#1658 Allowed finance team to edit all RR's

jessicayzhao · jessicayzhao · commit 2fea7bc9b1c3 · 2023-10-29T19:49:52.000-04:00
diff --git a/src/backend/src/services/reimbursement-requests.services.ts b/src/backend/src/services/reimbursement-requests.services.ts
@@ -255,10 +255,12 @@ export default class ReimbursementRequestService {
 
     if (!oldReimbursementRequest) throw new NotFoundException('Reimbursement Request', requestId);
     if (oldReimbursementRequest.dateDeleted) throw new DeletedException('Reimbursement Request', requestId);
-    if (oldReimbursementRequest.recipientId !== submitter.userId)
-      throw new AccessDeniedException(
-        'You do not have access to delete this reimbursement request, only the creator can edit a reimbursement request'
-      );
+    try {
+      await validateUserIsPartOfFinanceTeam(submitter);
+    } catch {
+      if (oldReimbursementRequest.recipientId !== submitter.userId)
+        throw new AccessDeniedException('You do not have access to edit this reimbursement request');
+    }
 
     const vendor = await prisma.vendor.findUnique({
       where: { vendorId }
diff --git a/src/backend/tests/reimbursement-requests.test.ts b/src/backend/tests/reimbursement-requests.test.ts
@@ -222,11 +222,24 @@ describe('Reimbursement Requests', () => {
           [],
           superman
         )
-      ).rejects.toThrow(
-        new AccessDeniedException(
-          'You do not have access to delete this reimbursement request, only the creator can edit a reimbursement request'
+      ).rejects.toThrow(new AccessDeniedException('You do not have access to edit this reimbursement request'));
+    });
+
+    test('Edit Reimbursement Request fails if Submitter not on Finance Team', async () => {
+      vi.spyOn(prisma.team, 'findUnique').mockResolvedValue({ ...primsaTeam2, headId: 1 });
+      await expect(
+        ReimbursementRequestService.editReimbursementRequest(
+          GiveMeMyMoney.reimbursementRequestId,
+          GiveMeMyMoney.dateOfExpense,
+          GiveMeMyMoney.vendorId,
+          GiveMeMyMoney.account as ClubAccount,
+          GiveMeMyMoney.expenseTypeId,
+          GiveMeMyMoney.totalCost,
+          [],
+          [],
+          alfred
         )
-      );
+      ).rejects.toThrow(new AccessDeniedException('You do not have access to edit this reimbursement request'));
     });
 
     test('Edit Reimbursement Request Fails When Vendor does not exist', async () => {
diff --git a/src/frontend/src/pages/FinancePage/ReimbursementRequestDetailPage/ReimbursementRequestDetailsView.tsx b/src/frontend/src/pages/FinancePage/ReimbursementRequestDetailPage/ReimbursementRequestDetailsView.tsx
@@ -187,14 +187,16 @@ const ReimbursementRequestDetailsView: React.FC<ReimbursementRequestDetailsViewP
   };
 
   const allowEdit =
-    user.userId === reimbursementRequest.recipient.userId && !isReimbursementRequestAdvisorApproved(reimbursementRequest);
+    (user.userId === reimbursementRequest.recipient.userId &&
+      !isReimbursementRequestAdvisorApproved(reimbursementRequest)) ||
+    user.isFinance;
 
   const buttons: ButtonInfo[] = [
     {
       title: 'Edit',
       onClick: () => history.push(`${routes.REIMBURSEMENT_REQUESTS}/${reimbursementRequest.reimbursementRequestId}/edit`),
       icon: <Edit />,
-      disabled: !allowEdit
+      disabled: !allowEdit && !user.isFinance
     },
     {
       title: 'Delete',
