Skip to content

Commit

Permalink
Renomme des éléments liés aux droits
Browse files Browse the repository at this point in the history
  • Loading branch information
@amandinejacquelin
amandinejacquelin committed Dec 19, 2024
1 parent e9a83d9 commit 72fef25
Show file tree
Hide file tree
Showing 37 changed files with 233 additions and 233 deletions.
4 changes: 2 additions & 2 deletions backend/src/auth/auth.module.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,8 @@ import { CollectivitesModule } from '../collectivites/collectivites.module';
import { CommonModule } from '../common/common.module';
import { ConfigurationModule } from '../config/configuration.module';
import { AuthGuard } from './guards/auth.guard';
import { PermissionService } from '../auth/gestion-des-droits/permission.service';
import { RoleService } from '../auth/gestion-des-droits/roles/role.service';
import { PermissionService } from '@/backend/auth/authorizations/permission.service';
import { RoleService } from '@/backend/auth/authorizations/roles/role.service';

@Global()
@Module({
Expand Down
18 changes: 18 additions & 0 deletions backend/src/auth/authorizations/permission-operation.enum.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
export enum PermissionOperation {
// Collectivités
COLLECTIVITES_VISITE = 'collectivites.visite',
COLLECTIVITES_LECTURE = 'collectivites.lecture',
// Référentiels
REFERENTIELS_LECTURE = 'referentiels.lecture',
REFERENTIELS_EDITION = 'referentiels.edition',
// Fiches actions
PLANS_FICHES_EDITION = 'plans.fiches.edition',
PLANS_FICHES_LECTURE = 'plans.fiches.lecture',
PLANS_FICHES_VISITE = 'plans.fiches.visite',
// Indicateurs
INDICATEURS_LECTURE = 'indicateurs.lecture',
INDICATEURS_VISITE = 'indicateurs.visite',
INDICATEURS_EDITION = 'indicateurs.edition',
INDICATEURS_TRAJECTOIRES_LECTURE = 'indicateurs.trajectoires.lecture',
INDICATEURS_TRAJECTOIRES_EDITION = 'indicateurs.trajectoires.edition',
}
73 changes: 73 additions & 0 deletions backend/src/auth/authorizations/permission.models.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
import { Role } from '@/backend/auth/authorizations/roles/role.enum';
import { PermissionOperation } from '@/backend/auth/authorizations/permission-operation.enum';

export const Permission: Record<Role, PermissionOperation[]> = {
[Role.CONNECTE]: [],
[Role.VERIFIE]: [PermissionOperation.COLLECTIVITES_VISITE, PermissionOperation.PLANS_FICHES_VISITE, PermissionOperation.INDICATEURS_VISITE],
[Role.SUPPORT]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.COLLECTIVITES_LECTURE,
PermissionOperation.REFERENTIELS_LECTURE,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.PLANS_FICHES_LECTURE,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
],
[Role.ADEME]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
],
[Role.LECTURE]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.COLLECTIVITES_LECTURE,
PermissionOperation.REFERENTIELS_LECTURE,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.PLANS_FICHES_LECTURE,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
],
[Role.EDITION]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.COLLECTIVITES_LECTURE,
PermissionOperation.REFERENTIELS_LECTURE,
PermissionOperation.REFERENTIELS_EDITION,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.PLANS_FICHES_LECTURE,
PermissionOperation.PLANS_FICHES_EDITION,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_LECTURE,
PermissionOperation.INDICATEURS_EDITION,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_EDITION,
],
[Role.ADMIN]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.COLLECTIVITES_LECTURE,
PermissionOperation.REFERENTIELS_LECTURE,
PermissionOperation.REFERENTIELS_EDITION,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.PLANS_FICHES_LECTURE,
PermissionOperation.PLANS_FICHES_EDITION,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_LECTURE,
PermissionOperation.INDICATEURS_EDITION,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_EDITION,
],
[Role.AUDITEUR]: [
PermissionOperation.COLLECTIVITES_VISITE,
PermissionOperation.COLLECTIVITES_LECTURE,
PermissionOperation.REFERENTIELS_LECTURE,
PermissionOperation.REFERENTIELS_EDITION,
PermissionOperation.PLANS_FICHES_VISITE,
PermissionOperation.PLANS_FICHES_LECTURE,
PermissionOperation.INDICATEURS_VISITE,
PermissionOperation.INDICATEURS_LECTURE,
PermissionOperation.INDICATEURS_EDITION,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
],
};
62 changes: 31 additions & 31 deletions ...des-droits/permission.service.e2e-spec.ts → ...orizations/permission.service.e2e-spec.ts
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
import { getAuthUser, getTestApp, getTestDatabase, YOULOU_DOUDOU } from '@/backend/test';
import { INestApplication } from '@nestjs/common';
import { PermissionService } from '@/backend/auth/gestion-des-droits/permission.service';
import { PermissionService } from '@/backend/auth/authorizations/permission.service';
import { AuthenticatedUser } from '@/backend/auth/models/auth.models';
import { Authorization } from '@/backend/auth/gestion-des-droits/authorization.enum';
import { ResourceType } from '@/backend/auth/gestion-des-droits/resource-type.enum';
import { PermissionOperation } from '@/backend/auth/authorizations/permission-operation.enum';
import { ResourceType } from '@/backend/auth/authorizations/resource-type.enum';
import DatabaseService from '../../common/services/database.service';
import { eq } from 'drizzle-orm';
import { utilisateurSupportTable } from '@/backend/auth/gestion-des-droits/roles/utilisateur-support.table';
import { utilisateurVerifieTable } from '@/backend/auth/gestion-des-droits/roles/utilisateur-verifie.table';
import { utilisateurSupportTable } from '@/backend/auth/authorizations/roles/utilisateur-support.table';
import { utilisateurVerifieTable } from '@/backend/auth/authorizations/roles/utilisateur-verifie.table';
import { dcpTable } from '@/backend/auth';
import { collectiviteTable } from '@/backend/collectivites/models/collectivite.table';

