fix: authorisation pour les opcos (#808)

* fix: authorisation pour les opcos * fix: tests
mission-apprentissage · Nov 13, 2023 · 9ff2417 · 9ff2417
1 parent a0fb6d8
commit 9ff2417
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 13 deletions.
diff --git a/server/src/http/routes/user.controller.ts b/server/src/http/routes/user.controller.ts
@@ -29,7 +29,7 @@ export default (server: Server) => {
     "/user/opco",
     {
       schema: zRoutes.get["/user/opco"],
-      // onRequest: [server.auth(zRoutes.get["/user/opco"])],
+      onRequest: [server.auth(zRoutes.get["/user/opco"])],
     },
     async (req, res) => {
       const { opco } = req.query

diff --git a/server/src/security/authorisationService.ts b/server/src/security/authorisationService.ts
@@ -286,7 +286,7 @@ function canAccessUser<S extends Pick<IRouteSchema, "method" | "path"> & WithSec
     case "CFA":
       return resource._id.toString() === user._id.toString()
     case "OPCO":
-      return resource.type === "OPCO" && resource.scope === user.opco
+      return (resource.type === "OPCO" && resource._id === user._id) || (resource.type === "ENTREPRISE" && resource.opco === user.scope)
     default:
       assertUnreachable(user.type)
   }

diff --git a/server/tests/unit/security/authorisationService.test.ts b/server/tests/unit/security/authorisationService.test.ts
@@ -454,6 +454,27 @@ describe("authorisationService", () => {
           ).resolves.toBe(undefined)
         })
       })
+      describe.each<[Permission]>([["user:manage"]])("I have %s permission", (permission) => {
+        it("on user recruiter from my Opco", async () => {
+          const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurUserO1E1R1], location)
+          await expect(
+            authorizationnMiddleware(
+              {
+                method: "get",
+                path: "/path",
+                securityScheme,
+              },
+              {
+                user: {
+                  type: "IUserRecruteur",
+                  value: opcoUserO1U1,
+                },
+                ...req,
+              }
+            )
+          ).resolves.toBe(undefined)
+        })
+      })
 
       describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
         it("on recruiter from other Opco", async () => {
@@ -542,7 +563,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["user:manage"], ["admin"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["admin"]])("I do not have %s permission", (permission) => {
         it("on user recruiter from my Opco", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurUserO1E1R1], location)
           await expect(

diff --git a/shared/routes/user.routes.ts b/shared/routes/user.routes.ts
@@ -23,16 +23,14 @@ export const zUserRecruteurRoutes = {
           })
           .strict(),
       },
-      securityScheme: null,
-      // KBA hotfix: not working
-      // securityScheme: {
-      //   auth: "cookie-session",
-      //   access: "user:manage",
-      //   ressources: {
-      //     user: [{ opco: { type: "query", key: "opco" } }],
-      //     recruiter: [{ opco: { type: "query", key: "opco" } }],
-      //   },
-      // },
+      securityScheme: {
+        auth: "cookie-session",
+        access: { every: ["user:manage", "recruiter:manage"] },
+        ressources: {
+          user: [{ opco: { type: "query", key: "opco" } }],
+          recruiter: [{ opco: { type: "query", key: "opco" } }],
+        },
+      },
     },
     "/user": {
       method: "get",