Merge pull request #9 from topcoder-platform/dev

jmgasper · web-flow · commit 043663e24744 · 2026-03-26T07:59:00.000+11:00
Prod deploy - Allow Talent Managers to launch challenges
diff --git a/README.md b/README.md
@@ -96,10 +96,12 @@ For the full v5 -> v6 mapping table, see `docs/api-usage-analysis.md`.
 | `DELETE` | `/v6/projects/:projectId` | Admin only | Soft-delete project |
 | `GET` | `/v6/projects/:projectId/billingAccount` | JWT / M2M | Default billing account (Salesforce) |
 | `GET` | `/v6/projects/:projectId/billingAccounts` | JWT / M2M | All billing accounts for project |
-| `GET` | `/v6/projects/:projectId/permissions` | JWT / M2M | Regular human JWT: caller work-management policy map. M2M, admins, project managers, and project copilots on the project: per-member permission matrix with project permissions and template policies |
+| `GET` | `/v6/projects/:projectId/permissions` | JWT / M2M | Regular human JWT: caller work-management policy map. M2M, admins, project managers, talent managers, and project copilots on the project: per-member permission matrix with project permissions and template policies |
 
 Talent Manager note:
 - `Talent Manager` and `Topcoder Talent Manager` callers create projects as primary `manager` members.
+- `Talent Manager` and `Topcoder Talent Manager` users can also be assigned the `manager` (`Full Access`) project role through member add/update/invite flows.
+- `Talent Manager` and `Topcoder Talent Manager` callers also receive the elevated per-member response from `GET /v6/projects/:projectId/permissions`, which is used to provision challenge-related actions in Work Manager.
 - Updating `billingAccountId` is restricted to human administrators and project members whose role on that project is `manager` (`Full Access`).
 
 ### Members
diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md
@@ -31,7 +31,9 @@ Swagger auth notes:
 ## Talent Manager Behavior
 
 - `Talent Manager` and `Topcoder Talent Manager` satisfy `CREATE_PROJECT_AS_MANAGER`, so project creation persists them as the primary `manager` project member.
+- The same Talent Manager roles also satisfy the `manager` project-role validation used by member add/update/invite flows, so they can be granted `Full Access` from Work Manager's Users tab.
 - That primary `manager` membership then unlocks the standard manager-level project-owner paths, such as edit and delete checks that rely on project-member context.
+- `Talent Manager` and `Topcoder Talent Manager` also qualify for the elevated `GET /v6/projects/:projectId/permissions` response, which keeps Work Manager's challenge-provisioning matrix aligned with project-manager access.
 
 ## Billing Account Editing
 
diff --git a/src/api/project-member/project-member.service.spec.ts b/src/api/project-member/project-member.service.spec.ts
@@ -2,6 +2,7 @@ import { BadRequestException, ForbiddenException } from '@nestjs/common';
 import { ProjectMemberRole } from '@prisma/client';
 import { Permission } from 'src/shared/constants/permissions';
 import { KAFKA_TOPIC } from 'src/shared/config/kafka.config';
+import { UserRole } from 'src/shared/enums/userRole.enum';
 import { MemberService } from 'src/shared/services/member.service';
 import { PermissionService } from 'src/shared/services/permission.service';
 import { ProjectMemberService } from './project-member.service';
@@ -177,6 +178,73 @@ describe('ProjectMemberService', () => {
     });
   });
 
