From e57952f87a163d8a383dfcf64330cfad4a139108 Mon Sep 17 00:00:00 2001
From: GregoireDucharme
Date: Fri, 10 Jan 2025 11:35:24 +0100
Subject: [PATCH] feat: interdit la modification de statut de parcelle au autre OC
---
 lib/errors.js | 2 ++
 lib/providers/cartobio.js | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/errors.js b/lib/errors.js
index d37eee3..a9ccce6 100644
--- a/lib/errors.js
+++ b/lib/errors.js
@@ -9,6 +9,7 @@ const InvalidCredentialsApiError = createError('INVALID_CREDENTIALS', 'Accès re
 const InvalidRequestApiError = createError('INVALID_API_REQUEST', '%s', 400)
 const NotFoundApiError = createError('NOT_FOUND', '%s', 404)
 const UnauthorizedApiError = createError('UNAUTHORIZED', 'Accès refusé : %s', 401)
+const ForbiddenApiError = createError('FORBIDDEN', 'Accès refusé : %s', 403)
 const BadGatewayApiError = createError('BAD_GATEWAY', 'Erreur serveur : %s', 502)
 const PreconditionFailedApiError = createError('PRECONDITION_FAILED', 'La ressource a été modifiée depuis la dernière requête.', 412)
@@ -59,6 +60,7 @@ module.exports = {
 InvalidRequestApiError,
 NotFoundApiError,
 UnauthorizedApiError,
+ ForbiddenApiError,
 BadGatewayApiError,
 PreconditionFailedApiError,
 isHandledError,
diff --git a/lib/providers/cartobio.js b/lib/providers/cartobio.js
index aa391dc..457e6e5 100644
--- a/lib/providers/cartobio.js
+++ b/lib/providers/cartobio.js
@@ -19,7 +19,7 @@ const { randomUUID } = require('crypto')
 const { fromCodePacStrict } = require('@agencebio/rosetta-cultures')
 const { fromCepageCode } = require('@agencebio/rosetta-cultures/cepages')
 const { createNewEvent } = require('../outputs/history.js')
-const { InvalidRequestApiError, BadGatewayApiError, NotFoundApiError } = require('../errors.js')
+const { InvalidRequestApiError, BadGatewayApiError, NotFoundApiError, ForbiddenApiError } = require('../errors.js')
 const { getRandomFeatureId, populateWithMultipleCultures } = require('../outputs/features.js')
 const Cursor = require('pg-cursor')
@@ -1233,6 +1233,10 @@ async function updateAuditRecordState ({ user, record }, patch) {
 })
 if (state) {
+ // @ts-ignore
+ if (user.organismeCertificateur && record.oc_id !== user.organismeCertificateur.id) {
+ throw new ForbiddenApiError("vous n'êtes pas autorisé·e à modifier le statut de ce parcellaire.")
+ }
 columns.push('audit_history')
 placeholders.push(`audit_history || $${columns.length + 1}::jsonb`)
 values.push(createNewEvent(
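Review bot: The ownership guard added inside `if (state)` is skipped whenever `user.organismeCertificateur` is falsy, so a caller whose user object lacks that field reaches the status update with no owner check; if that path is meant only for operators or admins, test for that role explicitly instead of relying on the field being absent. The guard also sits only on the `state` branch, so the other keys of `patch` handled by this function (outside the hunk) presumably stay writable by a different OC, which is worth confirming as intended. The `// @ts-ignore` hides whether `record.oc_id` and `user.organismeCertificateur.id` share a type; with `!==` a string/number mismatch would reject the legitimate OC, so type the user object or compare normalised values, e.g. `String(record.oc_id) !== String(user.organismeCertificateur.id)`. The diffstat shows no test file, and a case asserting the 403 for a foreign OC (and the pass for the owning one) would pin this rule. `updateAuditRecordState` starts and ends outside the hunk.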