Merge branch 'develop' into #3873-guest-home-page

Author: chpy04

.github/workflows/system-tests.yml

@@ -5,6 +5,7 @@ on:
   push:
     branches:
       - main
+      - multitenancy
       - develop
       - feature/**
 

src/backend/src/prisma/migrations/20260310005624_string_sabo_numbers/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Reimbursement_Request" ALTER COLUMN "saboId" SET DATA TYPE TEXT;

src/backend/src/prisma/schema.prisma

@@ -720,7 +720,7 @@ model Receipt {
 model Reimbursement_Request {
   reimbursementRequestId   String                          @id @default(uuid())
   identifier               Int
-  saboId                   Int?                            @unique
+  saboId                   String?                            @unique
   dateCreated              DateTime                        @default(now())
   dateDeleted              DateTime?
   dateOfExpense            DateTime?
@@ -805,7 +805,7 @@ model Vendor {
   organizationId        String
   organization          Organization            @relation(fields: [organizationId], references: [organizationId])
   username              String?
-  password              String? // password is encrypted  
+  password              String? // password is encrypted
   discountCode          String?
   twoFactorContacts     User[]                  @relation(name: "twoFactorContactVendors")
   notes                 String?

src/backend/src/prisma/seed-data/reimbursement-requests.seed.ts

@@ -1314,7 +1314,7 @@ export const seedReimbursementRequests = async (
     organization,
     new Date('2024-07-15')
   );
-  await ReimbursementRequestService.setSaboNumber(rr30.reimbursementRequestId, 12345, users.richieRich, organization);
+  await ReimbursementRequestService.setSaboNumber(rr30.reimbursementRequestId, 'abc123', users.richieRich, organization);
   await ReimbursementRequestService.inputReimbursementRequestInSabo(
     rr30.reimbursementRequestId,
     users.richieRich,
@@ -1382,7 +1382,7 @@ export const seedReimbursementRequests = async (
     organization,
     new Date('2024-07-18')
   );
-  await ReimbursementRequestService.setSaboNumber(rr31.reimbursementRequestId, 12346, users.mrKrabs, organization);
+  await ReimbursementRequestService.setSaboNumber(rr31.reimbursementRequestId, 'sdfkj3', users.mrKrabs, organization);
   await ReimbursementRequestService.inputReimbursementRequestInSabo(
     rr31.reimbursementRequestId,
     users.mrKrabs,
@@ -1450,7 +1450,7 @@ export const seedReimbursementRequests = async (
     organization,
     new Date('2024-06-10')
   );
-  await ReimbursementRequestService.setSaboNumber(rr32.reimbursementRequestId, 12340, users.monopolyMan, organization);
+  await ReimbursementRequestService.setSaboNumber(rr32.reimbursementRequestId, '324jj', users.monopolyMan, organization);
   await ReimbursementRequestService.inputReimbursementRequestInSabo(
     rr32.reimbursementRequestId,
     users.monopolyMan,
@@ -1523,7 +1523,7 @@ export const seedReimbursementRequests = async (
     organization,
     new Date('2024-05-20')
   );
-  await ReimbursementRequestService.setSaboNumber(rr33.reimbursementRequestId, 12335, users.johnBoddy, organization);
+  await ReimbursementRequestService.setSaboNumber(rr33.reimbursementRequestId, 'kaljf23', users.johnBoddy, organization);
   await ReimbursementRequestService.inputReimbursementRequestInSabo(
     rr33.reimbursementRequestId,
     users.johnBoddy,
@@ -1596,7 +1596,7 @@ export const seedReimbursementRequests = async (
     organization,
     new Date('2024-05-08')
   );
-  await ReimbursementRequestService.setSaboNumber(rr34.reimbursementRequestId, 12330, users.richieRich, organization);
+  await ReimbursementRequestService.setSaboNumber(rr34.reimbursementRequestId, 'newklajfd', users.richieRich, organization);
   await ReimbursementRequestService.inputReimbursementRequestInSabo(
     rr34.reimbursementRequestId,
     users.richieRich,