+  [UserRole.TALENT_MANAGER, UserRole.TOPCODER_TALENT_MANAGER].forEach(
+    (topcoderRole) => {
+      it(`allows ${topcoderRole} users to be added as manager project members`, async () => {
+        prismaMock.project.findFirst.mockResolvedValue({
+          id: BigInt(1001),
+          members: [],
+        });
+
+        const txMock = {
+          projectMember: {
+            create: jest.fn().mockResolvedValue({
+              id: BigInt(3),
+              projectId: BigInt(1001),
+              userId: BigInt(456),
+              role: ProjectMemberRole.manager,
+              isPrimary: false,
+              createdAt: new Date(),
+              updatedAt: new Date(),
+              createdBy: 123,
+              updatedBy: 123,
+              deletedAt: null,
+              deletedBy: null,
+            }),
+          },
+          projectMemberInvite: {
+            updateMany: jest.fn().mockResolvedValue({ count: 0 }),
+          },
+        };
+
+        prismaMock.$transaction.mockImplementation(
+          (callback: (tx: unknown) => Promise<unknown>) => callback(txMock),
+        );
+
+        permissionServiceMock.hasNamedPermission.mockImplementation(
+          (permission: Permission): boolean =>
+            permission === Permission.CREATE_PROJECT_MEMBER_NOT_OWN,
+        );
+        memberServiceMock.getUserRoles.mockResolvedValue([topcoderRole]);
+        memberServiceMock.getMemberDetailsByUserIds.mockResolvedValue([]);
+
+        await service.addMember(
+          '1001',
+          {
+            userId: '456',
+            role: ProjectMemberRole.manager,
+          },
+          {
+            userId: '123',
+            roles: [UserRole.TOPCODER_ADMIN],
+            isMachine: false,
+          },
+          undefined,
+        );
+
+        expect(txMock.projectMember.create).toHaveBeenCalledWith({
+          data: {
+            projectId: BigInt(1001),
+            userId: BigInt(456),
+            role: ProjectMemberRole.manager,
+            createdBy: 123,
+            updatedBy: 123,
+          },
+        });
+      });
+    },
+  );
+
   it('rejects invalid target user ids before querying the project', async () => {
     await expect(
       service.addMember(
@@ -297,6 +365,86 @@ describe('ProjectMemberService', () => {
     });
   });
 
+  [UserRole.TALENT_MANAGER, UserRole.TOPCODER_TALENT_MANAGER].forEach(
+    (topcoderRole) => {
+      it(`allows ${topcoderRole} users to be promoted to manager project members`, async () => {
+        prismaMock.project.findFirst.mockResolvedValue({
+          id: BigInt(1001),
+          members: [
+            {
+              id: BigInt(2),
+              projectId: BigInt(1001),
+              userId: BigInt(456),
+              role: ProjectMemberRole.customer,
+              isPrimary: false,
+              createdAt: new Date(),
+              updatedAt: new Date(),
+              createdBy: 1,
+              updatedBy: 1,
+              deletedAt: null,
+              deletedBy: null,
+            },
+          ],
+        });
+
+        const txMock = {
+          projectMember: {
+            updateMany: jest.fn().mockResolvedValue({ count: 0 }),
+            update: jest.fn().mockResolvedValue({
+              id: BigInt(2),
+              projectId: BigInt(1001),
+              userId: BigInt(456),
+              role: ProjectMemberRole.manager,
+              isPrimary: false,
+              createdAt: new Date(),
+              updatedAt: new Date(),
+              createdBy: 1,
+              updatedBy: 123,
+              deletedAt: null,
+              deletedBy: null,
+            }),
+          },
+        };
+
+        prismaMock.$transaction.mockImplementation(
+          (callback: (tx: unknown) => Promise<unknown>) => callback(txMock),
+        );
+
+        permissionServiceMock.hasNamedPermission.mockImplementation(
+          (permission: Permission): boolean =>
+            permission === Permission.UPDATE_PROJECT_MEMBER_NON_CUSTOMER,
+        );
+        memberServiceMock.getUserRoles.mockResolvedValue([topcoderRole]);
+        memberServiceMock.getMemberDetailsByUserIds.mockResolvedValue([]);
+
+        await service.updateMember(
+          '1001',
+          '2',
+          {
+            role: ProjectMemberRole.manager,
+          },
+          {
+            userId: '123',
+            roles: [UserRole.TOPCODER_ADMIN],
+            isMachine: false,
+          },
+          undefined,
+        );
+
+        expect(txMock.projectMember.update).toHaveBeenCalledWith({
+          where: {
+            id: BigInt(2),
+          },
+          data: {
+            role: ProjectMemberRole.manager,
+            isPrimary: undefined,
+            updatedBy: 123,
+          },
+        });
+      });
+    },
+  );
+
   it('deletes a project member for machine principals inferred from token claims', async () => {
     prismaMock.project.findFirst.mockResolvedValue({
       id: BigInt(1001),
diff --git a/src/api/project/project.controller.ts b/src/api/project/project.controller.ts
@@ -316,9 +316,10 @@ export class ProjectController {
    * @param projectId Project id path parameter.
    * @param user Authenticated caller context.
    * @returns Non-privileged human callers receive a caller policy map. M2M,
-   * admins, global project managers, and project copilots on the requested
-   * project receive a per-user matrix containing memberships, Topcoder roles,
-   * named project permissions, and template work-management policies.
+   * admins, global project managers, global talent managers, and project
+   * copilots on the requested project receive a per-user matrix containing
+   * memberships, Topcoder roles, named project permissions, and template
+   * work-management policies.
    * @throws BadRequestException When `projectId` is not numeric.
    * @throws UnauthorizedException When the caller is unauthenticated.
    * @throws ForbiddenException When caller cannot access the project.
@@ -334,7 +335,11 @@ export class ProjectController {
     Scope.CONNECT_PROJECT_ADMIN,
   )
   @RequirePermission(Permission.VIEW_PROJECT, {
-    topcoderRoles: [UserRole.PROJECT_MANAGER],
+    topcoderRoles: [
+      UserRole.PROJECT_MANAGER,
+      UserRole.TALENT_MANAGER,
+      UserRole.TOPCODER_TALENT_MANAGER,
+    ],
   })
   @ApiOperation({ summary: 'Get user permissions for project' })
   @ApiParam({
@@ -345,7 +350,7 @@ export class ProjectController {
   @ApiResponse({
     status: 200,
     description:
-      'Caller policy map for regular human JWTs, or a per-user permission matrix for M2M/admin/project-manager/project-copilot callers',
+      'Caller policy map for regular human JWTs, or a per-user permission matrix for M2M/admin/project-manager/talent-manager/project-copilot callers',
     schema: {
       oneOf: [
         {
diff --git a/src/api/project/project.service.spec.ts b/src/api/project/project.service.spec.ts
@@ -521,6 +521,32 @@ describe('ProjectService', () => {
     });
   });
 
