Securize 3 more endpoints (#1886)

* securize GET /api/companies/:id/response-rate * securize GET /api/companies/:companyId * securize GET /api/companies/:siret/events
betagouv · Feb 12, 2025 · 684e303 · 684e303
1 parent 76f133d
commit 684e303
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 13 deletions.
diff --git a/app/controllers/BaseController.scala b/app/controllers/BaseController.scala
@@ -172,7 +172,7 @@ abstract class BaseCompanyController(
     override val controllerComponents: ControllerComponents
 ) extends BaseController(authenticator, controllerComponents) {
   def companyOrchestrator: CompanyOrchestrator
-  def companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator
+  def companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator
 
   class CompanyRequest[A](val company: Company, val accessLevel: AccessLevel, request: UserRequest[A])
       extends WrappedRequest[A](request) {
@@ -199,7 +199,7 @@ abstract class BaseCompanyController(
               case UserRole.DGAL | UserRole.Professionnel =>
                 company
                   .map(c =>
-                    companyVisibilityOrchestrator
+                    companiesVisibilityOrchestrator
                       .fetchVisibleCompanies(request.identity)
                       .map(_.find(_.company.id == c.id).map(_.level))
                   )

diff --git a/app/controllers/CompanyAccessController.scala b/app/controllers/CompanyAccessController.scala
@@ -37,7 +37,7 @@ class CompanyAccessController(
     accessTokenRepository: AccessTokenRepositoryInterface,
     val companyOrchestrator: CompanyOrchestrator,
     accessesOrchestrator: ProAccessTokenOrchestrator,
-    val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+    val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
     companyAccessOrchestrator: CompanyAccessOrchestrator,
     eventRepository: EventRepositoryInterface,
     authenticator: Authenticator[User],
@@ -68,7 +68,7 @@ class CompanyAccessController(
 
   def visibleUsersToPro = Act.secured.pros.allowImpersonation.async { implicit request =>
     for {
-      companiesWithAccesses <- companyVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
+      companiesWithAccesses <- companiesVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
       onlyAdminCompanies = companiesWithAccesses.filter(_.level == AccessLevel.ADMIN)
       usersAccessesPerCompanyMap <- companyAccessRepository.fetchUsersByCompanyIds(onlyAdminCompanies.map(_.company.id))
     } yield {
@@ -100,7 +100,7 @@ class CompanyAccessController(
       for {
         maybeUser             <- userRepository.get(userId)
         user                  <- maybeUser.liftTo[Future](UserNotFoundById(userId))
-        companiesWithAccesses <- companyVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
+        companiesWithAccesses <- companiesVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
         onlyAdminCompanies = companiesWithAccesses.filter(_.level == AccessLevel.ADMIN)
         usersAccesses <- companyAccessRepository.getUserAccesses(onlyAdminCompanies.map(_.company.id), userId)
         _             <- usersAccesses.traverse(c => removeAccessFor(c.companyId, user, request.identity))

diff --git a/app/controllers/CompanyController.scala b/app/controllers/CompanyController.scala
@@ -21,7 +21,7 @@ import scala.concurrent.Future
 
 class CompanyController(
     val companyOrchestrator: CompanyOrchestrator,
-    val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+    val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
     albertOrchestrator: AlbertOrchestrator,
     authenticator: Authenticator[User],
     controllerComponents: ControllerComponents
@@ -68,7 +68,7 @@ class CompanyController(
       )
   }
 
-  def getCompany(companyId: UUID) = Act.secured.all.allowImpersonation.async { request =>
+  def getCompany(companyId: UUID) = Act.securedWithCompanyAccessById(companyId).async { request =>
     implicit val userRole: Option[UserRole] = Some(request.identity.userRole)
     companyOrchestrator
       .searchRegisteredById(companyId, request.identity)
@@ -82,7 +82,7 @@ class CompanyController(
       .map(results => Ok(Json.toJson(results)))
   }
 
-  def getResponseRate(companyId: UUID) = Act.secured.all.allowImpersonation.async { request =>
+  def getResponseRate(companyId: UUID) = Act.securedWithCompanyAccessById(companyId).async { request =>
     companyOrchestrator
       .getCompanyResponseRate(companyId, request.identity)
       .map(results => Ok(Json.toJson(results)))
@@ -101,7 +101,7 @@ class CompanyController(
   }
 
   def getCompaniesOfPro() = Act.secured.pros.allowImpersonation.async { implicit request =>
-    companyVisibilityOrchestrator
+    companiesVisibilityOrchestrator
       .fetchVisibleCompanies(request.identity)
       .map(x => Ok(Json.toJson(x)))
   }

diff --git a/app/controllers/EventsController.scala b/app/controllers/EventsController.scala
@@ -2,6 +2,8 @@ package controllers
 
 import authentication.Authenticator
 import models.User
+import orchestrators.CompaniesVisibilityOrchestrator
+import orchestrators.CompanyOrchestrator
 import orchestrators.EventsOrchestratorInterface
 import play.api.libs.json.Json
 import play.api.mvc.Action
@@ -13,15 +15,17 @@ import java.util.UUID
 import scala.concurrent.ExecutionContext
 
 class EventsController(
+    val companyOrchestrator: CompanyOrchestrator,
+    val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
     eventsOrchestrator: EventsOrchestratorInterface,
     authenticator: Authenticator[User],
     controllerComponents: ControllerComponents
 )(implicit
     val ec: ExecutionContext
-) extends BaseController(authenticator, controllerComponents) {
+) extends BaseCompanyController(authenticator, controllerComponents) {
 
   def getCompanyEvents(siret: SIRET, eventType: Option[String]): Action[AnyContent] =
-    Act.secured.all.allowImpersonation.async { implicit request =>
+    Act.securedWithCompanyAccessBySiret(siret.toString).async { implicit request =>
       logger.info(s"Fetching events for company $siret with eventType $eventType")
       eventsOrchestrator
         .getCompanyEvents(siret = siret, eventType = eventType, userRole = request.identity.userRole)

diff --git a/app/controllers/StatisticController.scala b/app/controllers/StatisticController.scala
@@ -30,7 +30,7 @@ import scala.util.Success
 class StatisticController(
     val companyOrchestrator: CompanyOrchestrator,
     statsOrchestrator: StatsOrchestrator,
-    val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+    val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
     authenticator: Authenticator[User],
     controllerComponents: ControllerComponents
 )(implicit val ec: ExecutionContext)

diff --git a/app/loader/SignalConsoApplicationLoader.scala b/app/loader/SignalConsoApplicationLoader.scala
@@ -835,7 +835,13 @@ class SignalConsoComponents(
   val emailValidationController =
     new EmailValidationController(cookieAuthenticator, emailValidationOrchestrator, controllerComponents)
 
-  val eventsController = new EventsController(eventsOrchestrator, cookieAuthenticator, controllerComponents)
+  val eventsController = new EventsController(
+    companyOrchestrator,
+    companiesVisibilityOrchestrator,
+    eventsOrchestrator,
+    cookieAuthenticator,
+    controllerComponents
+  )
   val ratingController = new RatingController(ratingRepository, cookieAuthenticator, controllerComponents)
   val reportBlockedNotificationController =
     new ReportBlockedNotificationController(