Commit 16d1600b authored by FORESTIER Fabien's avatar FORESTIER Fabien

Only admin can access ONE unpublished data producer or its links

parent 3753297b
Pipeline #2366 passed with stages
in 47 seconds
......@@ -32,14 +32,20 @@ export class OrganizationsController {
@ApiOperation({ title: 'Get one organization' })
@ApiResponse({ status: 200, description: 'Return one organization.', type: Organization })
@Get(':id')
findOne(@Param('id') id: number): Promise<Organization> {
return this.organizationsService.findOne(id);
findOne(@Param('id') id: number, @Req() req): Promise<Organization> {
const userGroups = req.headers[this._configService.config.groupHeader] ?
req.headers[this._configService.config.groupHeader].split(',').map(e => e.trim()) :
[];
return this.organizationsService.findOne(userGroups, id);
}
@ApiResponse({ status: 200, description: 'Return the links of an organization.', type: LinkEntity, isArray: true })
@Get(':id/links')
findLinks(@Param('id') id: number): Promise<LinkEntity[]> {
return this.organizationsService.findLinks(id);
findLinks(@Param('id') id: number, @Req() req): Promise<LinkEntity[]> {
const userGroups = req.headers[this._configService.config.groupHeader] ?
req.headers[this._configService.config.groupHeader].split(',').map(e => e.trim()) :
[];
return this.organizationsService.findLinks(userGroups, id);
}
@ApiOperation({ title: 'Create one organization' })
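Review bot: The group-header parsing added to findOne and findLinks is copied verbatim in both handlers, and `@Req() req` is left untyped, so the header value is an implicit `any` and the `.split` call is unchecked (a repeated header arrives as an array under some setups); move the parsing into one private helper that both handlers call. Since this header is the only input to the admin decision downstream, it has to be set by a trusted upstream component and stripped from external requests, and the helper deserves a comment stating that assumption, e.g. `// groupHeader is set by the trusted gateway; an absent header means no groups (fail closed)`. Node lowercases incoming header names, so `groupHeader` must be configured in lowercase (or lowercased at lookup) or the lookup silently yields no groups for everyone. The enclosing class continues outside the hunk.
```typescript
  // … unchanged: decorators …
  findOne(@Param('id') id: number, @Req() req: { headers: Record<string, string | string[] | undefined> }): Promise<Organization> {
    return this.organizationsService.findOne(this.userGroupsFrom(req), id);
  }

  // … unchanged: decorators …
  findLinks(@Param('id') id: number, @Req() req: { headers: Record<string, string | string[] | undefined> }): Promise<LinkEntity[]> {
    return this.organizationsService.findLinks(this.userGroupsFrom(req), id);
  }

  /** Groups from the gateway-supplied header; an absent header yields no groups (fail closed). */
  private userGroupsFrom(req: { headers: Record<string, string | string[] | undefined> }): string[] {
    const raw = req.headers[this._configService.config.groupHeader];
    const value = Array.isArray(raw) ? raw.join(',') : raw;
    return value ? value.split(',').map((e) => e.trim()) : [];
  }
```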
import { Injectable, Logger, InternalServerErrorException, NotFoundException } from '@nestjs/common';
import { Injectable, Logger, InternalServerErrorException, NotFoundException, ForbiddenException } from '@nestjs/common';
import { Organization } from './organization.entity';
import { InjectRepository } from '@nestjs/typeorm';
import { LinksService } from '../links/links.service';
......@@ -31,7 +31,7 @@ export class OrganizationsService {
const [key, value] = query.q ? query.q.split(':') : [null, null];
// Only admin can drafts
// Only admin can see drafts
if (!userGroups || !userGroups.includes(this._configService.config.groupNames.admin)) {
qb.where(`organization.published = true`);
key && value ? qb.andWhere(`organization.${key} = :value`, { value }) : null;
......@@ -70,7 +70,7 @@ export class OrganizationsService {
}
}
async findOne(id) {
async findOne(userGroups, id) {
try {
this.logger.log('Entering function', `${OrganizationsService.name} - ${this.findOne.name}`);
......@@ -79,13 +79,22 @@ export class OrganizationsService {
throw new InternalServerErrorException({ error, message: 'Error while looking the organization with id ${id}.' });
});
if (!organization) {
throw new NotFoundException({ message: 'No organization with such id have been found' });
}
// Only admin can see an unpublished data producer
if ((!userGroups || !userGroups.includes(this._configService.config.groupNames.admin)) && organization.published === false) {
throw new ForbiddenException({ message: 'You don\'t have access to this data producer' });
}
return organization;
} catch (error) {
throw error;
}
}
async findLinks(id) {
async findLinks(userGroups, id) {
try {
this.logger.log('Entering function', `${OrganizationsService.name} - ${this.findLinks.name}`);
......@@ -99,6 +108,12 @@ export class OrganizationsService {
if (!organization) {
throw new NotFoundException({ message: 'No organization with such id have been found' });
}
// Only admin can see an unpublished data producer
if ((!userGroups || !userGroups.includes(this._configService.config.groupNames.admin)) && organization.published === false) {
throw new ForbiddenException({ message: 'You don\'t have access to this data producer' });
}
return organization.links;
} catch (error) {
throw error;
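Review bot: The new guard in findOne and findLinks tests `organization.published === false`, which only blocks a record whose flag is explicitly false; if the column can be null or undefined (its definition is not visible here), such a record is returned to non-admins, so `!organization.published` is the safer test. The same admin predicate now appears three times in this service (the list query's "Only admin can see drafts" branch, findOne and findLinks); a private `isAdmin(userGroups: string[]): boolean` helper would keep them in step, and `userGroups` should be typed `string[]` in both new signatures rather than left as implicit `any`. Answering 403 for an unpublished id but 404 for an unknown one also reveals which ids exist as drafts; if that matters here, throw `NotFoundException` in both cases. The findOne and findLinks bodies each span more than one hunk.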