src/backend/src/routes/reimbursement-requests.routes.ts

@@ -157,14 +157,14 @@ reimbursementRequestsRouter.get('/pending-advisor/list', ReimbursementRequestCon
 reimbursementRequestsRouter.post(
   '/pending-advisor/send',
   body('saboNumbers').isArray(),
-  intMinZero(body('saboNumbers.*')),
+  nonEmptyString(body('saboNumbers.*')),
   validateInputs,
   ReimbursementRequestController.sendPendingAdvisorList
 );
 
 reimbursementRequestsRouter.post(
   '/:requestId/set-sabo-number',
-  intMinZero(body('saboNumber')),
+  nonEmptyString(body('saboNumber')),
   validateInputs,
   ReimbursementRequestController.setSaboNumber
 );

src/backend/src/services/prospective-sponsor.services.ts

@@ -1,14 +1,12 @@
 import {
   CreateSponsorTask,
   FirstContactMethod,
-  isHead,
   ProspectiveSponsor,
   ProspectiveSponsorStatus,
   SponsorTask,
   User
 } from 'shared';
 import { Organization, Prospective_Sponsor_Status, Sponsor_Value_Type } from '@prisma/client';
-import { userHasPermission } from '../utils/users.utils.js';
 import { getProspectiveSponsorQueryArgs } from '../prisma-query-args/prospective-sponsor.query-args.js';
 import { getSponsorTaskQueryArgs } from '../prisma-query-args/sponsor.query.args.js';
 import {
@@ -22,7 +20,7 @@ import prisma from '../prisma/prisma.js';
 import { prospectiveSponsorTransformer } from '../transformers/prospective-sponsor.transformer.js';
 import { sponsorTaskTransformer } from '../transformers/sponsor-task.transformer.js';
 import { notifySponsorTaskAssignee } from '../utils/slack.utils.js';
-import { isUserFinanceTeamOrHead } from '../utils/reimbursement-requests.utils.js';
+import { isUserFinanceLeadOrHead, isUserFinanceTeamOrHead } from '../utils/reimbursement-requests.utils.js';
 
 export default class ProspectiveSponsorServices {
   /**
@@ -293,8 +291,8 @@ export default class ProspectiveSponsorServices {
     deleter: User,
     organization: Organization
   ): Promise<ProspectiveSponsor> {
-    if (!(await userHasPermission(deleter.userId, organization.organizationId, isHead))) {
-      throw new AccessDeniedException('Only heads can delete prospective sponsors');
+    if (!(await isUserFinanceLeadOrHead(deleter, organization.organizationId))) {
+      throw new AccessDeniedException('Only finance leads or heads can delete prospective sponsors');
     }
 
     const prospectiveSponsor = await prisma.prospective_Sponsor.findUnique({
@@ -416,9 +414,11 @@ export default class ProspectiveSponsorServices {
     if (prospectiveSponsor.dateDeleted) throw new DeletedException('ProspectiveSponsor', prospectiveSponsorId);
 
     const isContactor = prospectiveSponsor.contactorUserId === submitter.userId;
-    const isUserHead = await userHasPermission(submitter.userId, organization.organizationId, isHead);
-    if (!isUserHead && !isContactor) {
-      throw new AccessDeniedException('Only heads or the assigned contactor can accept prospective sponsors');
+    const canAccept = await isUserFinanceLeadOrHead(submitter, organization.organizationId);
+    if (!canAccept && !isContactor) {
+      throw new AccessDeniedException(
+        'Only finance leads, heads, or the assigned contactor can accept prospective sponsors'
+      );
     }
     if (prospectiveSponsor.status === Prospective_Sponsor_Status.ACCEPTED) {
       throw new HttpException(400, 'This prospective sponsor has already been accepted');

