fix(lbac-2274): changement opco par un compte entreprise (#1709)

* fix(lbac-2274): changement opco par un compte entreprise * fix: throw a la place de set opco a undefined --------- Co-authored-by: Kevin Barnoin <[email protected]>
mission-apprentissage · Jan 6, 2025 · 504ed25 · 504ed25
1 parent de66d7e
commit 504ed25
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 4 deletions.
diff --git a/server/src/http/controllers/user.controller.ts b/server/src/http/controllers/user.controller.ts
@@ -126,8 +126,14 @@ export default (server: Server) => {
       onRequest: [server.auth(zRoutes.put["/admin/users/:userId/organization/:siret"])],
     },
     async (req, res) => {
+      const { userAccess } = req
       const { userId, siret } = req.params
-      const { opco, ...userFields } = req.body
+      // eslint-disable-next-line prefer-const
+      let { opco, ...userFields } = req.body
+      // restreint la modification de l opco aux opcos et admin
+      if (!(userAccess?.admin || userAccess?.opcos.length)) {
+        throw forbidden()
+      }
 
       const entreprise = await getDbCollection("entreprises").findOne({ siret })
 
@@ -158,7 +164,7 @@ export default (server: Server) => {
 
       const result = await updateUserWithAccountFields(userId, userFields)
       if ("error" in result) {
-        throw badRequest("L'email est déjà utilisé", { error: BusinessErrorCodes.EMAIL_ALREADY_EXISTS })
+        throw badRequest(result.error === BusinessErrorCodes.EMAIL_ALREADY_EXISTS ? "L'email est déjà utilisé" : "Erreur business", { error: result.error })
       }
 
       if (opco && entreprise) {

diff --git a/server/src/security/authenticationService.ts b/server/src/security/authenticationService.ts
@@ -3,7 +3,7 @@ import { captureException } from "@sentry/node"
 import { parseApiAlternanceToken, type IApiAlternanceTokenData } from "api-alternance-sdk"
 import { FastifyRequest } from "fastify"
 import { JwtPayload } from "jsonwebtoken"
-import { ICredential, assertUnreachable } from "shared"
+import { ComputedUserAccess, ICredential, assertUnreachable } from "shared"
 import { PathParam, QueryString } from "shared/helpers/generateUri"
 import { IUserWithAccount } from "shared/models/userWithAccount.model"
 import { ISecuredRouteSchema, WithSecurityScheme } from "shared/routes/common.routes"
@@ -28,6 +28,7 @@ export type IUserWithType = AccessUser2 | AccessUserCredential | AccessUserToken
 
 declare module "fastify" {
   interface FastifyRequest {
+    userAccess?: ComputedUserAccess
     user?: null | undefined | IUserWithType
     authorizationContext?: null | undefined | { role: Role | null; resources?: any }
   }

diff --git a/server/src/security/authorisationService.ts b/server/src/security/authorisationService.ts
@@ -45,7 +45,7 @@ export type ResourceIds = {
 }
 
 // Specify what we need to simplify mocking in tests
-type IRequest = Pick<FastifyRequest, "user" | "params" | "query" | "authorizationContext">
+type IRequest = Pick<FastifyRequest, "user" | "params" | "query" | "authorizationContext" | "userAccess">
 
 // TODO: Unit test access control
 // TODO: job.delegations
@@ -419,6 +419,14 @@ export async function authorizationMiddleware<S extends Pick<IRouteSchema, "meth
     grantedRoles = await getGrantedRoles(_id.toString())
     const isAdmin = grantedRoles.some((role) => role.authorized_type === AccessEntityType.ADMIN)
     if (isAdmin) {
+      req.userAccess = {
+        admin: true,
+        users: [],
+        cfas: [],
+        entreprises: [],
+        opcos: [],
+        partner_label: [],
+      }
       return
     }
     if (!grantedRoles.length) {
@@ -449,12 +457,14 @@ export async function authorizationMiddleware<S extends Pick<IRouteSchema, "meth
     if (!isAuthorized(requestedAccess, userAccess, resources)) {
       throw forbidden("non autorisé")
     }
+    req.userAccess = userAccess
   } else if (userType === "IUser2") {
     const { _id } = userWithType.value
     const userAccess: ComputedUserAccess = getComputedUserAccess(_id.toString(), grantedRoles)
     if (!isAuthorized(requestedAccess, userAccess, resources)) {
       throw forbidden("non autorisé")
     }
+    req.userAccess = userAccess
   } else if (userType === "IApiApprentissage") {
     const { organisation, habilitations } = userWithType.value
     if (!organisation) {
@@ -474,6 +484,7 @@ export async function authorizationMiddleware<S extends Pick<IRouteSchema, "meth
     if (!isAuthorized(requestedAccess, userAccess, resources)) {
       throw forbidden("Unauthorized")
     }
+    req.userAccess = userAccess
   } else {
     assertUnreachable(userType)
   }