Merge pull request #3735 from MTES-MCT/TRA-15142/admin-mods

[TRA-15142] Amélioration admin

Changelog.md

@@ -4,6 +4,11 @@ Les changements importants de Trackdéchets sont documentés dans ce fichier.
 
 Le format est basé sur [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 et le projet suit un schéma de versionning inspiré de [Calendar Versioning](https://calver.org/).
+[2024.11.1] 19/11/2024
+
+#### :house: Interne
+
+- Amélioration de l'interface d'admin [PR 3735](https://github.com/MTES-MCT/trackdechets/pull/3735)
 
 # [2024.11.1] 19/11/2024
 

back/src/bsda/permissions.ts

@@ -190,6 +190,9 @@ async function creators(input: BsdaInput) {
 }
 
 export async function checkCanRead(user: User, bsda: BsdaWithTransporters) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = readers(bsda);
 
   return checkUserPermissions(

back/src/bsda/resolvers/queries/__tests__/bsda.integration.ts

@@ -9,6 +9,7 @@ import {
 import makeClient from "../../../../__tests__/testClient";
 import { fullBsda } from "../../../fragments";
 import { bsdaFactory } from "../../../__tests__/factories";
+import { ErrorCode } from "../../../../common/errors";
 
 const GET_BSDA = gql`
   query GetBsda($id: ID!) {
@@ -22,6 +23,79 @@ const GET_BSDA = gql`
 describe("Query.Bsda", () => {
   afterEach(resetDatabase);
 
+  it("should disallow unauthenticated user", async () => {
+    const { query } = makeClient();
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsda = await bsdaFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+
+    const { errors } = await query<Pick<Query, "bsda">>(GET_BSDA, {
+      variables: { id: bsda.id }
+    });
+
+    expect(errors).toEqual([
+      expect.objectContaining({
+        message: "Vous n'êtes pas connecté.",
+        extensions: expect.objectContaining({
+          code: ErrorCode.UNAUTHENTICATED
+        })
+      })
+    ]);
+  });
+
+  it("should forbid access to user not on the bsd", async () => {
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsda = await bsdaFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+    const { user: otherUser } = await userWithCompanyFactory("MEMBER");
+
+    const { query } = makeClient(otherUser);
+
+    const { errors } = await query<Pick<Query, "bsda">>(GET_BSDA, {
+      variables: { id: bsda.id }
+    });
+
+    expect(errors).toEqual([
+      expect.objectContaining({
+        message: "Vous n'êtes pas autorisé à accéder à ce bordereau",
+        extensions: expect.objectContaining({
+          code: ErrorCode.FORBIDDEN
+        })
+      })
+    ]);
+  });
+
+  it("should allow access to admin user not on the bsd", async () => {
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsda = await bsdaFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+    const { user: otherUser } = await userWithCompanyFactory(
+      "MEMBER",
+      {},
+      { isAdmin: true }
+    );
+
+    const { query } = makeClient(otherUser);
+
+    const { data } = await query<Pick<Query, "bsda">>(GET_BSDA, {
+      variables: { id: bsda.id }
+    });
+
+    expect(data.bsda.id).toBe(bsda.id);
+  });
+
   it("should get a bsda by id", async () => {
     const { user, company } = await userWithCompanyFactory(UserRole.ADMIN);
     const form = await bsdaFactory({

back/src/bsdasris/permissions.ts

@@ -80,6 +80,9 @@ function creators(input: BsdasriInput) {
 }
 
 export function checkCanRead(user: User, bsdasri: Bsdasri) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = readers(bsdasri);
   return checkUserPermissions(
     user,

back/src/bsdasris/resolvers/queries/__tests__/bsdasri.integration.ts

@@ -75,6 +75,28 @@ describe("Query.Bsdasri", () => {
     ]);
   });
 
