Merge pull request #1672 from Northeastern-Electric-Racing/#1658-finance-team-edit-RRs

RChandler234 · web-flow · commit 01f2af043448 · 2023-11-14T02:02:21.000-05:00
#1658 Allowed finance team to edit all RR's
diff --git a/src/backend/src/services/reimbursement-requests.services.ts b/src/backend/src/services/reimbursement-requests.services.ts
@@ -24,6 +24,7 @@ import {
   removeDeletedReceiptPictures,
   updateReimbursementProducts,
   validateReimbursementProducts,
+  validateUserEditRRPermissions,
   validateUserIsPartOfFinanceTeam
 } from '../utils/reimbursement-requests.utils';
 import {
@@ -255,10 +256,7 @@ export default class ReimbursementRequestService {
 
     if (!oldReimbursementRequest) throw new NotFoundException('Reimbursement Request', requestId);
     if (oldReimbursementRequest.dateDeleted) throw new DeletedException('Reimbursement Request', requestId);
-    if (oldReimbursementRequest.recipientId !== submitter.userId)
-      throw new AccessDeniedException(
-        'You do not have access to delete this reimbursement request, only the creator can edit a reimbursement request'
-      );
+    await validateUserEditRRPermissions(submitter, oldReimbursementRequest);
 
     const vendor = await prisma.vendor.findUnique({
       where: { vendorId }
diff --git a/src/backend/src/utils/reimbursement-requests.utils.ts b/src/backend/src/utils/reimbursement-requests.utils.ts
@@ -6,7 +6,7 @@
 import { ReimbursementProductCreateArgs, ReimbursementReceiptCreateArgs, WbsNumber, wbsPipe } from 'shared';
 import prisma from '../prisma/prisma';
 import { AccessDeniedException, DeletedException, HttpException, NotFoundException } from './errors.utils';
-import { Prisma, Receipt, Reimbursement_Product, Team, User } from '@prisma/client';
+import { Prisma, Receipt, Reimbursement_Product, Reimbursement_Request, Team, User } from '@prisma/client';
 import authUserQueryArgs from '../prisma-query-args/auth-user.query-args';
 import { isUserOnTeam } from './teams.utils';
 
@@ -233,3 +233,17 @@ export const isAuthUserHeadOfFinance = (user: Prisma.UserGetPayload<typeof authU
 const isTeamIdInList = (teamId: string, teamsList: Team[]) => {
   return teamsList.map((team) => team.teamId).includes(teamId);
 };
+
+/**
+ * Validates user has permission to edit the reimbursement request.
+ * @param user the person editing the reimbursement request
+ * @param reimbursementRequest the reimbursement request to edit
+ */
+export const validateUserEditRRPermissions = async (user: User, reimbursementRequest: Reimbursement_Request) => {
+  try {
+    await validateUserIsPartOfFinanceTeam(user);
+  } catch {
+    if (reimbursementRequest.recipientId !== user.userId)
+      throw new AccessDeniedException('Only the creator or finance team can edit a reimbursement request');
+  }
+};
diff --git a/src/backend/tests/reimbursement-requests.test.ts b/src/backend/tests/reimbursement-requests.test.ts
@@ -224,11 +224,24 @@ describe('Reimbursement Requests', () => {
           [],
           superman
         )
-      ).rejects.toThrow(
-        new AccessDeniedException(
-          'You do not have access to delete this reimbursement request, only the creator can edit a reimbursement request'
+      ).rejects.toThrow(new AccessDeniedException('Only the creator or finance team can edit a reimbursement request'));
+    });
+
+    test('Edit Reimbursement Request fails if Submitter not on Finance Team', async () => {
+      vi.spyOn(prisma.team, 'findUnique').mockResolvedValue({ ...primsaTeam2, headId: 1 });
+      await expect(
+        ReimbursementRequestService.editReimbursementRequest(
+          GiveMeMyMoney.reimbursementRequestId,
+          GiveMeMyMoney.dateOfExpense,
+          GiveMeMyMoney.vendorId,
+          GiveMeMyMoney.account as ClubAccount,
+          GiveMeMyMoney.expenseTypeId,
+          GiveMeMyMoney.totalCost,
+          [],
+          [],
+          alfred
         )
-      );
+      ).rejects.toThrow(new AccessDeniedException('Only the creator or finance team can edit a reimbursement request'));
     });
 
     test('Edit Reimbursement Request Fails When Vendor does not exist', async () => {
diff --git a/src/frontend/src/pages/FinancePage/ReimbursementRequestDetailPage/ReimbursementRequestDetailsView.tsx b/src/frontend/src/pages/FinancePage/ReimbursementRequestDetailPage/ReimbursementRequestDetailsView.tsx
@@ -194,7 +194,7 @@ const ReimbursementRequestDetailsView: React.FC<ReimbursementRequestDetailsViewP
       title: 'Edit',
       onClick: () => history.push(`${routes.REIMBURSEMENT_REQUESTS}/${reimbursementRequest.reimbursementRequestId}/edit`),
       icon: <Edit />,
-      disabled: !allowEdit
+      disabled: !allowEdit && !user.isFinance
     },
     {
       title: 'Delete',

Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ const ReimbursementRequestDetailsView: React.FC<ReimbursementRequestDetailsViewP`
`194`	`194`	`title: 'Edit',`
`195`	`195`	onClick: () => history.push(`${routes.REIMBURSEMENT_REQUESTS}/${reimbursementRequest.reimbursementRequestId}/edit`),
`196`	`196`	`icon: <Edit />,`
`197`		`- disabled: !allowEdit`
	`197`	`+ disabled: !allowEdit && !user.isFinance`
`198`	`198`	`},`
`199`	`199`	`{`
`200`	`200`	`title: 'Delete',`