Restrict form actions based on permissions and if form owner

CBIIT · Dec 18, 2024 · ea86277 · ea86277
1 parent fb0c6f5
commit ea86277
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 9 deletions.
diff --git a/src/content/questionnaire/FormView.tsx b/src/content/questionnaire/FormView.tsx
@@ -170,6 +170,7 @@ const FormView: FC<Props> = ({ section }: Props) => {
     ? `/submission/${data?.["_id"]}/${sectionKeys[sectionIndex + 1]}`
     : null;
   const isSectionD = activeSection === "D";
+  const isFormOwner = data?.applicant?.applicantID === user?._id;
   const formContentRef = useRef(null);
   const lastSectionRef = useRef(null);
   const hasReopenedFormRef = useRef(false);
@@ -539,12 +540,12 @@ const FormView: FC<Props> = ({ section }: Props) => {
 
   const handleSubmitForm = () => {
     if (
-      !hasPermission(user, "submission_request", "submit", data) ||
-      (data?.status !== "In Progress" &&
-        (data?.status !== "Inquired" || user?.role !== "Federal Lead"))
+      (!isFormOwner && !hasPermission(user, "submission_request", "submit", data)) ||
+      !["In Progress", "Inquired"].includes(data?.status)
     ) {
       Logger.error("Invalid request to submit Submission Request form.", {
-        userRole: user?.role,
+        isFormOwner,
+        hasPermission,
         submissionStatus: data?.status,
       });
       return;
@@ -730,7 +731,9 @@ const FormView: FC<Props> = ({ section }: Props) => {
               )}
 
               {activeSection === "REVIEW" &&
-                hasPermission(user, "submission_request", "submit") &&
+                // Submission Request owners aren't granted the permission,
+                // but should be allowed to submit
+                (isFormOwner || hasPermission(user, "submission_request", "submit", data)) &&
                 ["In Progress", "Inquired"].includes(data?.status) && (
                   <StyledExtendedLoadingButton
                     id="submission-form-submit-button"

diff --git a/src/utils/formModeUtils.ts b/src/utils/formModeUtils.ts
@@ -23,10 +23,8 @@ export const getFormMode = (user: User, data: Application): FormMode => {
   if (!data) {
     return FormModes.UNAUTHORIZED;
   }
-  if (
-    !hasPermission(user, "submission_request", "view") &&
-    user?._id !== data.applicant?.applicantID
-  ) {
+  const isFormOwner = user?._id === data.applicant?.applicantID;
+  if (!hasPermission(user, "submission_request", "view") && !isFormOwner) {
     return FormModes.UNAUTHORIZED;
   }