Merge pull request #4018 from Northeastern-Electric-Racing/prospective-sponsors

prospective sponsor access control changes

Author: walker-sean

src/backend/src/services/prospective-sponsor.services.ts

@@ -1,14 +1,12 @@
 import {
   CreateSponsorTask,
   FirstContactMethod,
-  isHead,
   ProspectiveSponsor,
   ProspectiveSponsorStatus,
   SponsorTask,
   User
 } from 'shared';
 import { Organization, Prospective_Sponsor_Status, Sponsor_Value_Type } from '@prisma/client';
-import { userHasPermission } from '../utils/users.utils.js';
 import { getProspectiveSponsorQueryArgs } from '../prisma-query-args/prospective-sponsor.query-args.js';
 import { getSponsorTaskQueryArgs } from '../prisma-query-args/sponsor.query.args.js';
 import {
@@ -22,7 +20,7 @@ import prisma from '../prisma/prisma.js';
 import { prospectiveSponsorTransformer } from '../transformers/prospective-sponsor.transformer.js';
 import { sponsorTaskTransformer } from '../transformers/sponsor-task.transformer.js';
 import { notifySponsorTaskAssignee } from '../utils/slack.utils.js';
-import { isUserFinanceTeamOrHead } from '../utils/reimbursement-requests.utils.js';
+import { isUserFinanceLeadOrHead, isUserFinanceTeamOrHead } from '../utils/reimbursement-requests.utils.js';
 
 export default class ProspectiveSponsorServices {
   /**
@@ -293,8 +291,8 @@ export default class ProspectiveSponsorServices {
     deleter: User,
     organization: Organization
   ): Promise<ProspectiveSponsor> {
-    if (!(await userHasPermission(deleter.userId, organization.organizationId, isHead))) {
-      throw new AccessDeniedException('Only heads can delete prospective sponsors');
+    if (!(await isUserFinanceLeadOrHead(deleter, organization.organizationId))) {
+      throw new AccessDeniedException('Only finance leads or heads can delete prospective sponsors');
     }
 
     const prospectiveSponsor = await prisma.prospective_Sponsor.findUnique({
@@ -416,9 +414,11 @@ export default class ProspectiveSponsorServices {
     if (prospectiveSponsor.dateDeleted) throw new DeletedException('ProspectiveSponsor', prospectiveSponsorId);
 
     const isContactor = prospectiveSponsor.contactorUserId === submitter.userId;
-    const isUserHead = await userHasPermission(submitter.userId, organization.organizationId, isHead);
-    if (!isUserHead && !isContactor) {
-      throw new AccessDeniedException('Only heads or the assigned contactor can accept prospective sponsors');
+    const canAccept = await isUserFinanceLeadOrHead(submitter, organization.organizationId);
+    if (!canAccept && !isContactor) {
+      throw new AccessDeniedException(
+        'Only finance leads, heads, or the assigned contactor can accept prospective sponsors'
+      );
     }
     if (prospectiveSponsor.status === Prospective_Sponsor_Status.ACCEPTED) {
       throw new HttpException(400, 'This prospective sponsor has already been accepted');

src/backend/src/utils/reimbursement-requests.utils.ts

@@ -502,6 +502,25 @@ export const isUserLeadOrHeadOfFinanceTeam = async (user: User, organizationId:
   return user.userId === financeTeam.headId || financeTeam.leads.map((u) => u.userId).includes(user.userId);
 };
 
