PM-1504 - strip out extra props in scorecard request

vas3a · vas3a · commit 40be5caa08b7 · 2025-08-19T15:16:40.000+03:00
diff --git a/src/api/scorecard/scorecard.controller.ts b/src/api/scorecard/scorecard.controller.ts
@@ -8,6 +8,7 @@ import {
   Param,
   Query,
   UseInterceptors,
+  ValidationPipe,
 } from '@nestjs/common';
 import {
   ApiTags,
@@ -56,7 +57,8 @@ export class ScorecardController {
   })
   @ApiResponse({ status: 403, description: 'Forbidden.' })
   async addScorecard(
-    @Body() body: ScorecardRequestDto,
+    @Body(new ValidationPipe({ whitelist: true, transform: true }))
+    body: ScorecardRequestDto,
     @User() user: JwtUser,
   ): Promise<ScorecardWithGroupResponseDto> {
     return await this.scorecardService.addScorecard(body, user);
@@ -84,7 +86,8 @@ export class ScorecardController {
   @ApiResponse({ status: 404, description: 'Scorecard not found.' })
   async editScorecard(
     @Param('id') id: string,
-    @Body() body: ScorecardRequestDto,
+    @Body(new ValidationPipe({ whitelist: true, transform: true }))
+    body: ScorecardRequestDto,
     @User() user: JwtUser,
   ): Promise<ScorecardWithGroupResponseDto> {
     return await this.scorecardService.editScorecard(id, body, user);
@@ -114,6 +117,7 @@ export class ScorecardController {
   }
 
   @Get('/:id')
+  @Roles(UserRole.Admin)
   @Scopes(Scope.ReadScorecard)
   @ApiOperation({
     summary: 'View a scorecard',
diff --git a/src/api/scorecard/scorecard.service.ts b/src/api/scorecard/scorecard.service.ts
@@ -5,6 +5,7 @@ import {
 } from '@nestjs/common';
 import { Prisma } from '@prisma/client';
 import {
+  mapScorecardRequestForCreate,
   mapScorecardRequestToDto,
   ScorecardGroupBaseDto,
   ScorecardPaginatedResponseDto,
@@ -33,7 +34,7 @@ export class ScoreCardService {
   ): Promise<ScorecardWithGroupResponseDto> {
     const data = await this.prisma.scorecard.create({
       data: {
-        ...(mapScorecardRequestToDto({
+        ...(mapScorecardRequestForCreate({
           ...body,
           createdBy: user.isMachine ? 'System' : (user.userId as string),
           updatedBy: user.isMachine ? 'System' : (user.userId as string),
diff --git a/src/dto/scorecard.dto.ts b/src/dto/scorecard.dto.ts
@@ -322,6 +322,37 @@ export class ScorecardQueryDto {
   scorecardTypesArray?: $Enums.ScorecardType[];
 }
 
+export function mapScorecardRequestForCreate(request: ScorecardRequestDto) {
+  const userFields = {
+    ...(request.createdBy ? { createdBy: request.createdBy } : {}),
+    updatedBy: request.updatedBy,
+  };
+
+  return {
+    ...request,
+    ...userFields,
+    scorecardGroups: {
+      create: request.scorecardGroups.map((group) => ({
+        ...group,
+        ...userFields,
+        sections: {
+          create: group.sections.map((section) => ({
+            ...section,
+            ...userFields,
+            questions: {
+              create: section.questions.map((question) => ({
+                ...question,
+                sortOrder: 1,
+                ...userFields,
+              })),
+            },
+          })),
+        },
+      })),
+    },
+  };
+}
+
 export function mapScorecardRequestToDto(request: ScorecardRequestDto) {
   const userFields = {
     ...(request.createdBy ? { createdBy: request.createdBy } : {}),
