From 684e3030bafcbbed20b4eff482b5a8a5d37266cb Mon Sep 17 00:00:00 2001
From: eletallbetagouv <107104509+eletallbetagouv@users.noreply.github.com>
Date: Wed, 12 Feb 2025 16:56:12 +0200
Subject: [PATCH] Securize 3 more endpoints (#1886)
* securize GET /api/companies/:id/response-rate
* securize GET /api/companies/:companyId
* securize GET /api/companies/:siret/events
---
 app/controllers/BaseController.scala | 4 ++--
 app/controllers/CompanyAccessController.scala | 6 +++---
 app/controllers/CompanyController.scala | 8 ++++----
 app/controllers/EventsController.scala | 8 ++++++-
 app/controllers/StatisticController.scala | 2 +-
 app/loader/SignalConsoApplicationLoader.scala | 8 +++++++-
 6 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/app/controllers/BaseController.scala b/app/controllers/BaseController.scala
index 9aac30b8..a99e5bd2 100644
--- a/app/controllers/BaseController.scala
+++ b/app/controllers/BaseController.scala
@@ -172,7 +172,7 @@ abstract class BaseCompanyController(
 override val controllerComponents: ControllerComponents
 ) extends BaseController(authenticator, controllerComponents) {
 def companyOrchestrator: CompanyOrchestrator
- def companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator
+ def companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator
 class CompanyRequest[A](val company: Company, val accessLevel: AccessLevel, request: UserRequest[A]) extends WrappedRequest[A](request) {
@@ -199,7 +199,7 @@ abstract class BaseCompanyController(
 case UserRole.DGAL | UserRole.Professionnel =>
 company
 .map(c =>
- companyVisibilityOrchestrator
+ companiesVisibilityOrchestrator
 .fetchVisibleCompanies(request.identity)
 .map(_.find(_.company.id == c.id).map(_.level))
 )
diff --git a/app/controllers/CompanyAccessController.scala b/app/controllers/CompanyAccessController.scala
index f899ca85..84b0762d 100644
--- a/app/controllers/CompanyAccessController.scala
+++ b/app/controllers/CompanyAccessController.scala
@@ -37,7 +37,7 @@ class CompanyAccessController(
 accessTokenRepository: AccessTokenRepositoryInterface,
 val companyOrchestrator: CompanyOrchestrator,
 accessesOrchestrator: ProAccessTokenOrchestrator,
- val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+ val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
 companyAccessOrchestrator: CompanyAccessOrchestrator,
 eventRepository: EventRepositoryInterface,
 authenticator: Authenticator[User],
@@ -68,7 +68,7 @@ class CompanyAccessController(
 def visibleUsersToPro = Act.secured.pros.allowImpersonation.async { implicit request =>
 for {
- companiesWithAccesses <- companyVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
+ companiesWithAccesses <- companiesVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
 onlyAdminCompanies = companiesWithAccesses.filter(_.level == AccessLevel.ADMIN)
 usersAccessesPerCompanyMap <- companyAccessRepository.fetchUsersByCompanyIds(onlyAdminCompanies.map(_.company.id))
 } yield {
@@ -100,7 +100,7 @@ class CompanyAccessController(
 for {
 maybeUser <- userRepository.get(userId)
 user <- maybeUser.liftTo[Future](UserNotFoundById(userId))
- companiesWithAccesses <- companyVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
+ companiesWithAccesses <- companiesVisibilityOrchestrator.fetchVisibleCompanies(request.identity)
 onlyAdminCompanies = companiesWithAccesses.filter(_.level == AccessLevel.ADMIN)
 usersAccesses <- companyAccessRepository.getUserAccesses(onlyAdminCompanies.map(_.company.id), userId)
 _ <- usersAccesses.traverse(c => removeAccessFor(c.companyId, user, request.identity))
diff --git a/app/controllers/CompanyController.scala b/app/controllers/CompanyController.scala
index 566b245b..656b83f4 100644
--- a/app/controllers/CompanyController.scala
+++ b/app/controllers/CompanyController.scala
@@ -21,7 +21,7 @@ import scala.concurrent.Future
 class CompanyController(
 val companyOrchestrator: CompanyOrchestrator,
- val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+ val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
 albertOrchestrator: AlbertOrchestrator,
 authenticator: Authenticator[User],
 controllerComponents: ControllerComponents
@@ -68,7 +68,7 @@ class CompanyController(
 )
 }
- def getCompany(companyId: UUID) = Act.secured.all.allowImpersonation.async { request =>
+ def getCompany(companyId: UUID) = Act.securedWithCompanyAccessById(companyId).async { request =>
 implicit val userRole: Option[UserRole] = Some(request.identity.userRole)
 companyOrchestrator
 .searchRegisteredById(companyId, request.identity)
@@ -82,7 +82,7 @@ class CompanyController(
 .map(results => Ok(Json.toJson(results)))
 }
- def getResponseRate(companyId: UUID) = Act.secured.all.allowImpersonation.async { request =>
+ def getResponseRate(companyId: UUID) = Act.securedWithCompanyAccessById(companyId).async { request =>
 companyOrchestrator
 .getCompanyResponseRate(companyId, request.identity)
 .map(results => Ok(Json.toJson(results)))
@@ -101,7 +101,7 @@ class CompanyController(
 }
 def getCompaniesOfPro() = Act.secured.pros.allowImpersonation.async { implicit request =>
- companyVisibilityOrchestrator
+ companiesVisibilityOrchestrator
 .fetchVisibleCompanies(request.identity)
 .map(x => Ok(Json.toJson(x)))
 }
diff --git a/app/controllers/EventsController.scala b/app/controllers/EventsController.scala
index e24d3f77..18a5b958 100644
--- a/app/controllers/EventsController.scala
+++ b/app/controllers/EventsController.scala
@@ -2,6 +2,8 @@ package controllers
 import authentication.Authenticator
 import models.User
+import orchestrators.CompaniesVisibilityOrchestrator
+import orchestrators.CompanyOrchestrator
 import orchestrators.EventsOrchestratorInterface
 import play.api.libs.json.Json
 import play.api.mvc.Action
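Review bot: `getCompany` and `getResponseRate` swap `Act.secured.all.allowImpersonation` for `Act.securedWithCompanyAccessById(companyId)`, and the `.allowImpersonation` qualifier disappears from both; the new builder lives in BaseCompanyController outside this hunk, so whether it still honours impersonation is not visible here, and if it does not, an admin impersonating a pro would now be authorised as themselves on these two routes — worth confirming before merge. Neither hunk documents the new access rule; a one-line comment above each method, e.g. `// Caller must hold an access level on this company (resolved by securedWithCompanyAccessById); rejected otherwise`, would state the intent for the next reader. The diffstat lists only files under app/, so no test pins the newly restricted behaviour for a user without access to the company, on these two endpoints or on GET /api/companies/:siret/events. `getCompany`'s body continues past the hunk.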
@@ -13,15 +15,17 @@ import java.util.UUID
 import scala.concurrent.ExecutionContext
 class EventsController(
+ val companyOrchestrator: CompanyOrchestrator,
+ val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
 eventsOrchestrator: EventsOrchestratorInterface,
 authenticator: Authenticator[User],
 controllerComponents: ControllerComponents
 )(implicit val ec: ExecutionContext
-) extends BaseController(authenticator, controllerComponents) {
+) extends BaseCompanyController(authenticator, controllerComponents) {
 def getCompanyEvents(siret: SIRET, eventType: Option[String]): Action[AnyContent] =
- Act.secured.all.allowImpersonation.async { implicit request =>
+ Act.securedWithCompanyAccessBySiret(siret.toString).async { implicit request =>
 logger.info(s"Fetching events for company $siret with eventType $eventType")
 eventsOrchestrator
 .getCompanyEvents(siret = siret, eventType = eventType, userRole = request.identity.userRole)
diff --git a/app/controllers/StatisticController.scala b/app/controllers/StatisticController.scala
index 3187539e..0f5e6225 100644
--- a/app/controllers/StatisticController.scala
+++ b/app/controllers/StatisticController.scala
@@ -30,7 +30,7 @@ import scala.util.Success
 class StatisticController(
 val companyOrchestrator: CompanyOrchestrator,
 statsOrchestrator: StatsOrchestrator,
- val companyVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
+ val companiesVisibilityOrchestrator: CompaniesVisibilityOrchestrator,
 authenticator: Authenticator[User],
 controllerComponents: ControllerComponents
 )(implicit val ec: ExecutionContext)
diff --git a/app/loader/SignalConsoApplicationLoader.scala b/app/loader/SignalConsoApplicationLoader.scala
index cc8a2bf8..fe9a3956 100644
--- a/app/loader/SignalConsoApplicationLoader.scala
+++ b/app/loader/SignalConsoApplicationLoader.scala
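Review bot: `Act.securedWithCompanyAccessBySiret(siret.toString)` discards the `SIRET` the route already parsed and re-enters the authorisation check with a bare `String`; if the builder (defined in BaseCompanyController, outside this hunk) can take a `SIRET`, passing `siret` directly keeps the check on the validated type and avoids a second parse, and if it cannot, a short comment saying why the string form is required would help. The method now depends on two layers — the builder decides whether the caller may see this company at all, while `userRole = request.identity.userRole` still lets the orchestrator decide which events are returned — and that split deserves a comment such as `// Company-level access is enforced by the action builder; per-event role filtering stays in the orchestrator`. Since the builder presumably wraps the request as a `CompanyRequest` carrying the resolved `company`, the orchestrator could be handed that value instead of re-resolving by SIRET, if its signature allows it. `getCompanyEvents`'s body continues past the hunk.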
@@ -835,7 +835,13 @@ class SignalConsoComponents(
 val emailValidationController = new EmailValidationController(cookieAuthenticator, emailValidationOrchestrator, controllerComponents)
- val eventsController = new EventsController(eventsOrchestrator, cookieAuthenticator, controllerComponents)
+ val eventsController = new EventsController(
+ companyOrchestrator,
+ companiesVisibilityOrchestrator,
+ eventsOrchestrator,
+ cookieAuthenticator,
+ controllerComponents
+ )
 val ratingController = new RatingController(ratingRepository, cookieAuthenticator, controllerComponents)
 val reportBlockedNotificationController = new ReportBlockedNotificationController(