Only load assignee for reviewers or admins

beabee-communityrm · Dec 5, 2024 · d88c6d6 · d88c6d6
1 parent 3835a25
commit d88c6d6
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/apps/backend/src/api/dto/CalloutResponseDto.ts b/apps/backend/src/api/dto/CalloutResponseDto.ts
@@ -36,6 +36,7 @@ import { Callout } from "@beabee/core/models";
 
 export interface BaseGetCalloutResponseOptsDto {
   callout?: Callout;
+  isReviewer?: boolean;
 }
 
 export enum GetCalloutResponseWith {

diff --git a/apps/backend/src/api/transformers/CalloutResponseTransformer.ts b/apps/backend/src/api/transformers/CalloutResponseTransformer.ts
@@ -86,13 +86,18 @@ export class CalloutResponseTransformer extends BaseCalloutResponseTransformer<
     auth: AuthInfo,
     query: GetCalloutResponseOptsDto
   ): Promise<RuleGroup> {
+    const reviewerRules = await getReviewerRules(auth.contact, "calloutId");
+
+    // This is a hacky way to pass the reviewer status to modifyQueryBuilder
+    query.isReviewer = reviewerRules.length > 0;
+
     return {
       condition: "OR",
       rules: [
         // User's can always see their own responses
         { field: "contact", operator: "equal", value: ["me"] },
         // And any responses for callouts they are reviewers for
-        ...(await getReviewerRules(auth.contact, "calloutId"))
+        ...reviewerRules
       ]
     };
   }
@@ -103,8 +108,10 @@ export class CalloutResponseTransformer extends BaseCalloutResponseTransformer<
     query: ListCalloutResponsesDto,
     auth: AuthInfo
   ): void {
-    // TODO: Add auth check for assignee
-    if (query.with?.includes(GetCalloutResponseWith.Assignee)) {
+    if (
+      query.with?.includes(GetCalloutResponseWith.Assignee) &&
+      (query.isReviewer || auth.roles.includes("admin"))
+    ) {
       qb.leftJoinAndSelect(`${fieldPrefix}assignee`, "assignee");
     }
     if (query.with?.includes(GetCalloutResponseWith.Callout)) {