[PROD] - Security, clean up & bug fixes

src/apps/review/src/lib/components/ChallengeDetailsContent/TabContentSubmissions.tsx

@@ -25,14 +25,15 @@ import {
     BackendSubmission,
     ChallengeDetailContextModel,
     convertBackendSubmissionToSubmissionInfo,
+    ReviewAppContextModel,
     SubmissionInfo,
 } from '../../models'
 import { TableNoRecord } from '../TableNoRecord'
 import { TableWrapper } from '../TableWrapper'
 import { SubmissionHistoryModal } from '../SubmissionHistoryModal'
 import { useSubmissionDownloadAccess } from '../../hooks/useSubmissionDownloadAccess'
 import type { UseSubmissionDownloadAccessResult } from '../../hooks/useSubmissionDownloadAccess'
-import { ChallengeDetailContext } from '../../contexts'
+import { ChallengeDetailContext, ReviewAppContext } from '../../contexts'
 import {
     challengeHasSubmissionLimit,
     getSubmissionHistoryKey,
@@ -42,6 +43,7 @@ import {
 import type { SubmissionHistoryPartition } from '../../utils'
 import { TABLE_DATE_FORMAT } from '../../../config/index.config'
 import { CollapsibleAiReviewsRow } from '../CollapsibleAiReviewsRow'
+import { useRolePermissions, UseRolePermissionsResult } from '../../hooks'
 
 import styles from './TabContentSubmissions.module.scss'
 
@@ -67,9 +69,36 @@ export const TabContentSubmissions: FC<Props> = props => {
         isSubmissionDownloadRestrictedForMember,
         getRestrictionMessageForMember,
     }: UseSubmissionDownloadAccessResult = useSubmissionDownloadAccess()
+    const { loginUserInfo }: ReviewAppContextModel = useContext(ReviewAppContext)
+    const { canViewAllSubmissions }: UseRolePermissionsResult = useRolePermissions()
 
     const { challengeInfo }: ChallengeDetailContextModel = useContext(ChallengeDetailContext)
 
+    const isCompletedDesignChallenge = useMemo(() => {
+        if (!challengeInfo) return false
+        const type = challengeInfo.track.name ? String(challengeInfo.track.name)
+            .toLowerCase() : ''
+        const status = challengeInfo.status ? String(challengeInfo.status)
+            .toLowerCase() : ''
+        return type === 'design' && (
+            status === 'completed'
+        )
+    }, [challengeInfo])
+
+    const isSubmissionsViewable = useMemo(() => {
+        if (!challengeInfo?.metadata?.length) return false
+        return challengeInfo.metadata.some(m => m.name === 'submissionsViewable' && String(m.value)
+            .toLowerCase() === 'true')
+    }, [challengeInfo])
+
+    const canViewSubmissions = useMemo(() => {
+        if (isCompletedDesignChallenge) {
+            return canViewAllSubmissions || isSubmissionsViewable
+        }
+
+        return true
+    }, [isCompletedDesignChallenge, isSubmissionsViewable, canViewAllSubmissions])
+
     const submissionMetaById = useMemo(
         () => {
             const map = new Map<string, BackendSubmission>()
@@ -205,19 +234,32 @@ export const TabContentSubmissions: FC<Props> = props => {
 
     const filteredSubmissions = useMemo<BackendSubmission[]>(
         () => {
+
+            const filterFunc = (submissions: BackendSubmission[]): BackendSubmission[] => submissions
+                .filter(submission => {
+                    if (!canViewSubmissions) {
+                        return String(submission.memberId) === String(loginUserInfo?.userId)
+                    }
+
+                    return true
+                })
+            const filteredByUserId = filterFunc(latestBackendSubmissions)
+            const filteredByUserIdSubmissions = filterFunc(props.submissions)
             if (restrictToLatest && hasLatestFlag) {
                 return latestBackendSubmissions.length
-                    ? latestBackendSubmissions
-                    : props.submissions
+                    ? filteredByUserId
+                    : filteredByUserIdSubmissions
             }
 
-            return props.submissions
+            return filteredByUserIdSubmissions
         },
         [
             latestBackendSubmissions,
             props.submissions,
             restrictToLatest,
             hasLatestFlag,
+            canViewSubmissions,
+            loginUserInfo?.userId,
         ],
     )
 

src/apps/review/src/lib/components/Scorecard/ScorecardViewer/ScorecardQuestion/ReviewResponse/ReviewComment/ReviewComment.tsx

@@ -10,6 +10,7 @@ import { get, includes } from 'lodash'
 import { yupResolver } from '@hookform/resolvers/yup'
 import { IconAppeal, IconEdit } from '~/apps/review/src/lib/assets/icons'
 import { ADMIN, COPILOT, REVIEWER } from '~/apps/review/src/config/index.config'
+import { useRolePermissions, UseRolePermissionsResult } from '~/apps/review/src/lib/hooks'
 
 import {
     AppealInfo,
@@ -44,6 +45,7 @@ const ReviewComment: FC<ReviewCommentProps> = props => {
         addAppeal,
         isSavingAppeal,
     }: ScorecardViewerContextValue = useScorecardViewerContext()
+    const { isAdmin, hasReviewerRole }: UseRolePermissionsResult = useRolePermissions()
 
     const { challengeInfo }: ChallengeDetailContextModel = useContext(
         ChallengeDetailContext,
@@ -175,7 +177,7 @@ const ReviewComment: FC<ReviewCommentProps> = props => {
                         appeal={props.appeal}
                         reviewItem={props.reviewItem}
                         scorecardQuestion={props.question}
-                        canRespondToAppeal={isReviewerRole}
+                        canRespondToAppeal={isAdmin || hasReviewerRole}
                     >
                         {isSubmitter && canAddAppeal && (
                             <div className={styles.blockBtns}>