Expand All @@ -29,9 +29,9 @@ describe('Gestion des droits', () => {
describe('Droit en visite sur une collectivité -> NOK', async () => {
test('Utilisateur vérifié -> OK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_VISITE,
PermissionOperation.COLLECTIVITES_VISITE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -44,9 +44,9 @@ describe('Gestion des droits', () => {
.set({ verifie: false })
.where(eq(utilisateurVerifieTable.userId, yoloDodoUser.id));
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_VISITE,
PermissionOperation.COLLECTIVITES_VISITE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -70,9 +70,9 @@ describe('Gestion des droits', () => {
.set({ accessRestreint: true })
.where(eq(collectiviteTable.id, 20));
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_VISITE,
PermissionOperation.COLLECTIVITES_VISITE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -94,9 +94,9 @@ describe('Gestion des droits', () => {
describe('Droit en lecture sur une collectivité -> NOK', async () => {
test('Utilisateur vérifié sur sa collectivité -> OK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_LECTURE,
PermissionOperation.COLLECTIVITES_LECTURE,
ResourceType.COLLECTIVITE,
1,
true
Expand All @@ -110,9 +110,9 @@ describe('Gestion des droits', () => {
.set({ verifie: false })
.where(eq(utilisateurVerifieTable.userId, yoloDodoUser.id));
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_LECTURE,
PermissionOperation.COLLECTIVITES_LECTURE,
ResourceType.COLLECTIVITE,
1,
true
Expand All @@ -133,9 +133,9 @@ describe('Gestion des droits', () => {

test('Utilisateur vérifié sur une autre collectivité -> NOK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_LECTURE,
PermissionOperation.COLLECTIVITES_LECTURE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -148,9 +148,9 @@ describe('Gestion des droits', () => {
.set({ support: true })
.where(eq(utilisateurSupportTable.userId, yoloDodoUser.id));
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.COLLECTIVITES_CONTENT_LECTURE,
PermissionOperation.COLLECTIVITES_LECTURE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -170,9 +170,9 @@ describe('Gestion des droits', () => {
});
test('Auditeur sur sa collectivité audité -> OK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
youlouDoudouUser,
Authorization.COLLECTIVITES_CONTENT_LECTURE,
PermissionOperation.COLLECTIVITES_LECTURE,
ResourceType.COLLECTIVITE,
10,
true
Expand All @@ -184,9 +184,9 @@ describe('Gestion des droits', () => {
describe('Droit en edition sur une collectivité -> NOK', async () => {
test('Sur sa collectivité -> OK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.FICHES_EDITION,
PermissionOperation.PLANS_FICHES_EDITION,
ResourceType.COLLECTIVITE,
1,
true
Expand All @@ -195,9 +195,9 @@ describe('Gestion des droits', () => {
});
test('Sur une autre collectivité -> NOK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.FICHES_EDITION,
PermissionOperation.PLANS_FICHES_EDITION,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -209,9 +209,9 @@ describe('Gestion des droits', () => {
describe("Droit en lecture sur la trajectoire d'une collectivité -> NOK", async () => {
test('Sur sa collectivité -> OK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.INDICATEURS_TRAJECTOIRE_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
ResourceType.COLLECTIVITE,
1,
true
Expand All @@ -221,9 +221,9 @@ describe('Gestion des droits', () => {

