From 9bcd2085f57882a3a7c7e64584f22f040dccede8 Mon Sep 17 00:00:00 2001
From: Chris Rodriguez <christian.rodriguez6497@outlook.com>
Date: Thu, 30 Jan 2025 16:53:54 -0500
Subject: [PATCH] Allow creator's of POAM to delete draft POAMs

---
 api/Services/poamService.js                   | 61 +++++++++++-----
 .../poam-details/poam-details.component.html  |  6 +-
 .../poam-details/poam-details.component.ts    | 73 +++++++++++--------
 3 files changed, 89 insertions(+), 51 deletions(-)

diff --git a/api/Services/poamService.js b/api/Services/poamService.js
index 7b67a818..ddb7e543 100644
--- a/api/Services/poamService.js
+++ b/api/Services/poamService.js
@@ -698,30 +698,55 @@ exports.updatePoamStatus = async function updatePoamStatus(req, res, next) {
         }
     };
 
-    exports.deletePoam = async function deletePoam(req, res, next) {
-        if (!req.params.poamId) {
+exports.deletePoam = async function deletePoam(req, res, next) {
+    if (!req.params.poamId) {
+        return next({
+            status: 400,
+            errors: {
+                poamId: 'is required',
+            }
+        });
+    }
+
+    let validatePermissionsSql = `
+        SELECT cp.accessLevel
+        FROM cpat.collectionpermissions cp
+        JOIN cpat.poam p ON cp.collectionId = p.collectionId
+        WHERE cp.userId = ? AND p.poamId = ?
+    `;
+
+    try {
+        const [rows] = await connection.query(validatePermissionsSql, [req.userObject.userId, req.params.poamId]);
+
+        if (rows.length === 0 || rows[0].accessLevel < 2) {
             return next({
-                status: 400,
+                status: 403,
                 errors: {
-                    poamId: 'is required',
+                    permission: 'User does not have permission to delete this POAM',
                 }
             });
         }
 
-        try {
-            await withConnection(async (connection) => {
-                await connection.beginTransaction();
+        await withConnection(async (connection) => {
+            await connection.beginTransaction();
 
-                let sqlDeleteAssets = "DELETE FROM cpat.poamassets WHERE poamId = ?;";
-                await connection.query(sqlDeleteAssets, [req.params.poamId]);
+            let sqlDeleteAssets = "DELETE FROM cpat.poamassets WHERE poamId = ?;";
+            await connection.query(sqlDeleteAssets, [req.params.poamId]);
 
-                let sqlDeletePoam = "DELETE FROM cpat.poam WHERE poamId = ?;";
-                await connection.query(sqlDeletePoam, [req.params.poamId]);
+            let sqlDeletePoam = "DELETE FROM cpat.poam WHERE poamId = ?;";
+            await connection.query(sqlDeletePoam, [req.params.poamId]);
 
