s.yahyaee/yara724-api
1
0
Fork 0
forked from Yara724/api
Code Pull Requests Activity

YARA-725

Browse Source
This commit is contained in:
SepehrYahyaee
2026-01-26 11:50:34 +03:30
parent 623f165fee
commit 8db56d38be
2 changed files with 90 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/expert-blame/expert-blame.service.ts
View File

@@ -263,15 +263,31 @@ export class ExpertBlameService {
} }
// 2. Initial validation to ensure the expert has access // 2. Initial validation to ensure the expert has access
if (String(request?.actorLocked?.actorId) === actorId && request.lockFile) { // Check if locked by current expert and lock is still active
const isLockedByCurrentExpert =
String(request?.actorLocked?.actorId) === actorId && request.lockFile;
// Check if lock has expired
let isLockExpired = false;
if (request.unlockTime) {
const unlockTime = new Date(request.unlockTime).getTime();
const now = Date.now();
isLockExpired = now >= unlockTime;
}
if (isLockedByCurrentExpert && !isLockExpired) {
// This is the correct expert, and the file is locked to them, which is fine. // This is the correct expert, and the file is locked to them, which is fine.
// They can access it even if they closed the browser and came back.
} else if ( } else if (
request.lockFile || (request.lockFile && !isLockExpired) ||
request.blameStatus === ReqBlameStatus.ReviewRequest request.blameStatus === ReqBlameStatus.ReviewRequest
) { ) {
// The file is locked, but not by the current expert. // The file is locked by someone else, or lock expired but status hasn't updated yet
// Only block if lock is still active and not by current expert
if (request.lockFile && !isLockExpired && !isLockedByCurrentExpert) {
throw new BadRequestException("Request is locked by another expert"); throw new BadRequestException("Request is locked by another expert");
} }
}
// 3. Populate the resend links if the data exists // 3. Populate the resend links if the data exists
if (request.expertResendReply) { if (request.expertResendReply) {
@@ -474,9 +490,18 @@ export class ExpertBlameService {
"Access denied to this request. You are not the locked expert.", "Access denied to this request. You are not the locked expert.",
); );
} }
if (request.unlockTime == null) {
// Check if lock has expired (unlockTime has passed)
if (request.unlockTime) {
const unlockTime = new Date(request.unlockTime).getTime();
const now = Date.now();
if (now >= unlockTime) {
throw new ForbiddenException("Your lock time has expired."); throw new ForbiddenException("Your lock time has expired.");
} }
} else if (request.unlockTime == null) {
throw new ForbiddenException("Your lock time has expired.");
}
if (!request.lockFile) { if (!request.lockFile) {
throw new ForbiddenException( throw new ForbiddenException(
"You must lock the request before submitting a reply.", "You must lock the request before submitting a reply.",

72
src/expert-claim/expert-claim.service.ts
View File

@@ -818,7 +818,8 @@ export class ExpertClaimService {
return new ClaimPerIdRs(requestUpdated); return new ClaimPerIdRs(requestUpdated);
} }
if (this.isRequestLocked(requestUpdated)) { // Check if locked by someone else (allow if locked by current user)
if (this.isRequestLocked(requestUpdated, currentUser)) {
throw new HttpException( throw new HttpException(
{ responseCode: 1007, message: "Request is locked" }, { responseCode: 1007, message: "Request is locked" },
HttpStatus.FORBIDDEN, HttpStatus.FORBIDDEN,
@@ -846,7 +847,7 @@ export class ExpertClaimService {
if (this.isCurrentUserAllowed(request, currentUser)) { if (this.isCurrentUserAllowed(request, currentUser)) {
return (await this.claimRequestManagementDbService.findOne(requestId)) return (await this.claimRequestManagementDbService.findOne(requestId))
.imageRequired; .imageRequired;
} else if (this.isRequestLocked(requestId)) { } else if (this.isRequestLocked(request, currentUser)) {
throw new HttpException( throw new HttpException(
{ responseCode: 1007, message: "Request is locked" }, { responseCode: 1007, message: "Request is locked" },
HttpStatus.FORBIDDEN, HttpStatus.FORBIDDEN,
@@ -889,8 +890,8 @@ export class ExpertClaimService {
); );
} }
// Perform authorization checks // Perform authorization checks - allow if locked by current user
if (this.isRequestLocked(request) && !this.isCurrentUserAllowed(request, currentUser)) { if (this.isRequestLocked(request, currentUser)) {
throw new HttpException( throw new HttpException(
{ responseCode: 1007, message: "Request is locked" }, { responseCode: 1007, message: "Request is locked" },
HttpStatus.FORBIDDEN, HttpStatus.FORBIDDEN,
@@ -933,16 +934,54 @@ export class ExpertClaimService {
} }
private isCurrentUserAllowed(request: any, currentUser: any): boolean { private isCurrentUserAllowed(request: any, currentUser: any): boolean {
return ( // Check if locked by current user and lock is still active
const isLockedByCurrentUser =
String(request?.actorLocked?.actorId) === currentUser.sub && String(request?.actorLocked?.actorId) === currentUser.sub &&
request.lockFile request.lockFile;
);
if (!isLockedByCurrentUser) {
return false;
} }
private isRequestLocked(request: any): boolean { // Also check if lock has expired (unlockTime has passed)
return ( if (request.unlockTime) {
request.lockFile && request.claimStatus === ReqClaimStatus.ReviewRequest const unlockTime = new Date(request.unlockTime).getTime();
); const now = Date.now();
if (now >= unlockTime) {
// Lock has expired, but still allow access if they were the one who locked it
// The unlockApi will handle the cleanup
return true;
}
}
return true;
}
private isRequestLocked(request: any, currentUser?: any): boolean {
if (!request.lockFile || request.claimStatus !== ReqClaimStatus.ReviewRequest) {
return false;
}
// Check if lock has expired
if (request.unlockTime) {
const unlockTime = new Date(request.unlockTime).getTime();
const now = Date.now();
if (now >= unlockTime) {
// Lock has expired, treat as not locked
return false;
}
}
// If currentUser is provided, allow access if they are the one who locked it
if (currentUser) {
const isLockedByCurrentUser =
String(request?.actorLocked?.actorId) === currentUser.sub;
// Return false (not locked) if locked by current user, true if locked by someone else
return !isLockedByCurrentUser;
}
// If no currentUser provided, treat as locked
return true;
} }
async submitReplyRequest( async submitReplyRequest(
@@ -963,9 +1002,18 @@ export class ExpertClaimService {
) { ) {
throw new ForbiddenException("Access denied to this request"); throw new ForbiddenException("Access denied to this request");
} }
if (request?.unlockTime == null && !request?.objection) {
// Check if lock has expired (unlockTime has passed)
if (request?.unlockTime && !request?.objection) {
const unlockTime = new Date(request.unlockTime).getTime();
const now = Date.now();
if (now >= unlockTime) {
throw new ForbiddenException("Your time has expired"); throw new ForbiddenException("Your time has expired");
} }
} else if (request?.unlockTime == null && !request?.objection) {
throw new ForbiddenException("Your time has expired");
}
if (!request.lockFile && !request?.objection) { if (!request.lockFile && !request?.objection) {
throw new ForbiddenException( throw new ForbiddenException(
"For submit reply you must lock the request", "For submit reply you must lock the request",