diff --git a/src/app/api/common/UserNotificationController.ts b/src/app/api/notary/UserNotificationController.ts similarity index 79% rename from src/app/api/common/UserNotificationController.ts rename to src/app/api/notary/UserNotificationController.ts index eec01d06..1654df3b 100644 --- a/src/app/api/common/UserNotificationController.ts +++ b/src/app/api/notary/UserNotificationController.ts @@ -5,6 +5,7 @@ import { Service } from "typedi"; import UserNotification from "le-coffre-resources/dist/Notary/UserNotification"; import UserNotificationService from "@Services/common/UserNotificationService/UserNotificationService"; import authHandler from "@App/middlewares/AuthHandler"; +import { Prisma } from "@prisma/client"; @Controller() @Service() @@ -16,7 +17,7 @@ export default class UserNotificationController extends ApiController { /** * @description Get all customers */ - @Get("/api/v1/notifications", [authHandler]) + @Get("/api/v1/notary/notifications", [authHandler]) protected async get(req: Request, response: Response) { try { //get query @@ -25,11 +26,13 @@ export default class UserNotificationController extends ApiController { query = JSON.parse(req.query["q"] as string); } - if (query.where) { - query.where = { ...query.where, user: { uid: req.body.user.uid } }; - } else { - query.where = { user: { uid: req.body.user.uid } }; - } + + const userId: string = req.body.user.userId; + if(query.where?.user_uid) delete query.where.user_uid; + if(query.where?.user?.uid) delete query.where.user.uid; + const notificationWhereInput: Prisma.UserNotificationsWhereInput = { ...query.where, user_uid: userId }; + query.where = notificationWhereInput; + query.include = { notification: true }; //call service to get prisma entity const userNotificationEntities = await this.userNotificationService.get(query); 
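Review bot: The ownership filter built on the `notificationWhereInput` line disappears when `req.body.user.userId` is undefined, because Prisma drops an `undefined` value from a where clause, so the query would return every user's notifications rather than none. The removed code read `req.body.user.uid`, this hunk and the put hunk read `req.body.user.userId`, and the getOneByUid hunk on the next line reads `req.body.userId`, so which property authHandler actually sets needs confirming; either way, reject the request before querying: `if (!userId) { this.httpForbidden(response, "Missing user"); return; }`. With that guard in place the two `delete` lines are redundant, since `user_uid: userId` is spread last and overrides any client-supplied value, though keeping them is harmless. get's body continues outside the hunk.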
@@ -48,7 +51,7 @@ export default class UserNotificationController extends ApiController { /** * @description Modify a specific customer by uid */ - @Put("/api/v1/notifications/:uid") + @Put("/api/v1/notary/notifications/:uid", [authHandler]) protected async put(req: Request, response: Response) { try { const uid = req.params["uid"]; @@ -64,6 +67,11 @@ export default class UserNotificationController extends ApiController { return; } + if(userNotificationFound.user_uid !== req.body.user.userId) { + this.httpForbidden(response, "You are not allowed to update this user notification"); + return; + } + //init IUser resource with request body values const userNotificationEntity = UserNotification.hydrate(req.body); @@ -86,7 +94,7 @@ export default class UserNotificationController extends ApiController { /** * @description Get a specific customer by uid */ - @Get("/api/v1/notifications/:uid") + @Get("/api/v1/notary/notifications/:uid", [authHandler]) protected async getOneByUid(req: Request, response: Response) { try { const uid = req.params["uid"]; @@ -108,6 +116,11 @@ export default class UserNotificationController extends ApiController { return; } + if(userNotificationEntity.user_uid !== req.body.userId) { + this.httpForbidden(response, "You are allowed to get this user notification"); + return; + } + //Hydrate ressource with prisma entity const userNotification = UserNotification.hydrate(userNotificationEntity, { strategy: "excludeAll" }); diff --git a/src/app/index.ts b/src/app/index.ts index 92065837..092417a4 100644 --- a/src/app/index.ts +++ b/src/app/index.ts 
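Review bot: The forbidden message in the getOneByUid hunk lost its negation and reads as permission granted: `this.httpForbidden(response, "You are not allowed to get this user notification");`. The check on the line above it compares against `req.body.userId`, while the get and put hunks use `req.body.user.userId`; if authHandler populates `req.body.user`, then `req.body.userId` is undefined and the `!==` rejects every caller including the owner, so the three checks should share one accessor. getOneByUid's body continues outside the hunk.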
@@ -47,8 +47,7 @@ import VotesController from "./api/super-admin/VotesController"; import LiveVoteController from "./api/super-admin/LiveVoteController"; import DocumentControllerId360 from "./api/id360/DocumentController"; import CustomerControllerId360 from "./api/id360/CustomerController"; - -import UserNotificationController from "./api/common/UserNotificationController"; +import UserNotificationController from "./api/notary/UserNotificationController"; /** diff --git a/src/common/system/controller-pattern/BaseController.ts b/src/common/system/controller-pattern/BaseController.ts index 39bd4be7..7baa9c02 100644 --- a/src/common/system/controller-pattern/BaseController.ts +++ b/src/common/system/controller-pattern/BaseController.ts @@ -40,6 +40,10 @@ export default abstract class BaseController { return this.httpResponse(response, HttpCodes.NOT_IMPLEMENTED, responseData); } + protected httpForbidden(response: Response, responseData: IResponseData = "Forbidden") { + return this.httpResponse(response, HttpCodes.FORBIDDEN, responseData); + } + protected httpResponse(response: Response, httpCode: HttpCodes, responseData: IResponseData = {}) { if (responseData instanceof Error) { throw responseData; diff --git a/src/common/system/controller-pattern/HttpCodes.ts b/src/common/system/controller-pattern/HttpCodes.ts index 648c30b1..95c4a67d 100644 --- a/src/common/system/controller-pattern/HttpCodes.ts +++ b/src/common/system/controller-pattern/HttpCodes.ts @@ -8,5 +8,6 @@ enum HttpCodes { NOT_IMPLEMENTED = 501, NOT_FOUND = 404, UNAUTHORIZED = 401, + FORBIDDEN = 403, } export default HttpCodes;
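Review bot: The new `httpForbidden` in BaseController has no doc comment, although the distinction it introduces (the UNAUTHORIZED code already in HttpCodes for a missing or invalid identity, the new FORBIDDEN code for a known caller who does not own the resource) is exactly what the controller checks in this commit depend on. A one-line TSDoc above it would make that explicit: `/** Responds with 403 FORBIDDEN; use when the caller is authenticated but may not act on the requested resource. */`. The enclosing class continues outside the hunk.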