From 4ea3774ba11cfea7aac355339d7b40a7d5951cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Auvray?=
Date: Thu, 1 Aug 2024 16:38:40 +0200
Subject: [PATCH] Sosynpl: [#156] Allow PUT recommandation when not logged

---
 backend/web/server/plugins/sosynpl/functions.js | 1 +
 .../web/server/plugins/sosynpl/permissions.js | 17 +++++++++++++++++
 backend/web/server/routes/api/studio.js | 11 +++++++----
 backend/web/utils/consts.js | 15 ++++++++++++++-
 4 files changed, 39 insertions(+), 5 deletions(-)
 create mode 100644 backend/web/server/plugins/sosynpl/permissions.js

diff --git a/backend/web/server/plugins/sosynpl/functions.js b/backend/web/server/plugins/sosynpl/functions.js
index e122fb24da..de9f4f6ada 100644
--- a/backend/web/server/plugins/sosynpl/functions.js
+++ b/backend/web/server/plugins/sosynpl/functions.js
@@ -676,6 +676,7 @@ const preCreate = async ({model, params, user, skip_validation}) => {
 }
 if (model == 'recommandation') {
 skip_validation=true
+ params.freelance=user
 }
 if (model == 'question' ) {
 skip_validation = true
diff --git a/backend/web/server/plugins/sosynpl/permissions.js b/backend/web/server/plugins/sosynpl/permissions.js
new file mode 100644
index 0000000000..3f6c7c9345
--- /dev/null
+++ b/backend/web/server/plugins/sosynpl/permissions.js
@@ -0,0 +1,17 @@
+const { VERB_GET, VERB_PUT } = require("../../../utils/consts")
+const { NotLoggedError } = require("../../utils/errors")
+
+const checkPermission = async ({verb, model, id, user}) => {
+ console.log('Checking permission', verb, model, id, !!user)
+ // Allow anonymous recommandation GET and PUT for one item
+ if (!user) {
+ if (model=='recommandation' && [VERB_GET, VERB_PUT].includes(verb) && !!id) {
+ return
+ }
+ throw new NotLoggedError('Unauthorized')
+ }
+}
+
+module.exports={
+ checkPermission,
+}
\ No newline at end of file
diff --git a/backend/web/server/routes/api/studio.js b/backend/web/server/routes/api/studio.js
index aad27c61d3..7c4d9bda97 100644
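Review bot: `params.freelance=user` pins the owner on the create path only, while the rest of this patch opens PUT on recommandation to anonymous callers, and nothing in this hunk stops an update body from re-pointing `freelance` at another user unless putFromRequest strips it — worth confirming, and worth a matching preUpdate guard that drops `freelance` (and any other owner field) from anonymous updates. `user` is the whole request user object; if the field is an ObjectId ref Mongoose will cast it, but `params.freelance = user._id` states the intent and avoids persisting whatever else the object carries. The enclosing preCreate starts before the hunk.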
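Review bot: The anonymous branch grants PUT on any recommandation to whoever supplies an `id`, with no ownership or capability check — if the ids are Mongo ObjectIds they are sequential-ish and routinely exposed in URLs, so this amounts to an unauthenticated write on arbitrary records. The anonymous path should require something the caller can only have been given (a per-recommandation token from the invitation, compared here against the stored one) and the update side should be limited to the fields the recommender is meant to fill; at minimum record the assumption next to the branch: `// anonymous PUT relies on the id being unguessable — TODO: bind to an invitation token and a pending state`. The function also returns silently for every logged-in user regardless of verb or model, so it only gates anonymous access; a one-line header comment saying so would stop the next caller assuming it checks roles. The `console.log` on every call is log noise once this ships.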
--- a/backend/web/server/routes/api/studio.js
+++ b/backend/web/server/routes/api/studio.js
@@ -29,7 +29,7 @@ const mongoose = require('mongoose')
 const passport = require('passport')
 const {resizeImage} = require('../../middlewares/resizeImage')
 const {sendFilesToAWS, getFilesFromAWS, deleteFileFromAWS} = require('../../middlewares/aws')
-const {IMAGE_SIZE_MARKER, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED} = require('../../../utils/consts')
+const {IMAGE_SIZE_MARKER, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED, VERB_GET, VERB_PUT} = require('../../../utils/consts')
 const {date_str, datetime_str} = require('../../../utils/dateutils')
 const Payment = require('../../models/Payment')
 const {
@@ -98,6 +98,7 @@ const {
 getLocationSuggestions } = require('../../../utils/geo')
 const { TaggingDirective } = require('@aws-sdk/client-s3')
 const PageTag_ = require('../../models/PageTag_')
 const Purchase = require('../../models/Purchase')
+const { checkPermission } = require('../../plugins/sosynpl/permissions')
 
 const router = express.Router()
@@ -333,7 +334,6 @@ router.post('/action', passport.authenticate(['cookie', 'anonymous']), (req, res
 console.error(`Unkown action:${action}`)
 return res.status(404).json(`Unkown action:${action}`)
 }
- console.log('Starting action', action)
 return actionFn(req.body, req.user, req.get('Referrer'))
 .then(result => res.json(result))
 
@@ -539,7 +539,8 @@ const putFromRequest = (req, res) => {
 })
 }
 
-router.put('/:model/:id', passport.authenticate('cookie', {session: false}), (req, res) => {
+router.put('/:model/:id', passport.authenticate(['cookie', 'anonymous'], {session: false}), async (req, res) => {
+ await checkPermission?.({verb: VERB_PUT, model: req.params.model, id: req.params.id, user: req.user})
 return putFromRequest(req, res)
 })
 
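Review bot: `await checkPermission?.(...)` is a fail-open authorization call: if the import ever resolves to undefined (typo in the export, circular require) the optional call silently skips the check and the PUT proceeds, so call it plainly and let a missing function crash. The handler is now async with no try/catch, so the NotLoggedError thrown for an anonymous PUT on any other model becomes an unhandled rejection — under Express 4 (assuming that is the version in use) it never reaches an error middleware and the client gets no 401, only a hanging request. Catch it and answer explicitly, mapping to whatever status the app already uses for NotLoggedError if a shared mapping exists:
```javascript
router.put('/:model/:id', passport.authenticate(['cookie', 'anonymous'], {session: false}), async (req, res) => {
  try {
    await checkPermission({verb: VERB_PUT, model: req.params.model, id: req.params.id, user: req.user})
  } catch (err) {
    // checkPermission only throws NotLoggedError; answer instead of leaking an unhandled rejection
    return res.status(401).json(err.message)
  }
  return putFromRequest(req, res)
})
```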
@@ -580,7 +581,9 @@ router.get('/sector/:id?', passport.authenticate(['cookie', 'anonymous'], {sessi }) // Update last_activity -router.get('/:model/:id?', passport.authenticate('cookie', {session: false}), (req, res) => { +router.get('/:model/:id?', passport.authenticate(['cookie', 'anonymous'], {session: false}), async (req, res) => { + console.log('Getting model', req.params.model, req.user) + await checkPermission?.({verb: VERB_GET, model: req.params.model, id: req.params.id, user: req.user}) return User.findByIdAndUpdate(req.user?._id, {last_activity: moment()}) .then(()=>loadFromRequest(req, res)) }) diff --git a/backend/web/utils/consts.js b/backend/web/utils/consts.js index f7d917c237..a833748cde 100644 --- a/backend/web/utils/consts.js +++ b/backend/web/utils/consts.js @@ -271,6 +271,18 @@ Object.freeze(REGIONS_FULL) const AVG_DAYS_IN_MONTH=30.436875 +const VERB_GET=`VERB_GET` +const VERB_PUT=`VERB_PUT` +const VERB_POST=`VERB_POST` +const VERB_DELETE=`VERB_DELETE` + +const VERBS={ + [VERB_GET]:`get`, + [VERB_PUT]:`put`, + [VERB_POST]:`post`, + [VERB_DELETE]:`delete`, +} + module.exports = { ALL_SERVICES, ALF_CONDS, CANCEL_MODE, CUSTOM_PRESTATIONS_FLTR, generate_id, GID_LEN, CESU, @@ -294,5 +306,6 @@ module.exports = { IMAGE_SIZE_MARKER, THUMBNAILS_DIR, PURCHASE_STATUS, PURCHASE_STATUS_NEW, PURCHASE_STATUS_PENDING, PURCHASE_STATUS_COMPLETE, PURCHASE_STATUS_FAILED, - API_ROOT, NATIONALITIES, LANGUAGE_LEVEL, REGIONS, REGIONS_FULL, AVG_DAYS_IN_MONTH,LANGUAGE_LEVEL_ADVANCED + API_ROOT, NATIONALITIES, LANGUAGE_LEVEL, REGIONS, REGIONS_FULL, AVG_DAYS_IN_MONTH,LANGUAGE_LEVEL_ADVANCED, + VERBS, VERB_GET, VERB_POST, VERB_PUT, VERB_DELETE, }
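Review bot: `console.log('Getting model', req.params.model, req.user)` writes the whole authenticated user document to the log on every GET — whatever it carries (e-mail, password hash, tokens) lands in log storage; log `req.user?._id` at most, or drop the line. The route now admits anonymous callers, so `User.findByIdAndUpdate(req.user?._id, ...)` on the next line runs with an undefined id for them — confirm how Mongoose casts that filter and skip the update when there is no user, e.g. `const touch = req.user ? User.findByIdAndUpdate(req.user._id, {last_activity: moment()}) : Promise.resolve()`. The same fail-open `checkPermission?.()` and uncaught-rejection concerns as on the PUT route apply here: drop the `?.` and catch the NotLoggedError so an anonymous GET on another model gets a 401 rather than a hung request.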