#1425: small permissions refactor

Author: jonathan-chen10

src/backend/src/services/reimbursement-requests.services.ts

@@ -454,16 +454,12 @@ export default class ReimbursementRequestService {
    * @returns the created vendor
    */
   static async createVendor(submitter: User, name: string) {
-    const validateCreateVendorSubmitter = async (submitter: User): Promise<void> => {
-      const failedAuthorizationException = new AccessDeniedException(
-        'Only admins, finance leads, and finance heads can create vendors.'
-      );
-
-      const isAuthorized = isAdmin(submitter.role) || (await isUserLeadOrHeadOfFinanceTeam(submitter));
-      if (!isAuthorized) throw failedAuthorizationException;
-    };
+    const failedAuthorizationException = new AccessDeniedException(
+      'Only admins, finance leads, and finance heads can create vendors.'
+    );
 
-    await validateCreateVendorSubmitter(submitter);
+    const isAuthorized = isAdmin(submitter.role) || (await isUserLeadOrHeadOfFinanceTeam(submitter));
+    if (!isAuthorized) throw failedAuthorizationException;
 
     const vendor = await prisma.vendor.create({
       data: {

src/backend/src/transformers/auth-user.transformer.ts

@@ -3,7 +3,7 @@ import { AuthenticatedUser } from 'shared';
 import authUserQueryArgs from '../prisma-query-args/auth-user.query-args';
 import {
   isAuthUserHeadOfFinance,
-  isAuthUserLeadForFinance,
+  isAuthUserAtLeastLeadForFinance,
   isAuthUserOnFinance
 } from '../utils/reimbursement-requests.utils';
 
@@ -20,7 +20,7 @@ const authenticatedUserTransformer = (user: Prisma.UserGetPayload<typeof authUse
     favoritedProjectsId: user.favoriteProjects.map((project) => project.projectId),
     isFinance: isAuthUserOnFinance(user),
     isHeadOfFinance: isAuthUserHeadOfFinance(user),
-    isFinanceLead: isAuthUserLeadForFinance(user),
+    isAtLeastFinanceLead: isAuthUserAtLeastLeadForFinance(user),
     changeRequestsToReviewId: user.changeRequestsToReview.map((changeRequest) => changeRequest.crId)
   };
 };

src/backend/src/utils/reimbursement-requests.utils.ts

@@ -230,7 +230,7 @@ export const validateUserIsPartOfFinanceTeam = async (user: User) => {
  */
 export const isUserOnFinanceTeam = async (user: User): Promise<boolean> => {
   if (!process.env.FINANCE_TEAM_ID) {
-    console.warn('FINANCE_TEAM_ID not in env');
+    throw new Error('FINANCE_TEAM_ID not in env');
   }
 
   const financeTeam = await prisma.team.findUnique({
@@ -246,7 +246,7 @@ export const isUserOnFinanceTeam = async (user: User): Promise<boolean> => {
  * Determines if a user is lead or head of the finance team.
  *
  * To be used for Prisma input validation of a plain User, as opposed to
- * <code>isAuthUserLeadForFinance</code>, which uses the additional fields
+ * <code>isAuthUserAtLeastLeadForFinance</code>, which uses the additional fields
  * produced by authUserQueryArgs that are not in the User type by default.
  *
  * @param user the user to authenticate
@@ -255,7 +255,7 @@ export const isUserOnFinanceTeam = async (user: User): Promise<boolean> => {
  */
 export const isUserLeadOrHeadOfFinanceTeam = async (user: User): Promise<boolean> => {
   if (!process.env.FINANCE_TEAM_ID) {
-    console.error('FINANCE_TEAM_ID not in env');
+    throw new Error('FINANCE_TEAM_ID not in env');
   }
 
   const financeTeam = await prisma.team.findUnique({
@@ -284,7 +284,7 @@ export const isAuthUserOnFinance = (user: Prisma.UserGetPayload<typeof authUserQ
  * @param user the user to check
  * @returns Whether they are a finance lead.
  */
-export const isAuthUserLeadForFinance = (user: Prisma.UserGetPayload<typeof authUserQueryArgs>) => {
+export const isAuthUserAtLeastLeadForFinance = (user: Prisma.UserGetPayload<typeof authUserQueryArgs>) => {
   if (!process.env.FINANCE_TEAM_ID) return false;
   const financeTeamId = process.env.FINANCE_TEAM_ID;
   const { teamAsHead, teamsAsLead } = user;

src/frontend/src/pages/AdminToolsPage/AdminToolsPage.tsx

@@ -18,7 +18,7 @@ const AdminToolsPage: React.FC = () => {
     <PageLayout title="Admin Tools">
       {isHead(currentUser.role) && <AdminToolsUserManagement />}
       {isAdmin(currentUser.role) && <AdminToolsSlackUpcomingDeadlines />}
-      {(isAdmin(currentUser.role) || currentUser.isFinanceLead) && <AdminToolsFinanceConfig />}
+      {(isAdmin(currentUser.role) || currentUser.isAtLeastFinanceLead) && <AdminToolsFinanceConfig />}
       {isAdmin(currentUser.role) && <TeamsTools />}
     </PageLayout>
   );

src/frontend/src/utils/users.ts

@@ -17,5 +17,6 @@ export const userToAutocompleteOption = (user: User): { label: string; id: numbe
  * @returns whether they can view Admin Tools
  */
 export const canAccessAdminTools = (user?: AuthenticatedUser): boolean => {
-  return isHead(user?.role) || user?.isFinanceLead || false;
+  if (!user || !user.isAtLeastFinanceLead) return false;
+  return isHead(user.role) || user.isAtLeastFinanceLead;
 };

src/shared/src/types/user-types.ts

@@ -42,7 +42,7 @@ export interface AuthenticatedUser {
   favoritedProjectsId: number[];
   changeRequestsToReviewId: number[];
   isHeadOfFinance?: boolean;
-  isFinanceLead?: boolean;
+  isAtLeastFinanceLead?: boolean;
 }
 
 export interface UserSettings {