+/**
+ * Checks if a user is a lead/head of the finance team or has a system role of Head or higher.
+ * Checks isHead first since it doesn't require the finance team to exist.
+ *
+ * @param user the user to check
+ * @param organizationId the organization id
+ * @returns whether the user is a finance lead/head or has Head+ system role
+ */
+export const isUserFinanceLeadOrHead = async (user: User, organizationId: string): Promise<boolean> => {
+  if (await userHasPermission(user.userId, organizationId, isHead)) {
+    return true;
+  }
+  try {
+    return await isUserLeadOrHeadOfFinanceTeam(user, organizationId);
+  } catch {
+    return false;
+  }
+};
+
 export const isCurrentUserOnFinance = (user: Prisma.UserGetPayload<AuthUserQueryArgs>) => {
   return (
     user.teamsAsHead.some((team) => team.financeTeam) ||

src/backend/tests/unit/prospective-sponsor.test.ts

@@ -3,7 +3,7 @@ import ProspectiveSponsorServices from '../../src/services/prospective-sponsor.s
 import FinanceServices from '../../src/services/finance.services.js';
 import { AccessDeniedException, DeletedException, HttpException, NotFoundException } from '../../src/utils/errors.utils.js';
 import { batmanAppAdmin, wonderwomanGuest, supermanAdmin } from '../test-data/users.test-data.js';
-import { createTestOrganization, createTestUser, resetUsers } from '../test-utils.js';
+import { createFinanceTeamAndLead, createTestOrganization, createTestUser, resetUsers } from '../test-utils.js';
 import prisma from '../../src/prisma/prisma.js';
 import { FirstContactMethod, ProspectiveSponsorStatus } from 'shared';
 
@@ -627,7 +627,7 @@ describe('Prospective Sponsor Tests', () => {
   });
 
   describe('Delete Prospective Sponsor', () => {
-    it('Fails if user is not a head', async () => {
+    it('Fails if user is not a finance lead or head', async () => {
       const head = await createTestUser(batmanAppAdmin, orgId);
       const guest = await createTestUser(wonderwomanGuest, orgId);
 
@@ -646,7 +646,49 @@ describe('Prospective Sponsor Tests', () => {
 
       await expect(
         ProspectiveSponsorServices.deleteProspectiveSponsor(ps.prospectiveSponsorId, guest, organization)
-      ).rejects.toThrow(new AccessDeniedException('Only heads can delete prospective sponsors'));
+      ).rejects.toThrow(new AccessDeniedException('Only finance leads or heads can delete prospective sponsors'));
+    });
+
+    it('Fails if user is a finance team member (not lead)', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeMember = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeMember' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      await expect(
+        ProspectiveSponsorServices.deleteProspectiveSponsor(ps.prospectiveSponsorId, financeMember, organization)
+      ).rejects.toThrow(new AccessDeniedException('Only finance leads or heads can delete prospective sponsors'));
+    });
+
+    it('Succeeds if user is a finance team lead', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeLead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeLead' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      const result = await ProspectiveSponsorServices.deleteProspectiveSponsor(
+        ps.prospectiveSponsorId,
+        financeLead,
+        organization
+      );
+
+      expect(result.prospectiveSponsorId).toBe(ps.prospectiveSponsorId);
+      const deletedPs = await prisma.prospective_Sponsor.findUnique({
+        where: { prospectiveSponsorId: ps.prospectiveSponsorId }
+      });
+      expect(deletedPs?.dateDeleted).not.toBeNull();
     });
 
     it('Fails if prospective sponsor does not exist', async () => {
@@ -891,7 +933,7 @@ describe('Prospective Sponsor Tests', () => {
   });
 
   describe('Accept Prospective Sponsor', () => {
-    it('Fails if user is not a head or contactor', async () => {
+    it('Fails if user is not a finance lead, head, or contactor', async () => {
       const head = await createTestUser(batmanAppAdmin, orgId);
       const guest = await createTestUser(wonderwomanGuest, orgId);
 
