fix(bulk script editor): restrict to user organization

politics-rewired · Aug 4, 2023 · 2d562dd · 2d562dd
1 parent 35410cb
commit 2d562dd
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 20 deletions.
diff --git a/libs/gql-schema/schema.ts b/libs/gql-schema/schema.ts
@@ -48,6 +48,7 @@ const rootSchema = `
     searchString: String!
     replaceString: String!
     campaignIds: [String!]!
+    organizationId: String!
   }
 
   input ContactActionInput {
@@ -261,7 +262,7 @@ const rootSchema = `
     notices(organizationId: String): NoticePage!
     campaignGroups(organizationId: String! after: Cursor, first: Int): CampaignGroupPage!
     campaignNavigation(campaignId: String!): CampaignNavigation!
-    bulkUpdateScriptChanges(organizationId: String!, findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateChange!]!
+    bulkUpdateScriptChanges(findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateChange!]!
     superadmins: [User!]
     optOuts(organizationId: String!): [OptOutByCampaign!]!
     isValidAttachment(fileUrl: String!): Boolean!
@@ -282,7 +283,7 @@ const rootSchema = `
     saveCampaignGroups(organizationId: String!, campaignGroups: [CampaignGroupInput!]!): [CampaignGroup!]!
     deleteCampaignGroup(organizationId: String!, campaignGroupId: String!): Boolean!
     filterLandlines(id:String!): Campaign
-    bulkUpdateScript(organizationId:String!, findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateResult]
+    bulkUpdateScript(findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateResult]
     deleteJob(campaignId:String!, id:String!): JobRequest
     copyCampaign(id: String!): Campaign
     copyCampaigns(sourceCampaignId: String!, quantity: Int!, targetOrgId: String): [Campaign!]!

diff --git a/libs/spoke-codegen/src/graphql/bulk-script-editor.graphql b/libs/spoke-codegen/src/graphql/bulk-script-editor.graphql
@@ -17,11 +17,9 @@ query GetCampaignsBulkScriptEditor(
 }
 
 query GetScriptUpdateChanges(
-  $organizationId: String!
   $findAndReplace: BulkUpdateScriptInput!
 ) {
   bulkUpdateScriptChanges(
-    organizationId: $organizationId
     findAndReplace: $findAndReplace
   ) {
     id
@@ -32,11 +30,9 @@ query GetScriptUpdateChanges(
 }
 
 mutation BulkUpdateScript(
-  $organizationId: String!
   $findAndReplace: BulkUpdateScriptInput!
 ) {
   bulkUpdateScript(
-    organizationId: $organizationId
     findAndReplace: $findAndReplace
   ) {
     campaignId

diff --git a/src/schema.graphql b/src/schema.graphql
@@ -14,6 +14,7 @@ input BulkUpdateScriptInput {
   searchString: String!
   replaceString: String!
   campaignIds: [String!]!
+  organizationId: String!
 }
 
 input ContactActionInput {
@@ -227,7 +228,7 @@ type RootQuery {
   notices(organizationId: String): NoticePage!
   campaignGroups(organizationId: String! after: Cursor, first: Int): CampaignGroupPage!
   campaignNavigation(campaignId: String!): CampaignNavigation!
-  bulkUpdateScriptChanges(organizationId: String!, findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateChange!]!
+  bulkUpdateScriptChanges(findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateChange!]!
   superadmins: [User!]
   optOuts(organizationId: String!): [OptOutByCampaign!]!
   isValidAttachment(fileUrl: String!): Boolean!
@@ -248,7 +249,7 @@ type RootMutation {
   saveCampaignGroups(organizationId: String!, campaignGroups: [CampaignGroupInput!]!): [CampaignGroup!]!
   deleteCampaignGroup(organizationId: String!, campaignGroupId: String!): Boolean!
   filterLandlines(id:String!): Campaign
-  bulkUpdateScript(organizationId:String!, findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateResult]
+  bulkUpdateScript(findAndReplace: BulkUpdateScriptInput!): [ScriptUpdateResult]
   deleteJob(campaignId:String!, id:String!): JobRequest
   copyCampaign(id: String!): Campaign
   copyCampaigns(sourceCampaignId: String!, quantity: Int!, targetOrgId: String): [Campaign!]!

diff --git a/src/server/api/lib/bulk-script-editor.ts b/src/server/api/lib/bulk-script-editor.ts
@@ -9,7 +9,7 @@ export const getStepsToUpdate = async (
   trx: Knex.Transaction,
   findAndReplace: BulkUpdateScriptInput
 ) => {
-  const { searchString, campaignIds } = findAndReplace;
+  const { searchString, campaignIds, organizationId } = findAndReplace;
   const campaignsIds = campaignIds.map((cid: string) => parseInt(cid, 10));
 
   // Using array_to_string is easier and faster than using unnest(script_options) (https://stackoverflow.com/a/7222285)
@@ -25,7 +25,8 @@ export const getStepsToUpdate = async (
     .join("campaign", "campaign_id", "campaign.id")
     .whereRaw("array_to_string(script_options, '||') like ?", [
       `%${searchString}%`
-    ]);
+    ])
+    .where({ organization_id: organizationId });
   if (campaignsIds.length > 0) {
     interactionStepsToChangeQuery = interactionStepsToChangeQuery.whereIn(
       "campaign_id",

diff --git a/src/server/api/root-mutations.ts b/src/server/api/root-mutations.ts
@@ -1115,11 +1115,8 @@ const rootMutations = {
       return loaders.campaign.load(id);
     },
 
-    bulkUpdateScript: async (
-      _root,
-      { organizationId, findAndReplace },
-      { user }
-    ) => {
+    bulkUpdateScript: async (_root, { findAndReplace }, { user }) => {
+      const { organizationId } = findAndReplace;
       await accessRequired(user, organizationId, "OWNER");
 
       const scriptUpdatesResult = await r.knex.transaction(async (trx) => {

diff --git a/src/server/api/root-resolvers.ts b/src/server/api/root-resolvers.ts
@@ -442,11 +442,8 @@ const rootResolvers = {
         nextCampaignId
       };
     },
-    bulkUpdateScriptChanges: async (
-      _root,
-      { organizationId, findAndReplace },
-      { user }
-    ) => {
+    bulkUpdateScriptChanges: async (_root, { findAndReplace }, { user }) => {
+      const { organizationId } = findAndReplace;
       await accessRequired(user, organizationId, "OWNER");
 
       const steps = await r.knex.transaction((trx) => {