Limit reviews to only those owned by the reviewer in the JWT

jmgasper · jmgasper · commit 4bd1f23cb2a9 · 2025-09-26T16:31:36.000+10:00
diff --git a/src/api/review/review.service.spec.ts b/src/api/review/review.service.spec.ts
@@ -425,6 +425,97 @@ describe('ReviewService.getReview authorization checks', () => {
   });
 });
 
+describe('ReviewService.getReviews reviewer visibility', () => {
+  let prismaMock: any;
+  let prismaErrorServiceMock: any;
+  let resourceApiServiceMock: any;
+  let challengeApiServiceMock: any;
+  let service: ReviewService;
+
+  const baseAuthUser: JwtUser = {
+    userId: 'reviewer-1',
+    roles: [],
+    isMachine: false,
+  };
+
+  const baseSubmission = { id: 'submission-1' };
+
+  const buildResource = (roleName: string) => ({
+    id: 'resource-1',
+    challengeId: 'challenge-1',
+    memberId: baseAuthUser.userId,
+    memberHandle: 'reviewerHandle',
+    roleId: 'role-reviewer',
+    phaseId: 'phase-review',
+    createdBy: 'tc',
+    created: new Date().toISOString(),
+    roleName,
+  });
+
+  beforeEach(() => {
+    jest.resetAllMocks();
+
+    prismaMock = {
+      submission: {
+        findMany: jest.fn().mockResolvedValue([baseSubmission]),
+      },
+      review: {
+        findMany: jest.fn().mockResolvedValue([]),
+        count: jest.fn().mockResolvedValue(0),
+      },
+    };
+
+    prismaErrorServiceMock = {
+      handleError: jest.fn(),
+    };
+
+    resourceApiServiceMock = {
+      getMemberResourcesRoles: jest.fn(),
+    };
+
+    challengeApiServiceMock = {
+      getChallengeDetail: jest.fn(),
+      getChallenges: jest.fn(),
+    };
+
+    service = new ReviewService(
+      prismaMock,
+      prismaErrorServiceMock,
+      resourceApiServiceMock,
+      challengeApiServiceMock,
+    );
+  });
+
+  it('filters reviews by the reviewer resource id when the requester is a reviewer', async () => {
+    resourceApiServiceMock.getMemberResourcesRoles.mockResolvedValue([
+      buildResource('Reviewer'),
+    ]);
+
+    await service.getReviews(baseAuthUser, undefined, 'challenge-1');
+
+    expect(resourceApiServiceMock.getMemberResourcesRoles).toHaveBeenCalledWith(
+      'challenge-1',
+      baseAuthUser.userId,
+    );
+
+    expect(prismaMock.review.findMany).toHaveBeenCalledTimes(1);
+    const callArgs = prismaMock.review.findMany.mock.calls[0][0];
+    expect(callArgs.where.resourceId).toEqual({ in: ['resource-1'] });
+    expect(callArgs.where.submissionId).toEqual({ in: [baseSubmission.id] });
+  });
+
+  it('does not restrict resource visibility for copilots', async () => {
+    resourceApiServiceMock.getMemberResourcesRoles.mockResolvedValue([
+      buildResource('Copilot'),
+    ]);
+
+    await service.getReviews(baseAuthUser, undefined, 'challenge-1');
+
+    const callArgs = prismaMock.review.findMany.mock.calls[0][0];
+    expect(callArgs.where.resourceId).toBeUndefined();
+  });
+});
+
 describe('ReviewService.updateReviewItem validations', () => {
   const prismaMock = {
     reviewItem: {
diff --git a/src/api/review/review.service.ts b/src/api/review/review.service.ts
@@ -1414,6 +1414,32 @@ export class ReviewService {
         }
       };
 
+      const restrictToResourceIds = (allowedIds: string[]) => {
+        if (!allowedIds || allowedIds.length === 0) {
+          reviewWhereClause.resourceId = { in: ['__none__'] };
+          return;
+        }
+        const existing = reviewWhereClause.resourceId;
+        if (!existing) {
+          reviewWhereClause.resourceId = { in: allowedIds };
+        } else if (typeof existing === 'string') {
+          if (!allowedIds.includes(existing)) {
+            reviewWhereClause.resourceId = { in: ['__none__'] };
+          } else {
+            reviewWhereClause.resourceId = existing;
+          }
+        } else if (existing.in && Array.isArray(existing.in)) {
+          const intersect = existing.in.filter((id: string) =>
+            allowedIds.includes(id),
+          );
+          reviewWhereClause.resourceId = {
+            in: intersect.length ? intersect : ['__none__'],
+          };
+        } else {
+          reviewWhereClause.resourceId = { in: allowedIds };
+        }
+      };
+
       if (submissionId) {
         reviewWhereClause.submissionId = submissionId;
       }
@@ -1452,25 +1478,36 @@ export class ReviewService {
 
         // If a challengeId is specified, check role context for that challenge
         if (challengeId) {
-          let isReviewerOrCopilot = false;
+          let reviewerResourceIds: string[] = [];
+          let hasCopilotRole = false;
           try {
             const resources =
               await this.resourceApiService.getMemberResourcesRoles(
                 challengeId,
                 uid,
               );
-            isReviewerOrCopilot = resources.some((r) => {
-              const rn = (r.roleName || '').toLowerCase();
-              return rn.includes('reviewer') || rn.includes('copilot');
-            });
+
+            const normalized = resources || [];
+            reviewerResourceIds = normalized
+              .filter((r) =>
+                (r.roleName || '').toLowerCase().includes('reviewer'),
+              )
+              .map((r) => r.id);
+            hasCopilotRole = normalized.some((r) =>
+              (r.roleName || '').toLowerCase().includes('copilot'),
+            );
           } catch (e) {
             const msg = e instanceof Error ? e.message : String(e);
             this.logger.debug(
               `Failed to verify reviewer/copilot roles via Resource API: ${msg}`,
             );
           }
 
-          if (!isReviewerOrCopilot) {
+          if (hasCopilotRole) {
+            // Copilots retain full visibility for the challenge
+          } else if (reviewerResourceIds.length) {
+            restrictToResourceIds(reviewerResourceIds);
+          } else {
             // Confirm the user has actually submitted to this challenge
             const mySubs = await this.prisma.submission.findMany({
               where: { challengeId, memberId: uid },