@@ -920,7 +962,69 @@ describe('Prospective Sponsor Tests', () => {
           false,
           5000
         )
-      ).rejects.toThrow(new AccessDeniedException('Only heads or the assigned contactor can accept prospective sponsors'));
+      ).rejects.toThrow(
+        new AccessDeniedException('Only finance leads, heads, or the assigned contactor can accept prospective sponsors')
+      );
+    });
+
+    it('Fails if user is a finance team member (not lead or contactor)', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeMember = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeMember' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      await expect(
+        ProspectiveSponsorServices.acceptProspectiveSponsor(
+          financeMember,
+          organization,
+          ps.prospectiveSponsorId,
+          undefined,
+          ['MONETARY'],
+          new Date(),
+          [2024],
+          false
+        )
+      ).rejects.toThrow(
+        new AccessDeniedException('Only finance leads, heads, or the assigned contactor can accept prospective sponsors')
+      );
+    });
+
+    it('Succeeds if user is a finance team lead', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeLead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeLead' } });
+      const joinDate = new Date(2024, 6, 1);
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Finance Lead Accept Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      const result = await ProspectiveSponsorServices.acceptProspectiveSponsor(
+        financeLead,
+        organization,
+        ps.prospectiveSponsorId,
+        undefined,
+        ['MONETARY'],
+        joinDate,
+        [2024],
+        false,
+        2500
+      );
+
+      expect(result.status).toBe(ProspectiveSponsorStatus.ACCEPTED);
+      const sponsors = await FinanceServices.getAllSponsors(organization);
+      const createdSponsor = sponsors.find((s) => s.name === 'Finance Lead Accept Corp');
+      expect(createdSponsor).toBeDefined();
+      expect(createdSponsor!.sponsorValue).toBe(2500);
     });
 
     it('Succeeds when the contactor accepts', async () => {

src/frontend/src/pages/FinancePage/FinanceComponents/ProspectiveSponsorTasksModal.tsx

@@ -11,13 +11,18 @@ import SponsorTasksModal from './SponsorTasksModal';
 interface ProspectiveSponsorTasksModalProps {
   onClose: () => void;
   prospectiveSponsor: ProspectiveSponsor;
+  canEdit?: boolean;
 }
 
-const ProspectiveSponsorTasksModal: React.FC<ProspectiveSponsorTasksModalProps> = ({ onClose, prospectiveSponsor }) => {
+const ProspectiveSponsorTasksModal: React.FC<ProspectiveSponsorTasksModalProps> = ({
+  onClose,
+  prospectiveSponsor,
+  canEdit = true
+}) => {
   const { data: tasks } = useProspectiveSponsorTasks(prospectiveSponsor.prospectiveSponsorId);
   const { mutate: createTask } = useCreateProspectiveSponsorTask(prospectiveSponsor.prospectiveSponsorId);
 
-  return <SponsorTasksModal onClose={onClose} tasks={tasks} createTask={createTask} />;
+  return <SponsorTasksModal onClose={onClose} tasks={tasks} createTask={createTask} canEdit={canEdit} />;
 };
 
 export default ProspectiveSponsorTasksModal;

src/frontend/src/pages/FinancePage/FinanceComponents/SponsorTaskCard.tsx

@@ -20,6 +20,7 @@ interface SponsorTaskCardProps {
   showDoneCheckbox?: boolean;
   isExistingTask?: boolean;
   defaultAssigneeName?: string;
+  canEdit?: boolean;
 }
 
 const SponsorTaskCard: React.FC<SponsorTaskCardProps> = ({
@@ -30,7 +31,8 @@ const SponsorTaskCard: React.FC<SponsorTaskCardProps> = ({
   onRemove,
   showDoneCheckbox = false,
   isExistingTask = false,
-  defaultAssigneeName
+  defaultAssigneeName,
+  canEdit = true
 }) => {
   const doneValue = useWatch({ control, name: `${fieldPrefix}.done` });
   const isDone = !!doneValue;
@@ -81,16 +83,20 @@ const SponsorTaskCard: React.FC<SponsorTaskCardProps> = ({
               />
             )}
           />
-          <IconButton size="small" onClick={onRemove}>
-            <RemoveCircle sx={{ fontSize: 20 }} />
-          </IconButton>
+          {canEdit && (
+            <IconButton size="small" onClick={onRemove}>
+              <RemoveCircle sx={{ fontSize: 20 }} />
+            </IconButton>
+          )}
         </Box>
       ) : (
-        <Box sx={{ position: 'absolute', top: 4, right: 4 }}>
-          <IconButton size="small" onClick={onRemove}>
-            <RemoveCircleOutlineIcon sx={{ color: 'white', fontSize: 20 }} />
-          </IconButton>
-        </Box>
+        canEdit && (
+          <Box sx={{ position: 'absolute', top: 4, right: 4 }}>
+            <IconButton size="small" onClick={onRemove}>
+              <RemoveCircleOutlineIcon sx={{ color: 'white', fontSize: 20 }} />
+            </IconButton>
+          </Box>
+        )
       )}
       <Box sx={{ display: 'flex', gap: 2, flexWrap: 'wrap', mb: 1.5 }}>
         <Box sx={{ flex: '1 1 180px', minWidth: 0 }}>

