Merge pull request #14859 from overleaf/jpa-web-restrict-ip-override

[web] ignore ip override for non admin users

GitOrigin-RevId: c11b938fa05d0328531b0ce088c7c3c29a9f13f5

services/web/app/src/Features/Subscription/SubscriptionController.js

@@ -25,6 +25,7 @@ const SubscriptionHelper = require('./SubscriptionHelper')
 const Features = require('../../infrastructure/Features')
 const UserGetter = require('../User/UserGetter')
 const Modules = require('../../infrastructure/Modules')
+const AuthorizationManager = require('../Authorization/AuthorizationManager')
 
 const groupPlanModalOptions = Settings.groupPlanModalOptions
 const validGroupPlanModalOptions = {
@@ -814,9 +815,15 @@ async function redirectToHostedPage(req, res) {
 }
 
 async function _getRecommendedCurrency(req, res) {
-  const currencyLookup = await GeoIpLookup.promises.getCurrencyCode(
+  const userId = SessionManager.getLoggedInUserId(req.session)
-    req.query?.ip || req.ip
+  let ip = req.ip
-  )
+  if (
+    req.query?.ip &&
+    (await AuthorizationManager.promises.isUserSiteAdmin(userId))
+  ) {
+    ip = req.query.ip
+  }
+  const currencyLookup = await GeoIpLookup.promises.getCurrencyCode(ip)
   const countryCode = currencyLookup.countryCode
   let assignmentINR, assignmentLATAM
   let recommendedCurrency = currencyLookup.currencyCode

services/web/test/unit/src/Subscription/SubscriptionControllerTests.js

@@ -109,6 +109,11 @@ describe('SubscriptionController', function () {
       },
       siteUrl: 'http://de.sharelatex.dev:3000',
     }
+    this.AuthorizationManager = {
+      promises: {
+        isUserSiteAdmin: sinon.stub().resolves(false),
+      },
+    }
     this.GeoIpLookup = {
       isValidCurrencyParam: sinon.stub().returns(true),
       getCurrencyCode: sinon.stub(),
@@ -135,6 +140,7 @@ describe('SubscriptionController', function () {
     }
     this.SubscriptionController = SandboxedModule.require(modulePath, {
       requires: {
+        '../Authorization/AuthorizationManager': this.AuthorizationManager,
         '../SplitTests/SplitTestHandler': this.SplitTestV2Hander,
         '../Authentication/SessionManager': this.SessionManager,
         './SubscriptionHandler': this.SubscriptionHandler,
@@ -183,6 +189,36 @@ describe('SubscriptionController', function () {
       })
     })
 
+    describe('ip override', function () {
+      beforeEach(function () {
+        this.req.ip = '1.2.3.4'
+        this.req.query = { ip: '5.6.7.8' }
+        this.GeoIpLookup.promises.getCurrencyCode.withArgs('1.2.3.4').resolves({
+          currencyCode: 'GBP',
+        })
+        this.GeoIpLookup.promises.getCurrencyCode.withArgs('5.6.7.8').resolves({
+          currencyCode: 'USD',
+        })
+      })
+      it('should ignore override for non admin', function (done) {
+        this.res.render = (page, opts) => {
+          opts.recommendedCurrency.should.equal('GBP')
+          done()
+        }
+        this.AuthorizationManager.promises.isUserSiteAdmin.resolves(false)
+        this.SubscriptionController.plansPage(this.req, this.res)
+      })
+
+      it('should accept override for admin', function (done) {
+        this.res.render = (page, opts) => {
+          opts.recommendedCurrency.should.equal('USD')
+          done()
+        }
+        this.AuthorizationManager.promises.isUserSiteAdmin.resolves(true)
+        this.SubscriptionController.plansPage(this.req, this.res)
+      })
+    })
+
     describe('groupPlanModal data', function () {
       it('should pass local currency if valid', function (done) {
         this.res.render = (page, opts) => {