-                await connection.commit();
-            });
-            return {};
-        } catch (error) {
-            return { error: error.message };
-        }
-    };
\ No newline at end of file
+            await connection.commit();
+        });
+
+        res.status(200).json({ message: "POAM deleted successfully" });
+
+    } catch (error) {
+        return next({
+            status: 500,
+            errors: {
+                database: error.message,
+            }
+        });
+    }
+};
\ No newline at end of file
diff --git a/client/src/app/pages/poam-processing/poam-details/poam-details.component.html b/client/src/app/pages/poam-processing/poam-details/poam-details.component.html
index 2badb1b0..48f8d1cf 100644
--- a/client/src/app/pages/poam-processing/poam-details/poam-details.component.html
+++ b/client/src/app/pages/poam-processing/poam-details/poam-details.component.html
@@ -1,4 +1,4 @@
-<!--
+<!--
 !##########################################################################
 ! CRANE PLAN OF ACTION AND MILESTONE AUTOMATION TOOL (C-PAT) SOFTWARE
 ! Use is governed by the Open Source Academic Research License Agreement
@@ -55,7 +55,7 @@
             <p-toggleswitch id="stigCheckData" [(ngModel)]="showCheckData"></p-toggleswitch>
             <label for="stigCheckData">View STIG Manager Check Data</label>
           </div>
-          <div class="card mt-6 showCheckData" *ngIf="showCheckData">
+          <div class="card showCheckData mt-6" *ngIf="showCheckData">
             <pre>{{poam.stigCheckData}}</pre>
           </div>
         </div>
@@ -65,7 +65,7 @@
             <p-toggleswitch id="tenablePluginData" [(ngModel)]="showCheckData"></p-toggleswitch>
             <label for="tenablePluginData">View Tenable Plugin Data</label>
           </div>
-          <div class="card mt-6 showCheckData" *ngIf="showCheckData">
+          <div class="card showCheckData mt-6" *ngIf="showCheckData">
             <pre>{{tenablePluginData}}</pre>
           </div>
         </div>
diff --git a/client/src/app/pages/poam-processing/poam-details/poam-details.component.ts b/client/src/app/pages/poam-processing/poam-details/poam-details.component.ts
index ec9375a8..37a8bed7 100644
--- a/client/src/app/pages/poam-processing/poam-details/poam-details.component.ts
+++ b/client/src/app/pages/poam-processing/poam-details/poam-details.component.ts
@@ -262,7 +262,7 @@ export class PoamDetailsComponent implements OnInit, OnDestroy {
       this.setPayloadService.accessLevel$.subscribe(async level => {
         this.accessLevel = level;
         if (this.accessLevel > 0) {
-          await this.obtainCollectionData(true);
+          this.obtainCollectionData(true);
           this.getData();
           this.updateMenuItems();
         }
@@ -378,7 +378,19 @@ export class PoamDetailsComponent implements OnInit, OnDestroy {
     }
   }
 
-  private updateMenuItems() {
+  private async updateMenuItems() {
+    if (!this.poam || !this.user) {
+      await firstValueFrom(
+        forkJoin({
+          poam: this.poam ? of(this.poam) : this.poamService.getPoam(this.poamId),
+          user: this.user ? of(this.user) : this.setPayloadService.user$,
+        })
+      ).then(({ poam, user }) => {
+        this.poam = poam;
+        this.user = user;
+      });
+    }
+
     this.menuItems = [
       {
         label: 'POAM History',
@@ -400,46 +412,47 @@ export class PoamDetailsComponent implements OnInit, OnDestroy {
       },
       ...(this.accessLevel >= 2
         ? [
-            {
-              label: 'Submit for Review',
-              icon: 'pi pi-file-plus',
-              styleClass: 'menu-item-success',
-              command: () => {
-                this.verifySubmitPoam();
-                this.menu.hide();
-              },
+          {
+            label: 'Submit for Review',
+            icon: 'pi pi-file-plus',
+            styleClass: 'menu-item-success',
+            command: () => {
+              this.verifySubmitPoam();
+              this.menu.hide();
             },
-          ]
+          },
+        ]
         : []),
       ...(this.accessLevel >= 3
         ? [
-            {
-              label: 'POAM Approval',
-              icon: 'pi pi-verified',
-              styleClass: 'menu-item-primary',
-              command: () => {
-                this.poamApproval();
-                this.menu.hide();
-              },
+          {
+            label: 'POAM Approval',
+            icon: 'pi pi-verified',
+            styleClass: 'menu-item-primary',
+            command: () => {
+              this.poamApproval();
+              this.menu.hide();
             },
-          ]
+          },
+        ]
         : []),
-      ...(this.accessLevel >= 4
+      ...(this.accessLevel >= 4 || (this.poam?.submitterId === this.user?.userId && this.poam?.status === 'Draft')
         ? [
-            {
-              label: 'Delete POAM',
-              icon: 'pi pi-trash',
-              styleClass: 'menu-item-danger',
-              command: () => {
-                this.deletePoam();
-                this.menu.hide();
-              },
+          {
+            label: 'Delete POAM',
+            icon: 'pi pi-trash',
+            styleClass: 'menu-item-danger',
+            command: () => {
+              this.deletePoam();
+              this.menu.hide();
             },
-          ]
+          },
+        ]
         : []),
     ];
   }
 
+
   private loadVulnerability(pluginId: string): Promise<void> {
     return new Promise((resolve, reject) => {
       const analysisParams = {