From 72332f98f4f7b1a8b0b8d390fca671caedd55607 Mon Sep 17 00:00:00 2001
From: Raphael Blum <raphael.blum@vivid-planet.com>
Date: Mon, 7 Oct 2024 11:24:50 +0200
Subject: [PATCH] add validation if targetGroup is in correct scope and is not
 a main list

---
 packages/api/package.json                     |  2 ++
 .../brevo-contact-import.console.ts           | 14 ++++++-------
 .../brevo-contact-import.controller.ts        | 12 +++--------
 .../brevo-contact-import.service.ts           | 21 ++++++++++++++++---
 pnpm-lock.yaml                                |  6 ++++++
 5 files changed, 35 insertions(+), 20 deletions(-)

diff --git a/packages/api/package.json b/packages/api/package.json
index 388dbf53..e038c0aa 100644
--- a/packages/api/package.json
+++ b/packages/api/package.json
@@ -51,6 +51,7 @@
         "@nestjs/graphql": "^10.0.0",
         "@nestjs/platform-express": "^9.0.0",
         "@types/jest": "^29.5.0",
+        "@types/lodash.isequal": "^4.0.0",
         "@types/mime-db": "^1.43.5",
         "@types/node-fetch": "^2.5.12",
         "@types/rimraf": "^3.0.0",
@@ -64,6 +65,7 @@
         "graphql": "^15.5.0",
         "jest": "^29.5.0",
         "jest-junit": "^15.0.0",
+        "lodash.isequal": "^4.5.0",
         "nestjs-console": "^8.0.0",
         "pg-error-constants": "^1.0.0",
         "prettier": "^2.0.0",
diff --git a/packages/api/src/brevo-contact/brevo-contact-import.console.ts b/packages/api/src/brevo-contact/brevo-contact-import.console.ts
index 89e80186..3b3829b5 100644
--- a/packages/api/src/brevo-contact/brevo-contact-import.console.ts
+++ b/packages/api/src/brevo-contact/brevo-contact-import.console.ts
@@ -81,20 +81,18 @@ export function createBrevoContactImportConsole({ Scope }: { Scope: Type<EmailCa
             ],
         })
         @CreateRequestContext()
-        async execute(options: CommandOptions): Promise<void> {
-            const redirectUrl = this.config.brevo.resolveConfig(options.scope).redirectUrlForImport;
-            const fileStream = fs.createReadStream(options.path);
-            if (!this.validateRedirectUrl(redirectUrl, options.scope)) {
+        async execute({ scope, path, targetGroupIds }: CommandOptions): Promise<void> {
+            const redirectUrl = this.config.brevo.resolveConfig(scope).redirectUrlForImport;
+            const fileStream = fs.createReadStream(path);
+            if (!this.validateRedirectUrl(redirectUrl, scope)) {
                 throw new InvalidOptionArgumentError("Invalid scope. Scope is not allowed");
             }
 
-            const targetGroups = await this.targetGroupRepository.find({ id: { $in: options.targetGroupIds } });
-
             const result = await this.brevoContactImportService.importContactsFromCsv({
                 fileStream,
-                scope: options.scope,
+                scope,
                 redirectUrl,
-                targetGroups,
+                targetGroupIds,
             });
 
             this.logger.log(result);
diff --git a/packages/api/src/brevo-contact/brevo-contact-import.controller.ts b/packages/api/src/brevo-contact/brevo-contact-import.controller.ts
index b4df8d01..729894f5 100644
--- a/packages/api/src/brevo-contact/brevo-contact-import.controller.ts
+++ b/packages/api/src/brevo-contact/brevo-contact-import.controller.ts
@@ -1,9 +1,6 @@
 import { CometValidationException, RequiredPermission } from "@comet/cms-api";
-import { EntityRepository } from "@mikro-orm/core";
-import { InjectRepository } from "@mikro-orm/nestjs";
 import { Body, Controller, Inject, Post, Type, UploadedFile, UseInterceptors } from "@nestjs/common";
 import { FileInterceptor } from "@nestjs/platform-express";
-import { TargetGroupInterface } from "src/target-group/entity/target-group-entity.factory";
 import { Readable } from "stream";
 
 import { BrevoContactImportService } from "../brevo-contact/brevo-contact-import.service";
@@ -18,7 +15,6 @@ export function createBrevoContactImportController({ Scope }: { Scope: Type<Emai
         constructor(
             @Inject(BREVO_MODULE_CONFIG) private readonly config: BrevoModuleConfig,
             @Inject(BrevoContactImportService) private readonly brevoContactImportService: BrevoContactImportService,
-            @InjectRepository("TargetGroup") private readonly targetGroupRepository: EntityRepository<TargetGroupInterface>,
         ) {}
 