+  it('returns project billing account markup for machine principals inferred from token claims', async () => {
+    prismaMock.project.findFirst.mockResolvedValue({
+      id: BigInt(1001),
+      billingAccountId: BigInt(12),
+    });
+    billingAccountServiceMock.getDefaultBillingAccount.mockResolvedValue({
+      tcBillingAccountId: '12',
+      markup: 0.58,
+      active: true,
+    });
+
+    const result = await service.getProjectBillingAccount('1001', {
+      isMachine: false,
+      scopes: [],
+      tokenPayload: {
+        gty: 'client-credentials',
+      },
+    });
+
+    expect(result).toEqual({
+      tcBillingAccountId: '12',
+      markup: 0.58,
+      active: true,
+    });
+  });
+
   it('falls back to project billingAccountId when Salesforce billing lookup is empty', async () => {
     prismaMock.project.findFirst.mockResolvedValue({
       id: BigInt(1001),
@@ -832,6 +858,22 @@ describe('ProjectService', () => {
         isMachine: false,
       },
     ],
+    [
+      'talent manager',
+      {
+        userId: '999',
+        roles: [UserRole.TALENT_MANAGER],
+        isMachine: false,
+      },
+    ],
+    [
+      'topcoder talent manager',
+      {
+        userId: '999',
+        roles: [UserRole.TOPCODER_TALENT_MANAGER],
+        isMachine: false,
+      },
+    ],
   ])(
     'returns a per-user permission matrix for %s callers on all projects',
     async (
diff --git a/src/api/project/project.service.ts b/src/api/project/project.service.ts
@@ -878,8 +878,8 @@ export class ProjectService {
    *
    * Human JWT callers keep the legacy v5/v6 behavior and receive the
    * work-management policy map allowed for the authenticated caller unless
-   * they are an admin, a global `Project Manager`, or a `copilot` member on
-   * the requested project.
+   * they are an admin, a global `Project Manager`/`Talent Manager`, or a
+   * `copilot` member on the requested project.
    *
    * M2M callers receive a per-user matrix built from active project members.
    * Each entry includes the user's active memberships, fetched Topcoder roles,
@@ -1067,7 +1067,7 @@ export class ProjectService {
           tcBillingAccountId: projectBillingAccountId,
         };
 