src/backend/src/services/reimbursement-requests.services.ts

@@ -612,7 +612,7 @@ export default class ReimbursementRequestService {
    * @param saboNumbers the sabo numbers of the reimbursement requests to send
    * @param organizationId the organization the user is currently in
    */
-  static async sendPendingAdvisorList(sender: User, saboNumbers: number[], organizationId: string) {
+  static async sendPendingAdvisorList(sender: User, saboNumbers: string[], organizationId: string) {
     const organization = await prisma.organization.findUnique({
       where: { organizationId },
       include: { advisor: true }
@@ -688,7 +688,7 @@ export default class ReimbursementRequestService {
 
   static async setSaboNumber(
     reimbursementRequestId: string,
-    saboNumber: number,
+    saboNumber: string,
     submitter: User,
     organization: Organization
   ) {

src/backend/src/utils/reimbursement-requests.utils.ts

@@ -502,6 +502,25 @@ export const isUserLeadOrHeadOfFinanceTeam = async (user: User, organizationId:
   return user.userId === financeTeam.headId || financeTeam.leads.map((u) => u.userId).includes(user.userId);
 };
 
+/**
+ * Checks if a user is a lead/head of the finance team or has a system role of Head or higher.
+ * Checks isHead first since it doesn't require the finance team to exist.
+ *
+ * @param user the user to check
+ * @param organizationId the organization id
+ * @returns whether the user is a finance lead/head or has Head+ system role
+ */
+export const isUserFinanceLeadOrHead = async (user: User, organizationId: string): Promise<boolean> => {
+  if (await userHasPermission(user.userId, organizationId, isHead)) {
+    return true;
+  }
+  try {
+    return await isUserLeadOrHeadOfFinanceTeam(user, organizationId);
+  } catch {
+    return false;
+  }
+};
+
 export const isCurrentUserOnFinance = (user: Prisma.UserGetPayload<AuthUserQueryArgs>) => {
   return (
     user.teamsAsHead.some((team) => team.financeTeam) ||

src/backend/src/utils/slack.utils.ts

@@ -225,7 +225,7 @@ export const sendPendingSaboSubmissionNotification = async (
     threads,
     `${await getUserSlackMentionOrName(financeUserId)} has added this reimbursement request to Concur. ${await getUserSlackMentionOrName(pendingSubmissionFromId)}, please check your email to approve the request in Concur and mark it as submitted on Finishline.`
   );
-  const userId = await getUserSlackId(financeUserId);
+  const userId = await getUserSlackId(pendingSubmissionFromId);
   if (threads && threads.length !== 0 && userId) {
     const msgs = threads.map((thread) =>
       sendEphemeralMessage(

src/backend/tests/unit/prospective-sponsor.test.ts

@@ -3,7 +3,7 @@ import ProspectiveSponsorServices from '../../src/services/prospective-sponsor.s
 import FinanceServices from '../../src/services/finance.services.js';
 import { AccessDeniedException, DeletedException, HttpException, NotFoundException } from '../../src/utils/errors.utils.js';
 import { batmanAppAdmin, wonderwomanGuest, supermanAdmin } from '../test-data/users.test-data.js';
-import { createTestOrganization, createTestUser, resetUsers } from '../test-utils.js';
+import { createFinanceTeamAndLead, createTestOrganization, createTestUser, resetUsers } from '../test-utils.js';
 import prisma from '../../src/prisma/prisma.js';
 import { FirstContactMethod, ProspectiveSponsorStatus } from 'shared';
 
@@ -627,7 +627,7 @@ describe('Prospective Sponsor Tests', () => {
   });
 
   describe('Delete Prospective Sponsor', () => {
-    it('Fails if user is not a head', async () => {
+    it('Fails if user is not a finance lead or head', async () => {
       const head = await createTestUser(batmanAppAdmin, orgId);
       const guest = await createTestUser(wonderwomanGuest, orgId);
 