+  it("should allow access to admin user not on the bsd", async () => {
+    const { company } = await userWithCompanyFactory("MEMBER");
+    const { company: destination } = await userWithCompanyFactory("MEMBER");
+    const dasri = await bsdasriFactory({
+      opt: {
+        ...initialData(company),
+        ...readyToPublishData(destination)
+      }
+    });
+    const { user: otherUser } = await userWithCompanyFactory(
+      "MEMBER",
+      {},
+      { isAdmin: true }
+    );
+
+    const { query } = makeClient(otherUser);
+    const { data } = await query<Pick<Query, "bsdasri">>(GET_BSDASRI, {
+      variables: { id: dasri.id }
+    });
+    expect(data.bsdasri.id).toBe(dasri.id);
+  });
+
   it("should get a dasri by id", async () => {
     const { user, company } = await userWithCompanyFactory("MEMBER");
     const { company: destination } = await userWithCompanyFactory("MEMBER");

back/src/bsffs/database.ts

@@ -160,7 +160,7 @@ export async function getFicheInterventions({
     expandFicheInterventionBsffFromDB
   );
 
-  if (isBsffReader) {
+  if (isBsffReader || user.isAdmin) {
     return expandedFicheInterventions;
   }
 

back/src/bsffs/permissions.ts

@@ -119,6 +119,9 @@ function creators(input: BsffInput) {
 }
 
 export async function checkCanRead(user: User, bsff: BsffWithTransporters) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = readers(bsff);
 
   return checkUserPermissions(

back/src/bsffs/resolvers/queries/__tests__/bsff.integration.ts

@@ -13,6 +13,7 @@ import {
 } from "../../../__tests__/factories";
 import { gql } from "graphql-tag";
 import { fullBsff } from "../../../fragments";
+import { ErrorCode } from "../../../../common/errors";
 
 const GET_BSFF = gql`
   query GetBsff($id: ID!) {
@@ -25,6 +26,29 @@ const GET_BSFF = gql`
 
 describe("Query.bsff", () => {
   afterEach(resetDatabase);
+  it("should disallow unauthenticated user", async () => {
+    const emitter = await userWithCompanyFactory(UserRole.ADMIN);
+    const bsff = await createBsff({ emitter });
+
+    const { query } = makeClient();
+    const { errors } = await query<Pick<Query, "bsff">, QueryBsffArgs>(
+      GET_BSFF,
+      {
+        variables: {
+          id: bsff.id
+        }
+      }
+    );
+
+    expect(errors).toEqual([
+      expect.objectContaining({
+        message: "Vous n'êtes pas connecté.",
+        extensions: expect.objectContaining({
+          code: ErrorCode.UNAUTHENTICATED
+        })
+      })
+    ]);
+  });
 
   it("should allow the emitter to read their bsff", async () => {
     const emitter = await userWithCompanyFactory(UserRole.ADMIN);
@@ -90,6 +114,30 @@ describe("Query.bsff", () => {
     ]);
   });
 
+  it("should allow admin user even if the user is not a contributor of the bsff", async () => {
+    const { user } = await userWithCompanyFactory(
+      UserRole.ADMIN,
+      {},
+      { isAdmin: true }
+    );
+
+    const otherEmitter = await userWithCompanyFactory(UserRole.ADMIN);
+    const bsff = await createBsff({ emitter: otherEmitter });
+
+    const { query } = makeClient(user);
+    const { data } = await query<Pick<Query, "bsff">, QueryBsffArgs>(GET_BSFF, {
+      variables: {
+        id: bsff.id
+      }
+    });
+
+    expect(data.bsff).toEqual(
+      expect.objectContaining({
+        id: bsff.id
+      })
+    );
+  });
+
   it("should throw an error not found if the user is not a contributor of the bsff", async () => {
     const emitter = await userWithCompanyFactory(UserRole.ADMIN);
 

back/src/bspaoh/permissions.ts

@@ -60,6 +60,9 @@ function readers(bspaoh: PrismaBspaoh): string[] {
 }
 
 export function checkCanRead(user: User, bspaoh: PrismaBspaoh) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = readers(bspaoh);
 
   return checkUserPermissions(

back/src/bspaoh/resolvers/queries/__tests__/bspaoh.integration.ts

@@ -62,6 +62,21 @@ describe("Query.Bspaoh", () => {
     ]);
   });
 
