From 7f9530c576ad5069ec7f532705866456d8874786 Mon Sep 17 00:00:00 2001
From: Nicolas Chambrier
Date: Fri, 8 Sep 2017 12:22:43 +0200
Subject: [PATCH] fix(edit-logs): finishes previous refactor and fixes invalid sync call to userCanEdit*()

---
 server/routes/editLog.js | 40 +++++++++++++++++++++++++---------------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/server/routes/editLog.js b/server/routes/editLog.js
index 2027724a..192055f5 100644
--- a/server/routes/editLog.js
+++ b/server/routes/editLog.js
@@ -1,7 +1,7 @@
 'use strict'
 
 const { Router } = require('express')
-const { UnauthorizedError } = require('../lib/errors')
+const { UnauthorizedError, NotFoundError } = require('../lib/errors')
 const { EditLog, flattenDiff } = require('../lib/edit-logs')
 const { requiresAuthentication, scopeOrganizationMiddleware } = require('../lib/permissions')
 const models = require('../lib/model')
@@ -67,21 +67,31 @@ function getEditLog(req, res){
   const itemID = req.query.itemID
   const query = req.query
 
-  // User has to be central admin to access editLog list feature
-  if (!itemID && req.userCentralRole !== 'admin'){
-    res.send(UnauthorizedError({ title: 'EditLog is restricted to central admin users'}))
-  }
-
-  // User has to have write access on an object to access its editlog
-  if(
-    (model === 'people' && itemID && !req.userCanEditPeople(itemID)) ||
-    (model === 'activity' && itemID && !req.userCanEditActivity(itemID)) ||
-    (model === 'organization' && itemID && !req.userCanEditOrganization(itemID))
-  ){
-    res.send(UnauthorizedError({ title: 'Write access is mandatory to access EditLog'}))
-  }
+  const validParamsP = Promise.resolve()
+    // Check validity of model param
+    .then(() => {
+      if (!model) {
+        throw new NotFoundError({ title: 'Invalid model' })
+      }
+    })
+    // User has to be central admin to access editLog list feature
+    .then(() => {
+      if (!itemID && req.userCentralRole !== 'admin'){
+        throw new UnauthorizedError({ title: 'EditLog is restricted to central admin users'})
+      }
+    })
+    // User has to have write access on an object to access its editlog
+    .then(() => {
+      if (itemID) {
+        return req['userCanEdit' + model](itemID).then(ok => {
+          if (!ok) {
+            throw new UnauthorizedError({ title: 'Write access is mandatory to access EditLog'})
+          }
+        })
+      }
+    })
 
-  const whoIdsItemIdsP = Promise.resolve()
+  const whoIdsItemIdsP = validParamsP
     .then(() => {
       if (!query.whoID && (query.isariLab || query.isariRole)){
         //need to retrieve list of targeted creators first
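Review bot: The dynamic lookup `req['userCanEdit' + model](itemID)` in the third `.then` assumes `model` already carries the capitalised suffix the helpers use (`userCanEditPeople`, `userCanEditActivity`, `userCanEditOrganization`); the removed condition compared `model` against lowercase `'people'`, so unless it is normalised before line 67 (outside this hunk) the computed property is `userCanEditpeople` and the call rejects with a TypeError instead of the intended UnauthorizedError. Any unexpected `model` value reaches the same path, because the earlier `if (!model)` guard only rejects a falsy value, not an unknown one. I would route the write-access check through an explicit allow-list so that an unknown model fails closed as a NotFoundError and the helpers keep their `this` binding. getEditLog continues past the end of the hunk, so where the rejected `validParamsP` is finally caught and turned into a response cannot be confirmed from here.
```javascript
    // User has to have write access on an object to access its editlog
    .then(() => {
      if (!itemID) {
        return
      }
      // Explicit map: an unknown model must not reach a dynamic property lookup
      const checkers = {
        people: req.userCanEditPeople,
        activity: req.userCanEditActivity,
        organization: req.userCanEditOrganization,
      }
      const canEdit = checkers[model]
      if (!canEdit) {
        throw new NotFoundError({ title: 'Invalid model' })
      }
      return canEdit.call(req, itemID).then(ok => {
        if (!ok) {
          throw new UnauthorizedError({ title: 'Write access is mandatory to access EditLog'})
        }
      })
    })
    // … unchanged: whoIdsItemIdsP chain …
```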