From 94a83d89d15be751fa930f3c846171dbeadbe473 Mon Sep 17 00:00:00 2001
From: Pavel Baluev <pavel.baluev@parity.io>
Date: Wed, 8 May 2024 12:53:20 +0200
Subject: [PATCH] Update permissions in the HubMap and Profile components

---
 .../hub-map/client/components/HubMap.tsx      | 26 +++++++++++--------
 .../users/client/components/ProfileCard.tsx   | 22 +++++++++++++---
 .../users/client/components/PublicProfile.tsx | 23 +++++++++++-----
 src/modules/users/server/router.ts            | 14 +++++++---
 4 files changed, 60 insertions(+), 25 deletions(-)

diff --git a/src/modules/hub-map/client/components/HubMap.tsx b/src/modules/hub-map/client/components/HubMap.tsx
index e13ecc40..f8baf72a 100644
--- a/src/modules/hub-map/client/components/HubMap.tsx
+++ b/src/modules/hub-map/client/components/HubMap.tsx
@@ -26,17 +26,21 @@ import { useUpcoming } from '../queries'
 import { PermissionsValidator } from '#client/components/PermissionsValidator'
 import Permissions from '#shared/permissions'
 
-export const HubMap = () => (
-  <PermissionsValidator
-    required={[
-      Permissions.visits.Create,
-      Permissions['room-reservation'].Create,
-      Permissions['guest-invites'].Create,
-    ]}
-  >
-    <_HubMap />
-  </PermissionsValidator>
-)
+export const HubMap = () => {
+  const officeId = useStore(stores.officeId)
+  return (
+    <PermissionsValidator
+      officeId={officeId}
+      required={[
+        Permissions.visits.Create,
+        Permissions['room-reservation'].Create,
+        Permissions['guest-invites'].Create,
+      ]}
+    >
+      <_HubMap />
+    </PermissionsValidator>
+  )
+}
 
 export const _HubMap = () => {
   const officeId = useStore(stores.officeId)
diff --git a/src/modules/users/client/components/ProfileCard.tsx b/src/modules/users/client/components/ProfileCard.tsx
index b332383a..804a6844 100644
--- a/src/modules/users/client/components/ProfileCard.tsx
+++ b/src/modules/users/client/components/ProfileCard.tsx
@@ -83,11 +83,11 @@ export const Card = ({
       <div className={cn('flex flex-col', fullView ? 'gap-6' : 'gap-4')}>
         <div className="flex flex-col gap-1">
           <P className="mb-0">{user.fullName}</P>
-          <PermissionsValidator required={[Permissions.users.ListProfiles]}>
+          <MyDetailsVsOthersDetails isMine={isMine}>
             <div className="text-text-tertiary text-base leading-6">
               {[user.jobTitle, user.team].filter(Boolean).join(' · ')}
             </div>
-          </PermissionsValidator>
+          </MyDetailsVsOthersDetails>
           <div className="mt-3">
             {userRoles.map((x) => (
               <Tag key={x} size="small" color="gray" className="mr-1 mb-2">
@@ -96,7 +96,7 @@ export const Card = ({
             ))}
           </div>
         </div>
-        <PermissionsValidator required={[Permissions.users.ListProfiles]}>
+        <MyDetailsVsOthersDetails isMine={isMine}>
           <>
             <div className="flex flex-col gap-4">
               {location && (
@@ -151,12 +151,26 @@ export const Card = ({
               </PermissionsValidator>
             )}
           </>
-        </PermissionsValidator>
+        </MyDetailsVsOthersDetails>
       </div>
     </div>
   )
 }
 
+const MyDetailsVsOthersDetails: React.FC<{
+  isMine: boolean
+  children: React.ReactNode
+}> = (props) => {
+  if (props.isMine) {
+    return <>{props.children}</>
+  }
+  return (
+    <PermissionsValidator required={[Permissions.users.ListProfiles]}>
+      {props.children}
+    </PermissionsValidator>
+  )
+}
+
 export const ProfileCard = () => {
   const user = useStore(stores.me)
 
diff --git a/src/modules/users/client/components/PublicProfile.tsx b/src/modules/users/client/components/PublicProfile.tsx
index a8c319fd..064ce96b 100644
--- a/src/modules/users/client/components/PublicProfile.tsx
+++ b/src/modules/users/client/components/PublicProfile.tsx
@@ -27,14 +27,23 @@ const NoData = () => (
   </ComponentWrapper>
 )
 
-export const PublicProfile: React.FC<RootComponentProps> = (props) => (
-  <PermissionsValidator
-    required={[Permissions.users.ListProfiles]}
-    onRejectGoHome
-  >
+export const PublicProfile: React.FC<RootComponentProps> = (props) => {
+  const route = useStore(stores.router)
+  const me = useStore(stores.me)
+  const userId = route?.route === 'publicProfile' ? route.params.userId : null
+  const isMine = me?.id === userId
+
+  return isMine ? (
     <_PublicProfile {...props} />
-  </PermissionsValidator>
-)
+  ) : (
+    <PermissionsValidator
+      required={[Permissions.users.ListProfiles]}
+      onRejectGoHome
+    >
+      <_PublicProfile {...props} />
+    </PermissionsValidator>
+  )
+}
 
 const _PublicProfile: React.FC<RootComponentProps> = ({ portals }) => {
   const route = useStore(stores.router)
diff --git a/src/modules/users/server/router.ts b/src/modules/users/server/router.ts
index 7df97841..5efd0ab8 100644
--- a/src/modules/users/server/router.ts
+++ b/src/modules/users/server/router.ts
@@ -258,7 +258,9 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   fastify.get(
     '/profile/:userId',
     async (req: FastifyRequest<{ Params: { userId: string } }>, reply) => {
-      req.check(Permissions.ListProfiles)
+      if (req.user.id !== req.params.userId) {
+        req.check(Permissions.ListProfiles)
+      }
       const user = await fastify.db.User.findByPkActive(req.params.userId, {
         include: {
           as: 'tags',
@@ -392,8 +394,14 @@ const userRouter: FastifyPluginCallback = async function (fastify, opts) {
   )
 
   fastify.get('/me/tags', async (req, reply) => {
-    req.check(Permissions.ManageProfile)
-    req.check(Permissions.ListProfiles)
+    if (
+      !req.permissions.hasAnyOf([
+        Permissions.ListProfiles,
+        Permissions.ManageProfile,
+      ])
+    ) {
+      return reply.throw.accessDenied()
+    }
     // FIXME: missed types for sequelize lazy loading methods (many-to-many relation)
     // @ts-ignore
     const tags = (await req.user.getTags()) as Tag[]