topcoder-platform · vikasrohit · Jun 3, 2021 · Mar 11, 2021 · May 17, 2021 · May 17, 2021
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -152,7 +152,7 @@ workflows:
             - UnitTests
           filters:
             branches:
-              only: ['develop', 'connect-performance-testing', 'feature/get-markup-from-billing-account']
+              only: ['develop', 'connect-performance-testing', 'feature/shapeup_billing_accounts_protections']
       - deployProd:
           context : org-global
           requires:

diff --git a/config/development.json b/config/development.json
@@ -9,5 +9,6 @@
   "identityServiceEndpoint": "https://api.topcoder-dev.com/v3/",
   "taasJobApiUrl": "https://api.topcoder-dev.com/v5/jobs",
   "sfdcBillingAccountNameField": "Billing_Account_Name__c",
-  "sfdcBillingAccountMarkupField": "Mark_Up__c"
+  "sfdcBillingAccountMarkupField": "Mark_Up__c",
+  "sfdcBillingAccountActiveField": "Active__c"
 }
diff --git a/config/production.json b/config/production.json
@@ -2,5 +2,6 @@
   "authDomain": "topcoder.com",
   "connectProjectsUrl": "https://connect.topcoder.com/projects/",
   "sfdcBillingAccountNameField": "Billing_Account_name__c",
-  "sfdcBillingAccountMarkupField": "Mark_up__c"
+  "sfdcBillingAccountMarkupField": "Mark_up__c",
+  "sfdcBillingAccountActiveField": "Active__c"
 }
diff --git a/src/permissions/constants.js b/src/permissions/constants.js
@@ -293,6 +293,13 @@ export const PERMISSION = { // eslint-disable-line import/prefer-default-export
       group: 'Project Billing Accounts',
       description: 'Who can view the details of the Billing Account attached to the project',
     },
+    projectRoles: [
+      ...PROJECT_ROLES_MANAGEMENT,
+      PROJECT_MEMBER_ROLE.COPILOT,
+    ],
+    topcoderRoles: [
+      USER_ROLE.TOPCODER_ADMIN,
+    ],
     scopes: SCOPES_PROJECTS_READ_BILLING_ACCOUNT_DETAILS,
   },
 

diff --git a/src/routes/billingAccounts/get.js b/src/routes/billingAccounts/get.js
@@ -42,9 +42,15 @@ module.exports = [
       }
       const { accessToken, instanceUrl } = await SalesforceService.authenticate();
       // eslint-disable-next-line
-      const sql = `SELECT  TopCoder_Billing_Account_Id__c, Mark_Up__c from Topcoder_Billing_Account__c tba where TopCoder_Billing_Account_Id__c='${billingAccountId}'`;
+      const sql = `SELECT  TopCoder_Billing_Account_Id__c, Mark_Up__c, Active__c from Topcoder_Billing_Account__c tba where TopCoder_Billing_Account_Id__c='${billingAccountId}'`;
       req.log.debug(sql);
       const billingAccount = await SalesforceService.queryBillingAccount(sql, accessToken, instanceUrl, req.log);
+      const isMachineToken = _.get(req, 'authUser.isMachine', false);
+      if (!isMachineToken) {
+        // delete sensitive information for non machine access
+        // does not revalidate the scope as it assumes that is already taken care
+        delete billingAccount.markup;
+      }
       res.json(billingAccount);
     } catch (error) {
       req.log.error(error);

diff --git a/src/routes/billingAccounts/get.spec.js b/src/routes/billingAccounts/get.spec.js
@@ -8,7 +8,7 @@ import server from '../../app';
 import testUtil from '../../tests/util';
 import SalesforceService from '../../services/salesforceService';
 
-chai.should();
+const should = chai.should();
 
 // demo data which might be returned by the `SalesforceService.query`
 const billingAccountData = {
@@ -114,16 +114,6 @@ describe('Project Billing Accounts list', () => {
         .expect(403, done);
     });
 
-    it('should return 403 for admin', (done) => {
-      request(server)
-        .get(`/v5/projects/${project1.id}/billingAccount`)
-        .set({
-          Authorization: `Bearer ${testUtil.jwts.admin}`,
-        })
-        .send()
-        .expect(403, done);
-    });
-
     it('should return 404 if the project is not found', (done) => {
       request(server)
         .get('/v5/projects/11223344/billingAccount')
@@ -163,5 +153,26 @@ describe('Project Billing Accounts list', () => {
             }
           });
       });
+
+    it('should return billing account details using user token but without markup field',
+      (done) => {
+        request(server)
+          .get(`/v5/projects/${project1.id}/billingAccount`)
+          .set({
+            Authorization: `Bearer ${testUtil.jwts.admin}`,
+          })
+          .send()
+          .expect(200)
+          .end((err, res) => {
+            if (err) {
+              done(err);
+            } else {
+              const resJson = res.body;
+              resJson.tcBillingAccountId.should.be.eql(billingAccountData.tcBillingAccountId);
+              should.not.exist(resJson.markup);
+              done();
+            }
+          });
+      });
   });
 });
diff --git a/src/services/salesforceService.js b/src/services/salesforceService.js
@@ -102,6 +102,7 @@ class SalesforceService {
           null, // fallback to null if cannot parse
         ),
         markup: _.get(o, config.get('sfdcBillingAccountMarkupField')),
+        active: _.get(o, config.get('sfdcBillingAccountActiveField')),
       }));
       return billingAccounts.length > 0 ? billingAccounts[0] : {};
     });