From 9ba16d5f4dd70835300af06e9f80b0a9abab5b9b Mon Sep 17 00:00:00 2001
From: Benjamin Chrobot
Date: Thu, 31 Jan 2019 16:41:56 -0500
Subject: [PATCH] Ensure user is authorized to send message.

---
 src/server/api/schema.js | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/server/api/schema.js b/src/server/api/schema.js
index 9696859dd..4705ae438 100644
--- a/src/server/api/schema.js
+++ b/src/server/api/schema.js
@@ -7,6 +7,7 @@ import { organizationCache } from '../models/cacheable_queries/organization'
 
 import { gzip, log, makeTree } from '../../lib'
 import { applyScript } from '../../lib/scripts'
+import { hasRole } from '../../lib/permissions'
 import { assignTexters, exportCampaign, loadContactsFromDataWarehouse, uploadContacts } from '../../workers/jobs'
 import {
   Assignment,
@@ -873,7 +874,7 @@ const rootMutations = {
     return []
   },
 
-  sendMessage: async (_, { message, campaignContactId }, { loaders }) => {
+  sendMessage: async (_, { message, campaignContactId }, { user, loaders }) => {
     const contact = await loaders.campaignContact.load(campaignContactId)
     const campaign = await loaders.campaign.load(contact.campaign_id)
     if (contact.assignment_id !== parseInt(message.assignmentId) || campaign.is_archived) {
@@ -882,6 +883,23 @@ const rootMutations = {
         message: 'Your assignment has changed'
       })
     }
+
+    const assignment = await loaders.assignment.load(contact.assignment_id)
+    const currentRoles = (await r
+      .knex('user_organization')
+      .where({
+        user_id: user.id,
+        organization_id: campaign.organization_id,
+      })
+      .select('role')).map(res => res.role)
+    const isAdmin = hasRole('SUPERVOLUNTEER', currentRoles)
+    if (!isAdmin && assignment.user_id !== user.id) {
+      throw new GraphQLError({
+        status: 403,
+        message: 'You are not authorized to send a message for this assignment!'
+      })
+    }
+
     const organization = await r
       .table('campaign')
       .get(contact.campaign_id)
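Review bot: In the third hunk `user.id` is dereferenced inside the `.where({ user_id: user.id, ... })` call before anything establishes that the resolver context actually carries a user; if `sendMessage` can be reached without a session (the new `{ user, loaders }` destructuring in the signature hunk would then yield `undefined`), the request fails with a TypeError rather than the intended authorization error, so a guard such as `if (!user) { throw new GraphQLError({ status: 403, message: 'You are not authorized to send a message for this assignment!' }) }` ahead of the query would keep the failure mode explicit — whether an anonymous context is possible here is not visible in the hunk. The ownership comparison `assignment.user_id !== user.id` is the cheap check and the one that passes for the ordinary texter, yet it is evaluated only after an unconditional `user_organization` round trip; testing ownership first and reserving the `hasRole('SUPERVOLUNTEER', currentRoles)` lookup for senders who do not own the assignment keeps the same decision while sparing a query per message. The name `isAdmin` also misstates what that lookup grants, since SUPERVOLUNTEER is the threshold used; a name like `mayTextAnyAssignment` plus a comment `// Texters may only send on their own assignment; anyone else needs SUPERVOLUNTEER in the campaign's organization` would document the rule where it is enforced. The enclosing `sendMessage` resolver continues past the end of the hunk.
```javascript
    const assignment = await loaders.assignment.load(contact.assignment_id)
    // Texters may only send on their own assignment; anyone else needs the
    // SUPERVOLUNTEER role (as hasRole interprets it) in the campaign's organization.
    if (assignment.user_id !== user.id) {
      const currentRoles = (await r
        .knex('user_organization')
        .where({
          user_id: user.id,
          organization_id: campaign.organization_id
        })
        .select('role')).map(res => res.role)
      if (!hasRole('SUPERVOLUNTEER', currentRoles)) {
        throw new GraphQLError({
          status: 403,
          message: 'You are not authorized to send a message for this assignment!'
        })
      }
    }
    // … unchanged: organization lookup via r.table('campaign') …
```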