Sosynpl: [premieroctet#156] Allow PUT recommandation when not logged

Wappizy · Aug 1, 2024 · 4ea3774 · 4ea3774
1 parent 57c21b1
commit 4ea3774
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 5 deletions.
diff --git a/backend/web/server/plugins/sosynpl/functions.js b/backend/web/server/plugins/sosynpl/functions.js
@@ -676,6 +676,7 @@ const preCreate = async ({model, params, user, skip_validation}) => {
   }
   if (model == 'recommandation') {
     skip_validation=true
+    params.freelance=user
   }
   if (model == 'question' ) {
     skip_validation = true

diff --git a/backend/web/server/plugins/sosynpl/permissions.js b/backend/web/server/plugins/sosynpl/permissions.js
@@ -0,0 +1,17 @@
+const { VERB_GET, VERB_PUT } = require("../../../utils/consts")
+const { NotLoggedError } = require("../../utils/errors")
+
+const checkPermission = async ({verb, model, id, user}) => {
+  console.log('Checking permission', verb, model, id, !!user)
+  // Allow anonymous recommandation GET and PUT for one item
+  if (!user) {
+    if (model=='recommandation' && [VERB_GET, VERB_PUT].includes(verb) && !!id) {
+      return
+    }
+    throw new NotLoggedError('Unauthorized')
+  }
+}
+
+module.exports={
+  checkPermission,
+}
diff --git a/backend/web/server/routes/api/studio.js b/backend/web/server/routes/api/studio.js
@@ -29,7 +29,7 @@ const mongoose = require('mongoose')
 const passport = require('passport')
 const {resizeImage} = require('../../middlewares/resizeImage')
 const {sendFilesToAWS, getFilesFromAWS, deleteFileFromAWS} = require('../../middlewares/aws')
-const {IMAGE_SIZE_MARKER, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED} = require('../../../utils/consts')
+const {IMAGE_SIZE_MARKER, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED, VERB_GET, VERB_PUT} = require('../../../utils/consts')
 const {date_str, datetime_str} = require('../../../utils/dateutils')
 const Payment = require('../../models/Payment')
 const {
@@ -98,6 +98,7 @@ const { getLocationSuggestions } = require('../../../utils/geo')
 const { TaggingDirective } = require('@aws-sdk/client-s3')
 const PageTag_ = require('../../models/PageTag_')
 const Purchase = require('../../models/Purchase')
+const { checkPermission } = require('../../plugins/sosynpl/permissions')
 
 const router = express.Router()
 
@@ -333,7 +334,6 @@ router.post('/action', passport.authenticate(['cookie', 'anonymous']), (req, res
     console.error(`Unkown action:${action}`)
     return res.status(404).json(`Unkown action:${action}`)
   }
-  console.log('Starting action', action)
 
   return actionFn(req.body, req.user, req.get('Referrer'))
     .then(result => res.json(result))
@@ -539,7 +539,8 @@ const putFromRequest = (req, res) => {
     })
 }
 
-router.put('/:model/:id', passport.authenticate('cookie', {session: false}), (req, res) => {
+router.put('/:model/:id', passport.authenticate(['cookie', 'anonymous'], {session: false}), async (req, res) => {
+  await checkPermission?.({verb: VERB_PUT, model: req.params.model, id: req.params.id, user: req.user})
   return putFromRequest(req, res)
 })
 
@@ -580,7 +581,9 @@ router.get('/sector/:id?', passport.authenticate(['cookie', 'anonymous'], {sessi
 })
 
 // Update last_activity
-router.get('/:model/:id?', passport.authenticate('cookie', {session: false}), (req, res) => {
+router.get('/:model/:id?', passport.authenticate(['cookie', 'anonymous'], {session: false}), async (req, res) => {
+  console.log('Getting model', req.params.model, req.user)
+  await checkPermission?.({verb: VERB_GET, model: req.params.model, id: req.params.id, user: req.user})
   return User.findByIdAndUpdate(req.user?._id, {last_activity: moment()})
     .then(()=>loadFromRequest(req, res))
 })

diff --git a/backend/web/utils/consts.js b/backend/web/utils/consts.js
@@ -271,6 +271,18 @@ Object.freeze(REGIONS_FULL)
 
 const AVG_DAYS_IN_MONTH=30.436875
 
+const VERB_GET=`VERB_GET`
+const VERB_PUT=`VERB_PUT`
+const VERB_POST=`VERB_POST`
+const VERB_DELETE=`VERB_DELETE`
+
+const VERBS={
+  [VERB_GET]:`get`,
+  [VERB_PUT]:`put`,
+  [VERB_POST]:`post`,
+  [VERB_DELETE]:`delete`,
+}
+
 module.exports = {
   ALL_SERVICES, ALF_CONDS, CANCEL_MODE, CUSTOM_PRESTATIONS_FLTR,
   generate_id, GID_LEN, CESU,
@@ -294,5 +306,6 @@ module.exports = {
   IMAGE_SIZE_MARKER,
   THUMBNAILS_DIR,
   PURCHASE_STATUS, PURCHASE_STATUS_NEW, PURCHASE_STATUS_PENDING, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED,
-  API_ROOT, NATIONALITIES, LANGUAGE_LEVEL, REGIONS, REGIONS_FULL, AVG_DAYS_IN_MONTH,LANGUAGE_LEVEL_ADVANCED
+  API_ROOT, NATIONALITIES, LANGUAGE_LEVEL, REGIONS, REGIONS_FULL, AVG_DAYS_IN_MONTH,LANGUAGE_LEVEL_ADVANCED,
+  VERBS, VERB_GET, VERB_POST, VERB_PUT, VERB_DELETE,
 }