Merge branch 'dev' of github.com:cloudspokes/tc-api into dev

skyhit · skyhit · commit 899023c7a5d9 · 2015-01-22T20:33:48.000+08:00
diff --git a/actions/srmRoundQuestions.js b/actions/srmRoundQuestions.js
@@ -24,7 +24,6 @@ var ForbiddenError = require('../errors/ForbiddenError');
 
 var DATE_FORMAT = "YYYY-MM-DD HH:mm";
 
-
 /**
  * Get Round Question Answers.
  *
@@ -35,12 +34,21 @@ var DATE_FORMAT = "YYYY-MM-DD HH:mm";
  */
 var getRoundQuestionAnswers = function (api, connection, dbConnectionMap, next) {
     var helper = api.helper,
+        caller = connection.caller,
         result = [],
         questionId = Number(connection.params.questionId);
 
     async.waterfall([
         function (cb) {
-            cb(helper.checkAdmin(connection, 'Authorized information needed.', 'Admin access only.'));
+            if (!helper.isAdmin(caller) && !caller.isWebArenaSuper) {
+                if (!helper.isMember(caller)) {
+                    cb(new UnauthorizedError("Authorized information needed."));
+                } else {
+                    cb(new ForbiddenError("Admin or web Arena super user only."));
+                }
+            } else {
+                cb();
+            }
         }, function (cb) {
             cb(helper.checkIdParameter(questionId, "questionId"));
         }, function (cb) {
@@ -386,6 +394,7 @@ function checkAnswerValues(api, text, sortOrder, correct, callback) {
  */
 var addRoundQuestionAnswer = function (api, connection, dbConnectionMap, next) {
     var helper = api.helper,
+        caller = connection.caller,
         sqlParams = {},
         questionId = Number(connection.params.questionId),
         text = connection.params.text,
@@ -394,7 +403,15 @@ var addRoundQuestionAnswer = function (api, connection, dbConnectionMap, next) {
 
     async.waterfall([
         function (cb) {
-            cb(helper.checkAdmin(connection, 'Authorized information needed.', 'Admin access only.'));
+            if (!helper.isAdmin(caller) && !caller.isWebArenaSuper) {
+                if (!helper.isMember(caller)) {
+                    cb(new UnauthorizedError("Authorized information needed."));
+                } else {
+                    cb(new ForbiddenError("Admin or web Arena super user only."));
+                }
+            } else {
+                cb();
+            }
         }, function (cb) {
             checkQuestionId(api, dbConnectionMap, questionId, cb);
         }, function (error, cb) {
diff --git a/test/test.srmRoundQuestions.js b/test/test.srmRoundQuestions.js
@@ -251,14 +251,19 @@ describe('SRM Round Questions APIs', function () {
             assertError("/v2/data/srm/rounds/1000000/answers", null, 401, "Authorized information needed.", done);
         });
 
-        it("Admin access only.", function (done) {
-            assertError("/v2/data/srm/rounds/1000000/answers", 'user', 403, "Admin access only.", done);
+        it("Admin or web arena only.", function (done) {
+            assertError("/v2/data/srm/rounds/1000000/answers", 'user', 403, "Admin or web Arena super user only.", done);
         });
 
+        // Only admin or web arena super user can get into this step
         it("questionId should be number.", function (done) {
             assertError("/v2/data/srm/rounds/aaa/answers", 'heffan', 400, "questionId should be number.", done);
         });
 
+        it("questionId should be number.", function (done) {
+            assertError("/v2/data/srm/rounds/aaa/answers", 'ksmith', 400, "questionId should be number.", done);
+        });
+
         it("questionId should be Integer.", function (done) {
             assertError("/v2/data/srm/rounds/100000.01/answers", 'heffan', 400, "questionId should be Integer.", done);
         });
@@ -390,14 +395,19 @@ describe('SRM Round Questions APIs', function () {
             assertPostError("/v2/data/srm/questions/306/answers", null, validRequest, 401, "Authorized information needed.", done);
         });
 
-        it("Admin access only.", function (done) {
-            assertPostError("/v2/data/srm/questions/306/answers", 'user', validRequest, 403, "Admin access only.", done);
+        it("Admin or web Arena super user only.", function (done) {
+            assertPostError("/v2/data/srm/questions/306/answers", 'user', validRequest, 403, "Admin or web Arena super user only.", done);
         });
 
+        // Only admin or web arena super user can get into this step
         it("questionId should be number.", function (done) {
             assertPostError("/v2/data/srm/questions/aaa/answers", 'heffan', validRequest, 400, "questionId should be number.", done);
         });
 
+        it("questionId should be number.", function (done) {
+            assertPostError("/v2/data/srm/questions/aaa/answers", 'ksmith', validRequest, 400, "questionId should be number.", done);
+        });
+
         it("questionId should be Integer.", function (done) {
             assertPostError("/v2/data/srm/questions/30.6/answers", 'heffan', validRequest, 400, "questionId should be Integer.", done);
         });
