add bundling user restrictions and test back

maproulette · Apr 23, 2024 · a0c1ac2 · a0c1ac2
1 parent 9ec1be3
commit a0c1ac2
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/app/org/maproulette/framework/service/TaskBundleService.scala b/app/org/maproulette/framework/service/TaskBundleService.scala
@@ -100,6 +100,14 @@ class TaskBundleService @Inject() (
       bundleId: Long,
       taskIds: List[Long]
   ): TaskBundle = {
+    val bundle = this.getTaskBundle(user, bundleId)
+
+    if (!permission.isSuperUser(user) && bundle.ownerId != user.id) {
+      throw new IllegalAccessException(
+        "Only a super user or the original user can reset this bundle."
+      )
+    }
+
     this.repository.resetTaskBundle(user, bundleId, taskIds)
     this.getTaskBundle(user, bundleId)
   }
@@ -117,6 +125,13 @@ class TaskBundleService @Inject() (
   )(): TaskBundle = {
     val bundle = this.getTaskBundle(user, bundleId)
 
+    // Verify permissions to modify this bundle
+    if (!permission.isSuperUser(user) && bundle.ownerId != user.id) {
+      throw new IllegalAccessException(
+        "Only a super user or the original user can delete this bundle."
+      )
+    }
+
     this.repository.unbundleTasks(user, bundleId, taskIds, preventTaskIdUnlocks)
     this.getTaskBundle(user, bundleId)
   }

diff --git a/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala b/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala
@@ -245,6 +245,45 @@ class TaskBundleServiceSpec(implicit val application: Application) extends Frame
       response.taskIds.head mustEqual task1.id
     }
 
+    "unbundle a task with permission check" taggedAs (TaskTag) in {
+      val task1 = taskDAL
+        .insert(
+          getTestTask(UUID.randomUUID().toString, challenge.id),
+          User.superUser
+        )
+      var task2 = taskDAL
+        .insert(
+          getTestTask(UUID.randomUUID().toString, challenge.id),
+          User.superUser
+        )
+
+      val bundle = this.service
+        .createTaskBundle(
+          User.superUser,
+          "my bundle for unbundle",
+          Some(task1.id),
+          List(task1.id, task2.id)
+        )
+
+      // tasks.bundle_id is NOT set until setTaskStatus is called
+      taskDAL.setTaskStatus(
+        List(task1, task2),
+        Task.STATUS_FIXED,
+        User.superUser,
+        bundleId = Some(bundle.bundleId),
+        primaryTaskId = Some(task1.id)
+      )
+
+      val randomUser = serviceManager.user.create(
+        this.getTestUser(1022345, "RandomOUser2"),
+        User.superUser
+      )
+
+      // Random user is not allowed to delete this bundle
+      an[IllegalAccessException] should be thrownBy
+        this.service.unbundleTasks(randomUser, bundle.bundleId, List(task2.id))()
+    }
+
   }
 
   override implicit val projectTestName: String = "TaskBundleSpecProject"