From a0c1ac2798fe871d7711b18db501a46b71ae72fb Mon Sep 17 00:00:00 2001
From: CollinBeczak
Date: Tue, 23 Apr 2024 12:35:00 -0500
Subject: [PATCH] add bundling user restrictions and test back
---
 .../framework/service/TaskBundleService.scala | 15 +++++++
 .../service/TaskBundleServiceSpec.scala | 39 +++++++++++++++++++
 2 files changed, 54 insertions(+)
diff --git a/app/org/maproulette/framework/service/TaskBundleService.scala b/app/org/maproulette/framework/service/TaskBundleService.scala
index bf6c81c6..318a6c54 100644
--- a/app/org/maproulette/framework/service/TaskBundleService.scala
+++ b/app/org/maproulette/framework/service/TaskBundleService.scala
@@ -100,6 +100,14 @@ class TaskBundleService @Inject() (
 bundleId: Long,
 taskIds: List[Long]
 ): TaskBundle = {
+ val bundle = this.getTaskBundle(user, bundleId)
+
+ if (!permission.isSuperUser(user) && bundle.ownerId != user.id) {
+ throw new IllegalAccessException(
+ "Only a super user or the original user can reset this bundle."
+ )
+ }
+
 this.repository.resetTaskBundle(user, bundleId, taskIds)
 this.getTaskBundle(user, bundleId)
 }
@@ -117,6 +125,13 @@ class TaskBundleService @Inject() (
 )(): TaskBundle = {
 val bundle = this.getTaskBundle(user, bundleId)
+ // Verify permissions to modify this bundle
+ if (!permission.isSuperUser(user) && bundle.ownerId != user.id) {
+ throw new IllegalAccessException(
+ "Only a super user or the original user can delete this bundle."
+ )
+ }
+
 this.repository.unbundleTasks(user, bundleId, taskIds, preventTaskIdUnlocks)
 this.getTaskBundle(user, bundleId)
 }
diff --git a/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala b/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala
index 7ed94c51..fbf07da4 100644
--- a/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala
+++ b/test/org/maproulette/framework/service/TaskBundleServiceSpec.scala
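Review bot: The owner-or-super-user test is written out twice, in the first TaskBundleService hunk before `repository.resetTaskBundle` and again in the second before `repository.unbundleTasks`, so a later change to the rule, or a new mutating method, can leave one path unguarded. I would move it into one private helper that both methods call, and give the reset path the same `// Verify permissions to modify this bundle` comment the second hunk carries. The helper below assumes the `user` parameter is a `User`, as in the spec file; both method signatures start outside the hunks.

```scala
// new private helper in TaskBundleService
private def requireOwnerOrSuperUser(user: User, bundle: TaskBundle, action: String): Unit =
  if (!permission.isSuperUser(user) && bundle.ownerId != user.id) {
    throw new IllegalAccessException(
      s"Only a super user or the original user can $action this bundle."
    )
  }

// … unchanged: signature of the reset method …
val bundle = this.getTaskBundle(user, bundleId)
// Verify permissions to modify this bundle
requireOwnerOrSuperUser(user, bundle, "reset")
this.repository.resetTaskBundle(user, bundleId, taskIds)
// … unchanged: return of the refreshed bundle …
```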
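Review bot: The message thrown by the guard in the second TaskBundleService hunk says the caller cannot "delete this bundle", but the call it protects is `repository.unbundleTasks`, and the method then returns the bundle through `getTaskBundle`, so nothing is deleted. A denied client, and anyone reading the denial in logs, is told the wrong operation. Suggest `"Only a super user or the original user can unbundle tasks from this bundle."`. The method signature starts above the hunk, so the operation name is taken from the repository call.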
@@ -245,6 +245,45 @@ class TaskBundleServiceSpec(implicit val application: Application) extends Frame
 response.taskIds.head mustEqual task1.id
 }
+ "unbundle a task with permission check" taggedAs (TaskTag) in {
+ val task1 = taskDAL
+ .insert(
+ getTestTask(UUID.randomUUID().toString, challenge.id),
+ User.superUser
+ )
+ var task2 = taskDAL
+ .insert(
+ getTestTask(UUID.randomUUID().toString, challenge.id),
+ User.superUser
+ )
+
+ val bundle = this.service
+ .createTaskBundle(
+ User.superUser,
+ "my bundle for unbundle",
+ Some(task1.id),
+ List(task1.id, task2.id)
+ )
+
+ // tasks.bundle_id is NOT set until setTaskStatus is called
+ taskDAL.setTaskStatus(
+ List(task1, task2),
+ Task.STATUS_FIXED,
+ User.superUser,
+ bundleId = Some(bundle.bundleId),
+ primaryTaskId = Some(task1.id)
+ )
+
+ val randomUser = serviceManager.user.create(
+ this.getTestUser(1022345, "RandomOUser2"),
+ User.superUser
+ )
+
+ // Random user is not allowed to delete this bundle
+ an[IllegalAccessException] should be thrownBy
+ this.service.unbundleTasks(randomUser, bundle.bundleId, List(task2.id))()
+ }
+
 }
 override implicit val projectTestName: String = "TaskBundleSpecProject"
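Review bot: Only the `unbundleTasks` denial is exercised here; the guard this commit adds in front of `repository.resetTaskBundle` has no test, and neither does the allowed path for a bundle owner who is not a super user. After the `thrownBy` assertion it would also be worth asserting that the bundle still lists `task2.id`, so a regression that throws only after the bundle has been modified is caught. Separately, `var task2` is never reassigned in this test and should read `val task2 = taskDAL`.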