Allow delete of own submissions by members

Author: jmgasper

src/controllers/SubmissionController.js

@@ -74,7 +74,7 @@ function * patchSubmission (req, res) {
  * @param res the http response
  */
 function * deleteSubmission (req, res) {
-  yield SubmissionService.deleteSubmission(req.params.submissionId)
+  yield SubmissionService.deleteSubmission(req.authUser, req.params.submissionId)
   res.status(204).send()
 }
 

src/routes/SubmissionRoutes.js

@@ -50,7 +50,7 @@ module.exports = {
       controller: 'SubmissionController',
       method: 'deleteSubmission',
       auth: 'jwt',
-      access: ['Administrator'],
+      access: ['Topcoder User', 'Administrator', 'Copilot'],
       scopes: ['delete:submission', 'all:submission'],
       blockByIp: true
     }

src/services/SubmissionService.js

@@ -568,15 +568,20 @@ patchSubmission.schema = {
 
 /**
  * Function to delete submission
+ * @param {Object} authUser Authenticated User
  * @param {String} submissionId submissionId which need to be deleted
  * @return {Promise}
  */
-function * deleteSubmission (submissionId) {
+function * deleteSubmission (authUser, submissionId) {
   const exist = yield _getSubmission(submissionId)
   if (!exist) {
     throw new errors.HttpStatusError(404, `Submission with ID = ${submissionId} is not found`)
   }
 
+  if (_.intersection(authUser.roles, ['Administrator', 'administrator']).length === 0 && exist.memberId !== authUser.uerId) {
+    throw new errors.HttpStatusError(403, 'You are now allowed to delete this submission.')
+  }
+
   // Filter used to delete the record
   const filter = {
     TableName: table,

test/unit/SubmissionService.test.js

@@ -470,16 +470,15 @@ describe('Submission Service tests', () => {
         })
     })
 
-    it('Deleting submission with user token should throw 403', (done) => {
+    it('Deleting submission with User token should get succeeded', (done) => {
       chai.request(app)
         .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)
         .set('Authorization', `Bearer ${config.USER_TOKEN}`)
         .end((err, res) => {
-          res.should.have.status(403)
-          res.body.message.should.be.eql('You are not allowed to perform this action!')
+          res.should.have.status(204)
           done()
         })
-    })
+    }).timeout(10000)
 
     it('Deleting non-existent submission should throw 404', (done) => {
       chai.request(app)
@@ -492,6 +491,16 @@ describe('Submission Service tests', () => {
         })
     })
 
+    it('Deleting submission with Copilot token should get succeeded', (done) => {
+      chai.request(app)
+        .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)
+        .set('Authorization', `Bearer ${config.COPILOT_TOKEN}`)
+        .end((err, res) => {
+          res.should.have.status(204)
+          done()
+        })
+    }).timeout(10000)
+
     it('Deleting submission with Admin token should get succeeded', (done) => {
       chai.request(app)
         .delete(`${config.API_VERSION}/submissions/${testSubmission.Item.id}`)