         @Post("upload")
@@ -43,17 +39,15 @@ export function createBrevoContactImportController({ Scope }: { Scope: Type<Emai
             const parsedScope = JSON.parse(scope) as EmailCampaignScopeInterface;
             const redirectUrl = this.config.brevo.resolveConfig(parsedScope).redirectUrlForImport;
 
-            let parsedListIds = undefined;
-            if (listIds) parsedListIds = JSON.parse(listIds) as string[];
-
-            const targetGroups = await this.targetGroupRepository.find({ id: { $in: parsedListIds } });
+            let targetGroupIds = undefined;
+            if (listIds) targetGroupIds = JSON.parse(listIds) as string[];
 
             const stream = Readable.from(file.buffer);
             return this.brevoContactImportService.importContactsFromCsv({
                 fileStream: stream,
                 scope: parsedScope,
                 redirectUrl,
-                targetGroups,
+                targetGroupIds,
                 isAdminImport: true,
             });
         }
diff --git a/packages/api/src/brevo-contact/brevo-contact-import.service.ts b/packages/api/src/brevo-contact/brevo-contact-import.service.ts
index 17bebdd1..1a3fcf0b 100644
--- a/packages/api/src/brevo-contact/brevo-contact-import.service.ts
+++ b/packages/api/src/brevo-contact/brevo-contact-import.service.ts
@@ -1,6 +1,10 @@
 import * as csv from "@fast-csv/parse";
+import { EntityRepository } from "@mikro-orm/core";
+import { InjectRepository } from "@mikro-orm/nestjs";
 import { Inject, Injectable } from "@nestjs/common";
 import { IsEmail, IsNotEmpty, validateSync } from "class-validator";
+import isEqual from "lodash.isequal";
+import { TargetGroupInterface } from "src/target-group/entity/target-group-entity.factory";
 import { Readable } from "stream";
 
 import { isErrorFromBrevo } from "../brevo-api/brevo-api.utils";
@@ -8,7 +12,6 @@ import { BrevoApiContactsService, CreateDoubleOptInContactData } from "../brevo-
 import { BrevoContactsService } from "../brevo-contact/brevo-contacts.service";
 import { BrevoModuleConfig } from "../config/brevo-module.config";
 import { BREVO_MODULE_CONFIG } from "../config/brevo-module.constants";
-import { TargetGroupInterface } from "../target-group/entity/target-group-entity.factory";
 import { TargetGroupsService } from "../target-group/target-groups.service";
 import { EmailCampaignScopeInterface } from "../types";
 
@@ -33,7 +36,7 @@ interface ImportContactsFromCsvParams {
     fileStream: Readable;
     scope: EmailCampaignScopeInterface;
     redirectUrl: string;
-    targetGroups?: TargetGroupInterface[];
+    targetGroupIds?: string[];
     isAdminImport?: boolean;
 }
 
@@ -44,16 +47,28 @@ export class BrevoContactImportService {
         private readonly brevoApiContactsService: BrevoApiContactsService,
         private readonly brevoContactsService: BrevoContactsService,
         private readonly targetGroupsService: TargetGroupsService,
+        @InjectRepository("TargetGroup") private readonly targetGroupRepository: EntityRepository<TargetGroupInterface>,
     ) {}
 
     async importContactsFromCsv({
         fileStream,
         scope,
         redirectUrl,
-        targetGroups = [],
+        targetGroupIds = [],
         isAdminImport = false,
     }: ImportContactsFromCsvParams): Promise<CsvImportInformation> {
         const failedColumns: unknown[] = [];
+        const targetGroups = await this.targetGroupRepository.find({ id: { $in: targetGroupIds } });
+
+        for (const targetGroup of targetGroups) {
+            if (targetGroup.isMainList) {
+                throw new Error("Main lists are not allowed as target groups for import");
+            }
+
+            if (!isEqual({ ...targetGroup.scope }, scope)) {
+                throw new Error("Target group scope does not match the scope of the import file");
+            }
+        }
 
         const manuallyAssignedBrevoContacts = await Promise.all(
             targetGroups.map((targetGroup) => {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dc1d22fa..f939c916 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1010,6 +1010,9 @@ importers:
       '@types/jest':
         specifier: ^29.5.0
         version: 29.5.11
+      '@types/lodash.isequal':
+        specifier: ^4.0.0
+        version: 4.5.8
       '@types/mime-db':
         specifier: ^1.43.5
         version: 1.43.5
@@ -1049,6 +1052,9 @@ importers:
       jest-junit:
         specifier: ^15.0.0
         version: 15.0.0
+      lodash.isequal:
+        specifier: ^4.5.0
+        version: 4.5.0
       nestjs-console:
         specifier: ^8.0.0
         version: 8.0.0(@nestjs/common@9.4.3)(@nestjs/core@9.4.3)