fix(ExternalProperties): only project admins should be able to modify sensitive AgencyId prop

Author: landonreed

lib/manager/components/ExternalPropertiesTable.js

@@ -5,12 +5,23 @@ import EditableTextField from '../../common/components/EditableTextField'
 
 export default class ExternalPropertiesTable extends Component {
   static propTypes = {
+    editingIsDisabled: PropTypes.bool,
+    externalPropertyChanged: PropTypes.func,
+    isProjectAdmin: PropTypes.bool,
+    resourceProps: PropTypes.array,
     resourceType: PropTypes.string
   }
   render () {
+    const {
+      editingIsDisabled,
+      externalPropertyChanged,
+      isProjectAdmin,
+      resourceProps,
+      resourceType
+    } = this.props
     return (
       <Panel
-        header={<h3>{this.props.resourceType} properties</h3>}
+        header={<h3>{resourceType} properties</h3>}
       >
         <Table striped fill>
           <thead>
@@ -20,16 +31,19 @@ export default class ExternalPropertiesTable extends Component {
             </tr>
           </thead>
           <tbody>
-            {Object.keys(this.props.resourceProps).sort().map(propName => {
+            {Object.keys(resourceProps).sort().map(propName => {
+              const disabled = resourceType === 'MTC' && propName === 'AgencyId'
+                ? !isProjectAdmin
+                : editingIsDisabled
               return (
                 <tr>
                   <td>{propName}</td>
                   <td>
                     <EditableTextField
                       key={propName}
-                      disabled={this.props.editingIsDisabled}
-                      value={this.props.resourceProps[propName]}
-                      onChange={(value) => this.props.externalPropertyChanged(propName, value)}
+                      disabled={disabled}
+                      value={resourceProps[propName]}
+                      onChange={(value) => externalPropertyChanged(propName, value)}
                     />
                   </td>
                 </tr>

lib/manager/components/FeedSourceViewer.js

@@ -65,7 +65,7 @@ export default class FeedSourceViewer extends Component {
     }
   }
   confirmDeleteFeedSource (feedSource) {
-    this.refs['page'].showConfirmModal({
+    this.refs.page.showConfirmModal({
       title: 'Delete Feed Source?',
       body: 'Are you sure you want to delete this feed source? This action cannot be undone and all feed versions will be deleted.',
       onConfirm: () => {
@@ -126,6 +126,7 @@ export default class FeedSourceViewer extends Component {
     } = this.props
     const messages = getComponentMessages('FeedSourceViewer')
     const disabled = !user.permissions.hasFeedPermission(project.organizationId, project.id, fs.id, 'manage-feed')
+    const isProjectAdmin = user.permissions.isProjectAdmin(project.id, project.organizationId)
     // const editGtfsDisabled = !user.permissions.hasFeedPermission(project.organizationId, project.id, fs.id, 'edit-gtfs')
     const autoFetchFeed = fs.retrievalMethod === 'FETCHED_AUTOMATICALLY'
     const resourceType = activeComponent === 'settings' && activeSubComponent && activeSubComponent.toUpperCase()
@@ -218,6 +219,7 @@ export default class FeedSourceViewer extends Component {
         <ExternalPropertiesTable
           resourceType={resourceType}
           editingIsDisabled={disabled}
+          isProjectAdmin={isProjectAdmin}
           resourceProps={fs.externalProperties[resourceType]}
           externalPropertyChanged={(name, value) => {
             externalPropertyChanged(fs, resourceType, name, value)