src/frontend/src/pages/FinancePage/FinanceComponents/SponsorTasksModal.tsx

@@ -16,6 +16,7 @@ interface SponsorTasksModalProps {
   onClose: () => void;
   tasks: SponsorTask[] | undefined;
   createTask: (payload: { dueDate: Date; notifyDate?: Date; assigneeUserId?: string; notes: string }) => void;
+  canEdit?: boolean;
 }
 
 const taskSchema = yup.object().shape({
@@ -31,7 +32,12 @@ const schema = yup.object().shape({
   tasks: yup.array().of(taskSchema)
 });
 
-const SponsorTasksModal: React.FC<SponsorTasksModalProps> = ({ onClose, tasks: sponsorTasks, createTask }) => {
+const SponsorTasksModal: React.FC<SponsorTasksModalProps> = ({
+  onClose,
+  tasks: sponsorTasks,
+  createTask,
+  canEdit = true
+}) => {
   const toast = useToast();
   const { data: users, isLoading: usersIsLoading, isError: usersIsError, error: usersError } = useAllMembers();
   const { mutate: editTask } = useEditSponsorTask();
@@ -119,6 +125,7 @@ const SponsorTasksModal: React.FC<SponsorTasksModalProps> = ({ onClose, tasks: s
             members={users}
             showDoneCheckbox
             isExistingTask={!!item.sponsorTaskId}
+            canEdit={canEdit}
             onRemove={() => {
               if (item.sponsorTaskId) {
                 deletedTaskIds.current.push(item.sponsorTaskId);
@@ -128,29 +135,33 @@ const SponsorTasksModal: React.FC<SponsorTasksModalProps> = ({ onClose, tasks: s
           />
         </Box>
       ))}
-      <Button
-        startIcon={<AddCircle />}
-        onClick={() =>
-          append({
-            dueDate: new Date(),
-            notifyDate: undefined,
-            assigneeUserId: '',
-            notes: '',
-            sponsorTaskId: undefined,
-            done: false
-          })
-        }
-        sx={{ mb: 2 }}
-      >
-        Add Task
-      </Button>
+      {canEdit && (
+        <Button
+          startIcon={<AddCircle />}
+          onClick={() =>
+            append({
+              dueDate: new Date(),
+              notifyDate: undefined,
+              assigneeUserId: '',
+              notes: '',
+              sponsorTaskId: undefined,
+              done: false
+            })
+          }
+          sx={{ mb: 2 }}
+        >
+          Add Task
+        </Button>
+      )}
       <Box sx={{ display: 'flex', justifyContent: 'flex-end' }}>
         <Button onClick={onClose} sx={{ mr: 2, color: 'white', border: '1px solid white', borderRadius: 1, px: 2 }}>
-          Cancel
-        </Button>
-        <Button onClick={handleSave} sx={{ backgroundColor: '#EF4345', color: 'white', borderRadius: 1, px: 2 }}>
-          Save
+          {canEdit ? 'Cancel' : 'Close'}
         </Button>
+        {canEdit && (
+          <Button onClick={handleSave} sx={{ backgroundColor: '#EF4345', color: 'white', borderRadius: 1, px: 2 }}>
+            Save
+          </Button>
+        )}
       </Box>
     </Box>
   );