+  it("should allow access to admin user not on the bsd", async () => {
+    const paoh = await bspaohFactory({});
+    const { user: otherUser } = await userWithCompanyFactory(
+      "MEMBER",
+      {},
+      { isAdmin: true }
+    );
+
+    const { query } = makeClient(otherUser);
+    const { data } = await query<Pick<Query, "bspaoh">>(GET_BSPAOH, {
+      variables: { id: paoh.id }
+    });
+    expect(data.bspaoh.id).toBe(paoh.id);
+  });
+
   it("should get a draft bspaoh if user siret belongs to allowed draft sirets", async () => {
     const { user, company } = await userWithCompanyFactory(UserRole.ADMIN);
     const bsd = await bspaohFactory({

back/src/bsvhu/permissions.ts

@@ -112,6 +112,9 @@ function creators(input: BsvhuInput) {
 }
 
 export async function checkCanRead(user: User, bsvhu: Bsvhu) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = readers(bsvhu);
 
   return checkUserPermissions(

back/src/bsvhu/resolvers/queries/__tests__/bsvhu.integration.ts

@@ -9,6 +9,7 @@ import {
   bsvhuFactory,
   toIntermediaryCompany
 } from "../../../__tests__/factories.vhu";
+import { ErrorCode } from "../../../../common/errors";
 
 const GET_BSVHU = `
 query GetBsvhu($id: ID!) {
@@ -70,9 +71,32 @@ query GetBsvhu($id: ID!) {
 describe("Query.Bsvhu", () => {
   afterEach(resetDatabase);
 
+  it("should disallow unauthenticated user", async () => {
+    const { query } = makeClient();
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsvhu = await bsvhuFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+
+    const { errors } = await query<Pick<Query, "bsvhu">>(GET_BSVHU, {
+      variables: { id: bsvhu.id }
+    });
+    expect(errors).toEqual([
+      expect.objectContaining({
+        message: "Vous n'êtes pas connecté.",
+        extensions: expect.objectContaining({
+          code: ErrorCode.UNAUTHENTICATED
+        })
+      })
+    ]);
+  });
+
   it("should get a bsvhu by id", async () => {
     const { user, company } = await userWithCompanyFactory("MEMBER");
-    const form = await bsvhuFactory({
+    const bsvhu = await bsvhuFactory({
       opt: {
         emitterCompanySiret: company.siret
       }
@@ -81,10 +105,59 @@ describe("Query.Bsvhu", () => {
     const { query } = makeClient(user);
 
     const { data } = await query<Pick<Query, "bsvhu">>(GET_BSVHU, {
-      variables: { id: form.id }
+      variables: { id: bsvhu.id }
+    });
+
+    expect(data.bsvhu.id).toBe(bsvhu.id);
+  });
+
+  it("should forbid access to user not on the bsd", async () => {
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsvhu = await bsvhuFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+    const { user: otherUser } = await userWithCompanyFactory("MEMBER");
+
+    const { query } = makeClient(otherUser);
+
+    const { errors } = await query<Pick<Query, "bsvhu">>(GET_BSVHU, {
+      variables: { id: bsvhu.id }
+    });
+
+    expect(errors).toEqual([
+      expect.objectContaining({
+        message: "Vous n'êtes pas autorisé à accéder à ce bordereau",
+        extensions: expect.objectContaining({
+          code: ErrorCode.FORBIDDEN
+        })
+      })
+    ]);
+  });
+
+  it("should allow access to admin user not on the bsd", async () => {
+    const { company } = await userWithCompanyFactory("MEMBER");
+
+    const bsvhu = await bsvhuFactory({
+      opt: {
+        emitterCompanySiret: company.siret
+      }
+    });
+    const { user: otherUser } = await userWithCompanyFactory(
+      "MEMBER",
+      {},
+      { isAdmin: true }
+    );
+
+    const { query } = makeClient(otherUser);
+
+    const { data } = await query<Pick<Query, "bsvhu">>(GET_BSVHU, {
+      variables: { id: bsvhu.id }
     });
 
-    expect(data.bsvhu.id).toBe(form.id);
+    expect(data.bsvhu.id).toBe(bsvhu.id);
   });
 
   it("should get a bsvhu by id if current user is an intermediary", async () => {

back/src/forms/permissions.ts

@@ -220,6 +220,9 @@ export function isFormReader(
 }
 
 export async function checkCanRead(user: User, form: FormForReadCheck) {
+  if (user.isAdmin && user.isActive) {
+    return true;
+  }
   const authorizedOrgIds = formReaders(form);
 
   return checkUserPermissions(