Allow submitters to edit their own appeals (PM-2030)

jmgasper · jmgasper · commit 4f56528625db · 2025-09-26T10:42:00.000+10:00
diff --git a/src/api/appeal/appeal.service.spec.ts b/src/api/appeal/appeal.service.spec.ts
@@ -190,7 +190,7 @@ describe('AppealService.createAppeal', () => {
 describe('AppealService.updateAppeal', () => {
   const baseAppeal = {
     id: 'appeal-1',
-    resourceId: 'member-123',
+    resourceId: 'resource-123',
     reviewItemCommentId: 'review-item-comment-1',
     content: 'Original appeal content',
     reviewItemComment: {
@@ -209,7 +209,6 @@ describe('AppealService.updateAppeal', () => {
   const updateRequest = {
     reviewItemCommentId: baseAppeal.reviewItemCommentId,
     content: 'Updated appeal content',
-    resourceId: baseAppeal.resourceId,
   } as any;
 
   const submitterAuthUser = {
@@ -230,6 +229,10 @@ describe('AppealService.updateAppeal', () => {
       ...baseAppeal,
       content: updateRequest.content,
     });
+    resourcePrismaMock.resource.findUnique.mockResolvedValue({
+      id: baseAppeal.resourceId,
+      memberId: submitterAuthUser.userId,
+    });
     prismaErrorServiceMock.handleError.mockImplementation((error: any) => {
       throw error;
     });
@@ -250,6 +253,9 @@ describe('AppealService.updateAppeal', () => {
     expect(challengeApiServiceMock.getChallengeDetail).toHaveBeenCalledWith(
       'challenge-1',
     );
+    expect(resourcePrismaMock.resource.findUnique).toHaveBeenCalledWith({
+      where: { id: baseAppeal.resourceId },
+    });
     expect(prismaMock.appeal.update).toHaveBeenCalledWith({
       where: { id: baseAppeal.id },
       data: expect.objectContaining({
@@ -275,12 +281,30 @@ describe('AppealService.updateAppeal', () => {
 
     expect(prismaMock.appeal.update).not.toHaveBeenCalled();
   });
+
+  it('prevents updates when resource ownership does not match the requester', async () => {
+    resourcePrismaMock.resource.findUnique.mockResolvedValueOnce({
+      id: baseAppeal.resourceId,
+      memberId: 'member-999',
+    });
+
+    await expect(
+      service.updateAppeal(submitterAuthUser, baseAppeal.id, updateRequest),
+    ).rejects.toMatchObject({
+      status: 403,
+      response: expect.objectContaining({
+        code: 'APPEAL_RESOURCE_OWNER_FORBIDDEN',
+      }),
+    });
+
+    expect(prismaMock.appeal.update).not.toHaveBeenCalled();
+  });
 });
 
 describe('AppealService.deleteAppeal', () => {
   const baseAppeal = {
     id: 'appeal-1',
-    resourceId: 'member-123',
+    resourceId: 'resource-123',
     reviewItemComment: {
       reviewItem: {
         review: {
@@ -309,6 +333,10 @@ describe('AppealService.deleteAppeal', () => {
     });
     prismaMock.appeal.findUnique.mockResolvedValue(baseAppeal);
     prismaMock.appeal.delete.mockResolvedValue(undefined);
+    resourcePrismaMock.resource.findUnique.mockResolvedValue({
+      id: baseAppeal.resourceId,
+      memberId: submitterAuthUser.userId,
+    });
     prismaErrorServiceMock.handleError.mockImplementation((error: any) => {
       throw error;
     });
@@ -328,6 +356,9 @@ describe('AppealService.deleteAppeal', () => {
     expect(challengeApiServiceMock.getChallengeDetail).toHaveBeenCalledWith(
       'challenge-1',
     );
+    expect(resourcePrismaMock.resource.findUnique).toHaveBeenCalledWith({
+      where: { id: baseAppeal.resourceId },
+    });
     expect(prismaMock.appeal.delete).toHaveBeenCalledWith({
       where: { id: baseAppeal.id },
     });
diff --git a/src/api/appeal/appeal.service.ts b/src/api/appeal/appeal.service.ts
@@ -256,6 +256,14 @@ export class AppealService {
           ?.challengeId;
       const isPrivileged = Boolean(authUser?.isMachine || isAdmin(authUser));
 
+      if (!isPrivileged) {
+        await this.ensureAppealResourceOwnership(
+          authUser,
+          existingAppeal.resourceId,
+          appealId,
+        );
+      }
+
       if (!isPrivileged) {
         await this.ensureChallengeAllowsAppealChange(challengeId, {
           logContext: 'updateAppeal',
@@ -269,6 +277,7 @@ export class AppealService {
       if (
         !authUser?.isMachine &&
         !isAdmin(authUser) &&
+        body.resourceId !== undefined &&
         body.resourceId !== existingAppeal.resourceId
       ) {
         throw new ForbiddenException({
@@ -370,6 +379,14 @@ export class AppealService {
           ?.challengeId;
       const isPrivileged = Boolean(authUser?.isMachine || isAdmin(authUser));
 
+      if (!isPrivileged) {
+        await this.ensureAppealResourceOwnership(
+          authUser,
+          existingAppeal.resourceId,
+          appealId,
+        );
+      }
+
       if (!isPrivileged) {
         await this.ensureChallengeAllowsAppealChange(challengeId, {
           logContext: 'deleteAppeal',
@@ -829,6 +846,67 @@ export class AppealService {
     );
   }
 
+  private async ensureAppealResourceOwnership(
+    authUser: JwtUser,
+    resourceId: string | null | undefined,
+    appealId: string,
+  ): Promise<void> {
+    const requesterMemberId = authUser?.userId ? String(authUser.userId) : '';
+
+    if (!requesterMemberId) {
+      throw new ForbiddenException({
+        message:
+          'Only the owner of the resource associated with this appeal may modify it.',
+        code: 'APPEAL_RESOURCE_OWNER_FORBIDDEN',
+        details: { appealId, resourceId, requesterMemberId },
+      });
+    }
+
+    if (!resourceId) {
+      throw new BadRequestException({
+        message: `Appeal ${appealId} does not have an associated resourceId.`,
+        code: 'APPEAL_MISSING_RESOURCE_ID',
+        details: { appealId },
+      });
+    }
+
+    const resource = await this.resourcePrisma.resource.findUnique({
+      where: { id: resourceId },
+    });
+
+    if (!resource) {
+      throw new NotFoundException({
+        message: `Resource ${resourceId} associated with appeal ${appealId} was not found.`,
+        code: 'APPEAL_RESOURCE_NOT_FOUND',
+        details: { appealId, resourceId },
+      });
+    }
+
+    const resourceMemberId = resource.memberId ? String(resource.memberId) : '';
+
+    if (!resourceMemberId) {
+      throw new BadRequestException({
+        message: `Resource ${resourceId} associated with appeal ${appealId} does not have a memberId.`,
+        code: 'APPEAL_RESOURCE_MISSING_MEMBER_ID',
+        details: { appealId, resourceId },
+      });
+    }
+
+    if (resourceMemberId !== requesterMemberId) {
+      throw new ForbiddenException({
+        message:
+          'Only the owner of the resource associated with this appeal may modify it.',
+        code: 'APPEAL_RESOURCE_OWNER_FORBIDDEN',
+        details: {
+          appealId,
+          resourceId,
+          resourceMemberId,
+          requesterMemberId,
+        },
+      });
+    }
+  }
+
   private async ensureChallengeAllowsAppealChange(
     challengeId: string | null | undefined,
     context: {
