Humemah(userProfile): add final day API route#1749
Merged
one-community merged 3 commits intodevelopmentfrom Nov 20, 2025
Merged
Humemah(userProfile): add final day API route#1749one-community merged 3 commits intodevelopmentfrom
one-community merged 3 commits intodevelopmentfrom
Conversation
nathanah
requested changes
Nov 11, 2025
Comment on lines
+2368
to
+2373
| const requestor = req.body.requestor; | ||
| const hasPermission = | ||
| requestor?.role === 'Owner' || | ||
| requestor?.role === 'Administrator' || | ||
| requestor?.permissions?.frontPermissions?.includes('setUserFinalDay') || | ||
| requestor?.permissions?.backPermissions?.includes('interactWithSetFinalDayButton'); |
Contributor
There was a problem hiding this comment.
Suggested change
| const requestor = req.body.requestor; | |
| const hasPermission = | |
| requestor?.role === 'Owner' || | |
| requestor?.role === 'Administrator' || | |
| requestor?.permissions?.frontPermissions?.includes('setUserFinalDay') || | |
| requestor?.permissions?.backPermissions?.includes('interactWithSetFinalDayButton'); | |
| const hasPermission = await hasPermission(req.body.requestor, 'setFinalDay'); |
Need to use hasPermission() to check role and individual permissions and be consistent with the rest of the codebase. Also, not sure if these permission keys are consistent with the FE now.
| 'accessHgnSkillsDashboard', | ||
| 'manageFAQs', | ||
| 'manageHGNAccessSetup', | ||
| 'interactWithSetFinalDayButton' |
Contributor
There was a problem hiding this comment.
Suggested change
| 'interactWithSetFinalDayButton' | |
| 'setFinalDay' |
I believe this was the key we used on the FE.
| 'editTeamCode', | ||
| 'accessHgnSkillsDashboard', | ||
| 'manageFAQs', | ||
| 'interactWithSetFinalDayButton', |
Contributor
There was a problem hiding this comment.
Suggested change
| 'interactWithSetFinalDayButton', | |
| 'setFinalDay', |
I believe this was the key we used on the FE.
Comment on lines
+2340
to
+2357
|
|
||
|
|
||
| // if (!req.user.permissions.includes('interactWithSetFinalDayButton')) { | ||
| // return res.status(403).json({ | ||
| // success: false, | ||
| // message: 'Access denied. Insufficient permissions.', | ||
| // }); | ||
| // } | ||
| // if (!req.user || !req.user.permissions || !req.user.permissions.includes('interactWithSetFinalDayButton')) { | ||
| // return res.status(403).json({ | ||
| // success: false, | ||
| // message: 'Access denied. Insufficient permissions.', | ||
| // }); | ||
| // } | ||
| console.log('=== DEBUG setFinalDay ==='); | ||
| console.log('req.body.requestor:', req.body.requestor); | ||
| console.log('req.body.requestor.role:', req.body.requestor?.role); | ||
| console.log('req.body.requestor.permissions:', req.body.requestor?.permissions); |
Contributor
There was a problem hiding this comment.
Suggested change
| // if (!req.user.permissions.includes('interactWithSetFinalDayButton')) { | |
| // return res.status(403).json({ | |
| // success: false, | |
| // message: 'Access denied. Insufficient permissions.', | |
| // }); | |
| // } | |
| // if (!req.user || !req.user.permissions || !req.user.permissions.includes('interactWithSetFinalDayButton')) { | |
| // return res.status(403).json({ | |
| // success: false, | |
| // message: 'Access denied. Insufficient permissions.', | |
| // }); | |
| // } | |
| console.log('=== DEBUG setFinalDay ==='); | |
| console.log('req.body.requestor:', req.body.requestor); | |
| console.log('req.body.requestor.role:', req.body.requestor?.role); | |
| console.log('req.body.requestor.permissions:', req.body.requestor?.permissions); |
Cleaning up
| const { hasPermission, canRequestorUpdateUser } = require('../utilities/permissions'); | ||
| const helper = require('../utilities/permissions'); | ||
|
|
||
| // const { hasPermission } = require('../utilities/createInitialPermissions'); |
Contributor
There was a problem hiding this comment.
Suggested change
| // const { hasPermission } = require('../utilities/createInitialPermissions'); |
more cleaning
Contributor
Author
There was a problem hiding this comment.
Hi @nathanah
Thanks for the review! I’ve updated the code
its working with set final day key
Volunter with no permision is denied acesss
Member
|
Thank you all, merging! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR introduces functionality to set the final day (endDate) for a user.
Related PRS (if any):
This backend PR is related to the frontend PR.
…
Main changes explained:
Implemented permission checks to ensure only authorized users (Owners, Administrators, or those with the appropriate front/back permissions) can set a Final Day
Permission Rules
Users with the setFinalDay permission can set the final day.
This includes Owners and Administrators by default.
Users without the setFinalDay permission (e.g., Volunteers) will receive an access denied response.
How to test:
Checkout this branch.
Run npm install and start the backend with npm run dev.
Send a PATCH request via Postman
Note:
Include the information the reviewers need to know.