-    if (user.isMachine) {
+    if (this.isMachinePrincipal(user)) {
       return billingAccount;
     }
 
@@ -1754,7 +1754,7 @@ export class ProjectService {
    * Matrix access is granted to:
    * - machine principals
    * - admins
-   * - global `Project Manager` role holders
+   * - global `Project Manager` and `Talent Manager` role holders
    * - callers who are a `copilot` member on the current project
    *
    * @param user Authenticated caller context.
@@ -1774,10 +1774,12 @@ export class ProjectService {
         .map((role) => String(role).trim().toLowerCase())
         .filter((role) => role.length > 0),
     );
-    const hasGlobalMatrixRole = [...ADMIN_ROLES, UserRole.PROJECT_MANAGER].some(
-      (role) =>
-        normalizedUserRoles.has(String(role).trim().toLowerCase()),
-    );
+    const hasGlobalMatrixRole = [
+      ...ADMIN_ROLES,
+      UserRole.PROJECT_MANAGER,
+      UserRole.TALENT_MANAGER,
+      UserRole.TOPCODER_TALENT_MANAGER,
+    ].some((role) => normalizedUserRoles.has(String(role).trim().toLowerCase()));
 
     if (hasGlobalMatrixRole) {
       return true;
diff --git a/src/shared/constants/permissions.constants.ts b/src/shared/constants/permissions.constants.ts
@@ -1102,6 +1102,8 @@ export const PROJECT_TO_TOPCODER_ROLES_MATRIX = {
     USER_ROLE.PROGRAM_MANAGER,
     USER_ROLE.SOLUTION_ARCHITECT,
     USER_ROLE.PROJECT_MANAGER,
+    USER_ROLE.TALENT_MANAGER,
+    USER_ROLE.TOPCODER_TALENT_MANAGER,
     USER_ROLE.COPILOT_MANAGER,
   ],
   [PROJECT_MEMBER_ROLE.COPILOT]: [USER_ROLE.COPILOT, 'copilot'],
diff --git a/src/shared/services/permission.service.spec.ts b/src/shared/services/permission.service.spec.ts
@@ -535,6 +535,25 @@ describe('PermissionService', () => {
     expect(allowed).toBe(false);
   });
 
+  it('allows Project Manager role to edit projects when they have full-access membership', () => {
+    const allowed = service.hasNamedPermission(
+      Permission.EDIT_PROJECT,
+      {
+        userId: '3001',
+        roles: [UserRole.PROJECT_MANAGER],
+        isMachine: false,
+      },
+      [
+        {
+          userId: '3001',
+          role: ProjectMemberRole.MANAGER,
+        },
+      ],
+    );
+
+    expect(allowed).toBe(true);
+  });
+
   it('allows deleting project for machine token with project write scope', () => {
     const allowed = service.hasNamedPermission(Permission.DELETE_PROJECT, {
       scopes: [Scope.PROJECTS_ALL],
diff --git a/src/shared/utils/member.utils.spec.ts b/src/shared/utils/member.utils.spec.ts
@@ -0,0 +1,15 @@
+import { ProjectMemberRole } from '@prisma/client';
+import { UserRole } from 'src/shared/enums/userRole.enum';
+import { validateUserHasProjectRole } from './member.utils';
+
+describe('validateUserHasProjectRole', () => {
+  [UserRole.TALENT_MANAGER, UserRole.TOPCODER_TALENT_MANAGER].forEach(
+    (topcoderRole) => {
+      it(`accepts ${topcoderRole} for manager project role validation`, () => {
+        expect(
+          validateUserHasProjectRole(ProjectMemberRole.manager, [topcoderRole]),
+        ).toBe(true);
+      });
+    },
+  );
+});
diff --git a/src/shared/utils/member.utils.ts b/src/shared/utils/member.utils.ts