@@ -646,7 +646,49 @@ describe('Prospective Sponsor Tests', () => {
 
       await expect(
         ProspectiveSponsorServices.deleteProspectiveSponsor(ps.prospectiveSponsorId, guest, organization)
-      ).rejects.toThrow(new AccessDeniedException('Only heads can delete prospective sponsors'));
+      ).rejects.toThrow(new AccessDeniedException('Only finance leads or heads can delete prospective sponsors'));
+    });
+
+    it('Fails if user is a finance team member (not lead)', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeMember = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeMember' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      await expect(
+        ProspectiveSponsorServices.deleteProspectiveSponsor(ps.prospectiveSponsorId, financeMember, organization)
+      ).rejects.toThrow(new AccessDeniedException('Only finance leads or heads can delete prospective sponsors'));
+    });
+
+    it('Succeeds if user is a finance team lead', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeLead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeLead' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      const result = await ProspectiveSponsorServices.deleteProspectiveSponsor(
+        ps.prospectiveSponsorId,
+        financeLead,
+        organization
+      );
+
+      expect(result.prospectiveSponsorId).toBe(ps.prospectiveSponsorId);
+      const deletedPs = await prisma.prospective_Sponsor.findUnique({
+        where: { prospectiveSponsorId: ps.prospectiveSponsorId }
+      });
+      expect(deletedPs?.dateDeleted).not.toBeNull();
     });
 
     it('Fails if prospective sponsor does not exist', async () => {
@@ -891,7 +933,7 @@ describe('Prospective Sponsor Tests', () => {
   });
 
   describe('Accept Prospective Sponsor', () => {
-    it('Fails if user is not a head or contactor', async () => {
+    it('Fails if user is not a finance lead, head, or contactor', async () => {
       const head = await createTestUser(batmanAppAdmin, orgId);
       const guest = await createTestUser(wonderwomanGuest, orgId);
 
@@ -920,7 +962,69 @@ describe('Prospective Sponsor Tests', () => {
           false,
           5000
         )
-      ).rejects.toThrow(new AccessDeniedException('Only heads or the assigned contactor can accept prospective sponsors'));
+      ).rejects.toThrow(
+        new AccessDeniedException('Only finance leads, heads, or the assigned contactor can accept prospective sponsors')
+      );
+    });
+
+    it('Fails if user is a finance team member (not lead or contactor)', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeMember = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeMember' } });
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Acme Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      await expect(
+        ProspectiveSponsorServices.acceptProspectiveSponsor(
+          financeMember,
+          organization,
+          ps.prospectiveSponsorId,
+          undefined,
+          ['MONETARY'],
+          new Date(),
+          [2024],
+          false
+        )
+      ).rejects.toThrow(
+        new AccessDeniedException('Only finance leads, heads, or the assigned contactor can accept prospective sponsors')
+      );
+    });
+
+    it('Succeeds if user is a finance team lead', async () => {
+      await createFinanceTeamAndLead(organization);
+      const financeHead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeHead' } });
+      const financeLead = await prisma.user.findUniqueOrThrow({ where: { googleAuthId: 'financeLead' } });
+      const joinDate = new Date(2024, 6, 1);
+
+      const ps = await ProspectiveSponsorServices.createProspectiveSponsor(
+        financeHead,
+        organization,
+        'Finance Lead Accept Corp',
+        ProspectiveSponsorStatus.NOT_IN_CONTACT
+      );
+
+      const result = await ProspectiveSponsorServices.acceptProspectiveSponsor(
+        financeLead,
+        organization,
+        ps.prospectiveSponsorId,
+        undefined,
+        ['MONETARY'],
+        joinDate,
+        [2024],
+        false,
+        2500
+      );
+
+      expect(result.status).toBe(ProspectiveSponsorStatus.ACCEPTED);
+      const sponsors = await FinanceServices.getAllSponsors(organization);
+      const createdSponsor = sponsors.find((s) => s.name === 'Finance Lead Accept Corp');
+      expect(createdSponsor).toBeDefined();
+      expect(createdSponsor!.sponsorValue).toBe(2500);
     });
 
     it('Succeeds when the contactor accepts', async () => {