Update create permissions to allow any role as long as they have the …

…permission and are the submission owner. Also updated tests
CBIIT · Jan 9, 2025 · 953ef63 · 953ef63
1 parent 0c6a242
commit 953ef63
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 48 deletions.
diff --git a/src/config/AuthPermissions.test.ts b/src/config/AuthPermissions.test.ts
@@ -226,53 +226,21 @@ describe("data_submission:create Permission", () => {
     expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(true);
   });
 
-  it("should allow a 'Federal Lead' who is the submission owner WITH 'data_submission:create' key if they have the matching study", () => {
+  it("should allow a 'Federal Lead' who is the submission owner WITH 'data_submission:create' key", () => {
     const user = createUser("Federal Lead", ["data_submission:create"]);
     user._id = "owner-123";
-    user.studies = [{ _id: "study-1" }];
     expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(true);
   });
 
-  it("should allow a 'Federal Lead' who is the submission owner WITH 'data_submission:create' key if they have the 'All' study", () => {
-    const user = createUser("Federal Lead", ["data_submission:create"]);
-    user._id = "owner-123";
-    user.studies = [{ _id: "All" }];
-    expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(true);
-  });
-
-  it("should deny a 'Federal Lead' who is the submission owner WITH 'data_submission:create' key without a matching study", () => {
-    const user = createUser("Federal Lead", ["data_submission:create"]);
-    user._id = "owner-123";
-    expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(false);
-  });
-
-  it("should deny a 'Federal Lead' who is NOT the submission owner WITH 'data_submission:create' and matching study", () => {
-    const user = createUser("Federal Lead", ["data_submission:create"]);
-    user.studies = [{ _id: "study-1" }];
-    expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(false);
-  });
-
   it("should allow a 'Data Commons Personnel' who is the submission owner WITH 'data_submission:create' key", () => {
     const user = createUser("Data Commons Personnel", ["data_submission:create"]);
     user._id = "owner-123";
-    user.dataCommons = ["commons-1"];
     expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(true);
   });
 
-  it("should deny a 'Data Commons Personnel' who is the submission owner WITH 'data_submission:create' key without matching dataCommons", () => {
-    const user = createUser("Data Commons Personnel", ["data_submission:create"]);
-    user._id = "owner-123";
-    expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(false);
-  });
-
-  it("should deny a 'Data Commons Personnel' who is NOT the submission owner WITH 'data_submission:create' key and matching dataCommons", () => {
-    const user = createUser("Data Commons Personnel", ["data_submission:create"]);
-    user.dataCommons = ["commons-1"];
-    expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(false);
-  });
-
-  it("should allow 'Admin' with 'data_submission:create' key", () => {
+  it("should allow 'Admin' who is the submission owner WITH 'data_submission:create' key", () => {
     const user = createUser("Admin", ["data_submission:create"]);
+    user._id = "owner-123";
     expect(hasPermission(user, "data_submission", "create", createSubmission)).toBe(true);
   });
 

diff --git a/src/config/AuthPermissions.ts b/src/config/AuthPermissions.ts
@@ -68,26 +68,14 @@ export const PERMISSION_MAP = {
   data_submission: {
     view: NO_CONDITIONS,
     create: (user, submission) => {
-      const { role, dataCommons, studies } = user;
       const hasPermissionKey = user?.permissions?.includes("data_submission:create");
       const isSubmissionOwner = submission?.submitterID === user?._id;
       const isCollaborator = submission?.collaborators?.some((c) => c.collaboratorID === user?._id);
 
       if (isCollaborator) {
         return true;
       }
-      // Submitters from the same study are able to view the same submissions
-      // Therefore, they must be the submission owner or collaborator with permission key
-      if (role === "Submitter" && isSubmissionOwner && hasPermissionKey) {
-        return true;
-      }
-      if (role === "Federal Lead" && isSubmissionOwner && hasPermissionKey) {
-        return studies?.some((s) => s._id === submission.studyID || s._id === "All");
-      }
-      if (role === "Data Commons Personnel" && isSubmissionOwner && hasPermissionKey) {
-        return dataCommons?.some((dc) => dc === submission?.dataCommons);
-      }
-      if (role === "Admin" && hasPermissionKey) {
+      if (isSubmissionOwner && hasPermissionKey) {
         return true;
       }