An admin can publish a SWU opp. without review (API only)

[joserwan]

Classic steps are :

1. Draft (if base validation passes)
2. Submit for review (if complete validation passes)
3. Publish (if previous step passes)

But an admin can go from step 1. to step 3. Then, no validation is done at step 2.

Relevant code parts :

// src/shared/lib/resources/opportunity/sprint-with-us.ts
export function isValidStatusChange(from: SWUOpportunityStatus, to: SWUOpportunityStatus): boolean {
  switch (from) {
    case SWUOpportunityStatus.Draft:
      // UnderReview step can be omitted
      return [SWUOpportunityStatus.UnderReview, SWUOpportunityStatus.Published].includes(to);
// [...]

But validations take place while Reviewal step :

// src/back-end/lib/resources/opportunity/sprint-with-us.ts

case 'publish':
            // [...]
            // Opportunity will have been fully validated during review process, so no need to repeat
            const validatedPublishNote = opportunityValidation.validateNote(request.body.value);
            if (isInvalid(validatedPublishNote)) {
              return invalid({ opportunity: adt('publish' as const, validatedPublishNote.value) });
            }
            return valid({
              session: request.session,
              body: adt('publish', validatedPublishNote.value)
            });

Found this bug while converting postman tests to Mocha (https://github.com/CQEN-QDCE/digital_marketplace/tree/experimentation/tests/back-end/unit/lib/api)

[dhruvio]

Thanks, @joserwan, we will review this and share our updates here.

[dhruvio]

I have reviewed this issue, and it is indeed a bug. Thanks for bringing it to our attention, @joserwan. I have created a ticket in BCGov's JIRA backlog (DM-728). Some notes for posterity:

• The intended functionality is that Admins can publish draft SWU opportunities directly. Non-admin Government users can only submit draft SWU opportunities for review (to be published by Admins).
• The front-end UI validates draft SWU opportunities so they invalid ones can't be published by Admins (disables the "Publish" button). However, the back-end API does not perform the same validation.
• The solution involves adding a conditional check in src/back-end/lib/resources/opportunity/sprint-with-us.ts to ensure the SWU opportunity is valid before publishing.