Merge pull request #309 from Enterprise-CMCS/master

Release to val
Enterprise-CMCS · Jan 9, 2024 · 22ec4c2 · 22ec4c2
2 parents 24b9367 + bcbcbc6
commit 22ec4c2
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 6 deletions.
diff --git a/src/services/api/handlers/getPackageActions.ts b/src/services/api/handlers/getPackageActions.ts
@@ -3,7 +3,7 @@ import { getAvailableActions } from "shared-utils";
 import { getPackage } from "../libs/package/getPackage";
 import {
   getAuthDetails,
-  isAuthorized,
+  isAuthorizedToGetPackageActions,
   lookupUserAttributes,
 } from "../libs/auth/user";
 import { response } from "../libs/handler";
@@ -22,7 +22,10 @@ export const getPackageActions = async (event: APIGatewayEvent) => {
   const body = JSON.parse(event.body) as GetPackageActionsBody;
   try {
     const result = await getPackage(body.id);
-    const passedStateAuth = await isAuthorized(event, result._source.state);
+    const passedStateAuth = await isAuthorizedToGetPackageActions(
+      event,
+      result._source.state
+    );
     if (!passedStateAuth)
       return response({
         statusCode: 401,

diff --git a/src/services/api/libs/auth/user.ts b/src/services/api/libs/auth/user.ts
@@ -5,7 +5,7 @@ import {
 } from "@aws-sdk/client-cognito-identity-provider";
 import { CognitoUserAttributes } from "shared-types";
 import { APIGatewayEvent } from "aws-lambda";
-import { isCmsUser } from "shared-utils";
+import { isCmsWriteUser, isCmsUser } from "shared-utils";
 
 // Retrieve user authentication details from the APIGatewayEvent
 export function getAuthDetails(event: APIGatewayEvent) {
@@ -105,6 +105,24 @@ export const isAuthorized = async (
   );
 };
 
+export const isAuthorizedToGetPackageActions = async (
+  event: APIGatewayEvent,
+  stateCode?: string | null
+) => {
+  // Retrieve authentication details of the user
+  const authDetails = getAuthDetails(event);
+
+  // Look up user attributes from Cognito
+  const userAttributes = await lookupUserAttributes(
+    authDetails.userId,
+    authDetails.poolId
+  );
+  return (
+    isCmsWriteUser(userAttributes) ||
+    (stateCode && userAttributes?.["custom:state"]?.includes(stateCode))
+  );
+};
+
 export const getStateFilter = async (event: APIGatewayEvent) => {
   // Retrieve authentication details of the user
   const authDetails = getAuthDetails(event);

diff --git a/src/services/ui/src/pages/detail/index.tsx b/src/services/ui/src/pages/detail/index.tsx
@@ -70,12 +70,12 @@ const PackageActionsCard = ({ id }: { id: string }) => {
   const [isSuccessModalOpen, setIsSuccessModalOpen] = useState(false);
   const [isErrorModalOpen, setIsErrorModalOpen] = useState(false);
   const [isLoading, setIsLoading] = useState(false);
-  const { data, error } = useGetPackageActions(id);
-  if (!data?.actions || error || isLoading) return <LoadingSpinner />;
+  const { data } = useGetPackageActions(id, { retry: false });
+  if (isLoading) return <LoadingSpinner />;
   return (
     <DetailCardWrapper title={"Actions"}>
       <div>
-        {!data.actions.length ? (
+        {!data || !data.actions.length ? (
           <em className="text-gray-400">
             No actions are currently available for this submission.
           </em>