Merge pull request #555 from techmatters/CHi-2382-fix_connect_perms

CHI-2382: fix connect perms
techmatters · Feb 8, 2024 · b11f8b6 · b11f8b6
2 parents 2bdc8c2 + a62e343
commit b11f8b6
Show file tree

Hide file tree

Showing 9 changed files with 436 additions and 242 deletions.
diff --git a/hrm-domain/hrm-core/contact/canPerformContactAction.ts b/hrm-domain/hrm-core/contact/canPerformContactAction.ts
@@ -50,7 +50,7 @@ const canPerformActionOnContact = (
           // This is a dirty hack that relies on the catch block in the try/catch below to return a 404
           throw new Error('contact not found');
         }
-        if (contactObj.finalizedAt) {
+        if (contactObj.finalizedAt || action !== 'editContact') {
           if (can(user, action, contactObj)) {
             await authorizeIfAdditionalValidationPasses(
               req,
@@ -107,10 +107,7 @@ const canPerformActionOnContact = (
           }
         }
       } catch (err) {
-        if (
-          err instanceof Error &&
-          err.message.toLowerCase().includes('contact not found')
-        ) {
+        if (err instanceof Error && err.message.toLowerCase().includes('not found')) {
           throw createError(404);
         } else {
           console.error('Failed to authorize contact editing', err);

diff --git a/hrm-domain/hrm-core/contact/contactRoutesV0.ts b/hrm-domain/hrm-core/contact/contactRoutesV0.ts
@@ -71,7 +71,6 @@ contactsRouter.get('/byTaskSid/:taskSid', publicEndpoint, async (req, res) => {
 
 contactsRouter.put(
   '/:contactId/connectToCase',
-  publicEndpoint,
   canChangeContactConnection,
   async (req, res) => {
     const { accountSid, user } = req;
@@ -99,7 +98,6 @@ contactsRouter.put(
 
 contactsRouter.delete(
   '/:contactId/connectToCase',
-  publicEndpoint,
   canDisconnectContact,
   async (req, res) => {
     const { accountSid, user } = req;