fix: securisation de /formulaire/offre/f/:jobId/cancel

shared/constants/recruteur.ts

@@ -1,10 +1,3 @@
-export enum JOB_STATUS {
-  ACTIVE = "Active",
-  POURVUE = "Pourvue",
-  ANNULEE = "Annulée",
-  EN_ATTENTE = "En attente",
-}
-
 export enum RECRUITER_STATUS {
   ACTIF = "Actif",
   ARCHIVE = "Archivé",

shared/routes/formulaire.route.ts

@@ -1,6 +1,6 @@
 import { z } from "../helpers/zodWithOpenApi"
 import { zObjectId } from "../models/common"
-import { ZJob, ZJobWrite } from "../models/job.model"
+import { JOB_STATUS, ZJob, ZJobWrite } from "../models/job.model"
 import { ZRecruiter, ZRecruiterWritable } from "../models/recruiter.model"
 
 import { IRoutesDef } from "./common.routes"
@@ -177,20 +177,24 @@ export const zFormulaireRoute = {
     "/formulaire/offre/f/:jobId/cancel": {
       method: "put",
       path: "/formulaire/offre/f/:jobId/cancel",
-      // TODO_SECURITY_FIX gestion des permissions
-      // TODO_SECURITY_FIX session gérée par cookie server
       // TODO_SECURITY_FIX Scinder les routes pour cancel depuis admin OU cancel depuis CTA dans un email (avec jwt)
       params: z.object({ jobId: zObjectId }).strict(),
       body: z
         .object({
-          job_status: z.string(),
+          job_status: z.enum([JOB_STATUS.POURVUE, JOB_STATUS.ANNULEE]),
           job_status_comment: z.string(),
         })
         .strict(),
       response: {
-        "2xx": z.object({}).strict(),
+        "200": z.object({}).strict(),
+      },
+      securityScheme: {
+        auth: "cookie-session",
+        access: "job:manage",
+        ressources: {
+          job: [{ _id: { type: "params", key: "jobId" } }],
+        },
       },
-      securityScheme: null,
     },
     "/formulaire/offre/:jobId/provided": {
       method: "put",

ui/components/espace_pro/ConfirmationSuppressionOffre.tsx

@@ -18,6 +18,7 @@ import {
 } from "@chakra-ui/react"
 import { useState } from "react"
 import { useQueryClient } from "react-query"
+import { JOB_STATUS } from "shared"
 
 import { ArrowRightLine, Close } from "../../theme/components/icons"
 import { cancelOffreFromAdmin } from "../../utils/api"
@@ -47,7 +48,7 @@ export default function ConfirmationSuppressionOffre(props) {
     }
   }
 
-  const updateOffer = (job_status) => {
+  const cancelOffer = (job_status: JOB_STATUS.POURVUE | JOB_STATUS.ANNULEE) => {
     cancelOffreFromAdmin(offre._id, { job_status, job_status_comment: job_status_comment ?? undefined })
       .then(() => {
         toast({
@@ -91,7 +92,7 @@ export default function ConfirmationSuppressionOffre(props) {
             <Button variant="secondary" mr={3} onClick={() => reason.onOpen()}>
               Non
             </Button>
-            <Button variant="primary" onClick={() => updateOffer("Pourvue")}>
+            <Button variant="primary" onClick={() => cancelOffer(JOB_STATUS.POURVUE)}>
               Oui
             </Button>
           </ModalFooter>
@@ -107,7 +108,7 @@ export default function ConfirmationSuppressionOffre(props) {
                 <option value="Autre">Autre</option>
               </Select>
             </FormControl>
-            <Button variant="secondary" ml={3} onClick={() => updateOffer("Annulée")} isDisabled={job_status_comment.length < 3}>
+            <Button variant="secondary" ml={3} onClick={() => cancelOffer(JOB_STATUS.ANNULEE)} isDisabled={job_status_comment.length < 3}>
               Enregistrer
             </Button>
           </ModalFooter>
@@ -120,7 +121,7 @@ export default function ConfirmationSuppressionOffre(props) {
               <Input onChange={(e) => SetjobStatusComment(e.target.value)} isRequired minLength={3} />
             </FormControl>
             <Flex justify="flex-end">
-              <Button variant="secondary" mt={3} onClick={() => updateOffer("Annulée")} isDisabled={job_status_comment.length < 3}>
+              <Button variant="secondary" mt={3} onClick={() => cancelOffer(JOB_STATUS.ANNULEE)} isDisabled={job_status_comment.length < 3}>
                 Enregistrer
               </Button>
             </Flex>

ui/utils/api.ts

@@ -1,6 +1,6 @@
 import { captureException } from "@sentry/nextjs"
 import Axios from "axios"
-import { IJobWritable, INewDelegations } from "shared"
+import { IJobWritable, INewDelegations, IRoutes } from "shared"
 
 import { publicConfig } from "../config.public"
 
@@ -34,8 +34,9 @@ export const getOffre = (jobId) => API.get(`/formulaire/offre/f/${jobId}`)
 export const createOffre = (establishment_id: string, newOffre: IJobWritable) => apiPost("/formulaire/:establishment_id/offre", { params: { establishment_id }, body: newOffre })
 export const patchOffre = (jobId, data, config) => API.patch(`/formulaire/offre/${jobId}`, data, config).catch(errorHandler)
 export const cancelOffre = (jobId) => API.put(`/formulaire/offre/${jobId}/cancel`)
-export const cancelOffreFromAdmin = (jobId, data) => API.put(`/formulaire/offre/f/${jobId}/cancel`, data)
-export const extendOffre = (jobId) => apiPut(`/formulaire/offre/:jobId/extend`, { params: { jobId } })
+export const cancelOffreFromAdmin = (jobId: string, data: IRoutes["put"]["/formulaire/offre/f/:jobId/cancel"]["body"]["_input"]) =>
+  apiPut("/formulaire/offre/f/:jobId/cancel", { params: { jobId }, body: data })
+export const extendOffre = (jobId: string) => apiPut(`/formulaire/offre/:jobId/extend`, { params: { jobId } })
 export const fillOffre = (jobId) => API.put(`/formulaire/offre/${jobId}/provided`)
 export const createEtablissementDelegation = ({ data, jobId }: { jobId: string; data: INewDelegations }) =>
   apiPost(`/formulaire/offre/:jobId/delegation`, { params: { jobId }, body: data })