fix: failles securité yeswehack

mission-apprentissage · Dec 14, 2023 · eb1fd5b · eb1fd5b
1 parent 6820de9
commit eb1fd5b
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 17 deletions.
diff --git a/server/src/security/authorisationService.ts b/server/src/security/authorisationService.ts
@@ -313,7 +313,6 @@ export function isAuthorized(access: AccessPermission, userWithType: NonTokenUse
 
   switch (access) {
     case "recruiter:manage":
-    case "recruiter:validate":
     case "recruiter:add_job":
       return resources.recruiters.every((recruiter) => canAccessRecruiter(userWithType, recruiter))
 
@@ -325,6 +324,7 @@ export function isAuthorized(access: AccessPermission, userWithType: NonTokenUse
       return resources.users.every((user) => canAccessUser(userWithType, user))
     case "application:manage":
       return resources.applications.every((application) => canAccessApplication(userWithType, application))
+    case "user:validate":
     case "user:manage":
       return resources.users.every((user) => canAccessUser(userWithType, user))
     case "admin":

diff --git a/server/tests/unit/security/authorisationService.test.ts b/server/tests/unit/security/authorisationService.test.ts
@@ -334,7 +334,7 @@ describe("authorisationService", () => {
     describe("as an admin user", () => {
       describe.each<[Permission]>([
         ["recruiter:manage"],
-        ["recruiter:validate"],
+        ["user:validate"],
         ["recruiter:add_job"],
         ["job:manage"],
         ["school:manage"],
@@ -391,7 +391,7 @@ describe("authorisationService", () => {
     })
 
     describe("as an opco user", () => {
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"]])("I have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"]])("I have %s permission", (permission) => {
         it("on all recruiters from my opco", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R1, recruteurO1E1R2, recruteurO1E2R1], location)
           await expect(
@@ -476,7 +476,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
         it("on recruiter from other Opco", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO2E1R1], location)
           await expect(
@@ -653,7 +653,7 @@ describe("authorisationService", () => {
     })
 
     describe("as an opco credential", () => {
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"]])("I have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"]])("I have %s permission", (permission) => {
         it("on all recruiters from my opco", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R1, recruteurO1E1R2, recruteurO1E2R1], location)
           await expect(
@@ -717,7 +717,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
         it("on recruiter from other Opco", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO2E1R1], location)
           await expect(
@@ -980,7 +980,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:validate"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["user:validate"]])("I do not have %s permission", (permission) => {
         it("on all my delegated recruiters", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R1], location)
           await expect(
@@ -1002,7 +1002,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
         it("on non delegated recruiters", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R2], location)
           await expect(
@@ -1242,7 +1242,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:validate"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["user:validate"]])("I do not have %s permission", (permission) => {
         it("on me", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R1], location)
           await expect(
@@ -1264,7 +1264,7 @@ describe("authorisationService", () => {
         })
       })
 
-      describe.each<[Permission]>([["recruiter:manage"], ["recruiter:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
+      describe.each<[Permission]>([["recruiter:manage"], ["user:validate"], ["recruiter:add_job"], ["admin"]])("I do not have %s permission", (permission) => {
         it("on other recruiters from my company", async () => {
           const [securityScheme, req] = generateSecuritySchemeFixture(permission, [recruteurO1E1R2], location)
           await expect(
@@ -1479,7 +1479,7 @@ describe("authorisationService", () => {
   it("should support some operator permission", async () => {
     const securityScheme: SecurityScheme = {
       auth: "cookie-session",
-      access: { some: ["recruiter:manage", "recruiter:validate"] },
+      access: { some: ["recruiter:manage", "user:validate"] },
       resources: {
         recruiter: [
           {
@@ -1535,7 +1535,7 @@ describe("authorisationService", () => {
   it("should support every operator permission", async () => {
     const securityScheme: SecurityScheme = {
       auth: "cookie-session",
-      access: { every: ["recruiter:manage", "recruiter:validate"] },
+      access: { every: ["recruiter:manage", "user:validate"] },
       resources: {
         recruiter: [
           {

diff --git a/shared/routes/recruiters.routes.ts b/shared/routes/recruiters.routes.ts
@@ -230,7 +230,7 @@ export const zRecruiterRoutes = {
       },
       securityScheme: {
         auth: "cookie-session",
-        access: null,
+        access: "user:manage",
         resources: {
           user: [{ _id: { type: "params", key: "id" } }],
         },

diff --git a/shared/routes/user.routes.ts b/shared/routes/user.routes.ts
@@ -210,7 +210,7 @@ export const zUserRecruteurRoutes = {
       },
       securityScheme: {
         auth: "cookie-session",
-        access: "user:manage",
+        access: "user:validate",
         resources: {
           user: [{ _id: { type: "params", key: "userId" } }],
         },

diff --git a/shared/routes/v1Jobs.routes.ts b/shared/routes/v1Jobs.routes.ts
@@ -355,7 +355,7 @@ export const zV1JobsRoutes = {
       },
       securityScheme: {
         auth: "api-key",
-        access: { every: ["recruiter:validate", "recruiter:manage"] },
+        access: { every: ["user:validate", "recruiter:manage", "user:manage"] },
         resources: {},
       },
       openapi: {

diff --git a/shared/security/permissions.ts b/shared/security/permissions.ts
@@ -1,4 +1,4 @@
-export type Permission = "recruiter:manage" | "recruiter:validate" | "recruiter:add_job" | "job:manage" | "school:manage" | "application:manage" | "user:manage" | "admin"
+export type Permission = "recruiter:manage" | "user:validate" | "recruiter:add_job" | "job:manage" | "school:manage" | "application:manage" | "user:manage" | "admin"
 
 export type RoleNames = "opco" | "recruiter" | "cfa" | "admin"
 
@@ -9,7 +9,7 @@ export interface Role {
 
 export const OpcoRole = {
   name: "opco",
-  permissions: ["recruiter:manage", "recruiter:validate", "recruiter:add_job", "job:manage", "user:manage"],
+  permissions: ["recruiter:manage", "user:validate", "recruiter:add_job", "job:manage", "user:manage"],
 } satisfies Role
 
 export const RecruiterRole = {