test('Sur une autre collectivité -> NOK', async () => {
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.INDICATEURS_TRAJECTOIRE_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
ResourceType.COLLECTIVITE,
20,
true
Expand All @@ -237,9 +237,9 @@ describe('Gestion des droits', () => {
.set({ email: '[email protected]' })
.where(eq(dcpTable.userId, yoloDodoUser.id));
expect(
await permissionService.hasTheRightTo(
await permissionService.isAllowed(
yoloDodoUser,
Authorization.INDICATEURS_TRAJECTOIRE_LECTURE,
PermissionOperation.INDICATEURS_TRAJECTOIRES_LECTURE,
ResourceType.COLLECTIVITE,
20,
true
Expand Down
34 changes: 17 additions & 17 deletions .../gestion-des-droits/permission.service.ts → ...auth/authorizations/permission.service.ts
View file
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
import { Injectable, Logger, UnauthorizedException } from '@nestjs/common';
import { AuthRole, AuthUser } from '../models/auth.models';
import { RoleService } from './roles/role.service';
import { Authorization } from '@/backend/auth/gestion-des-droits/authorization.enum';
import { ResourceType } from '@/backend/auth/gestion-des-droits/resource-type.enum';
import { Permission } from '@/backend/auth/gestion-des-droits/permission.models';
import { Role } from '@/backend/auth/gestion-des-droits/roles/role.enum';
import { PermissionOperation } from '@/backend/auth/authorizations/permission-operation.enum';
import { ResourceType } from '@/backend/auth/authorizations/resource-type.enum';
import { Permission } from '@/backend/auth/authorizations/permission.models';
import { Role } from '@/backend/auth/authorizations/roles/role.enum';

@Injectable()
export class PermissionService {
Expand All @@ -15,28 +15,28 @@ export class PermissionService {
/**
* Vérifie l'autorisation de l'utilisateur sur une ressource
* @param user
* @param authorization
* @param operation
* @param resourceType type de la ressource
* @param resourceId identifiant de la ressource, null si resourceType = PLATEFORME
* @param doNotThrow vrai pour ne pas générer une erreur si l'utilisateur n'a pas l'autorisation
*/
async hasTheRightTo(
async isAllowed(
user: AuthUser,
authorization: Authorization,
operation: PermissionOperation,
resourceType: ResourceType,
resourceId: number | null,
doNotThrow?: boolean
): Promise<boolean> {
this.logger.log(
`Vérification que l'utilisateur ${user.id} possède l'autorisation ${authorization} sur la ressource ${resourceType} ${resourceId}`
`Vérification que l'utilisateur ${user.id} possède l'autorisation ${operation} sur la ressource ${resourceType} ${resourceId}`
);
if (user.role === AuthRole.SERVICE_ROLE) {
// Le service rôle à tous les droits
return true;
}

// Récupère les rôles de l'utilisateur pour la ressource donnée
const roles = await this.roleService.getUserRolesForAResource(
const roles = await this.roleService.getUserRoles(
user,
resourceType,
resourceId
Expand All @@ -53,33 +53,33 @@ export class PermissionService {
}

// Récupère les autorisations des rôles de l'utilisateur
const authorizations: Set<Authorization> = new Set();
const operations: Set<PermissionOperation> = new Set();
for (const role of roles) {
Permission[role as Role].forEach((permission) =>
authorizations.add(permission)
operations.add(permission)
);
}

this.logger.log(
`L'utilisateur ${user.id} possède les autorisations ${JSON.stringify([
...authorizations,
...operations,
])} sur la ressource ${resourceType} ${resourceId}`
);

// Vérifie si l'autorisation demandée est dans la liste des autorisations de l'utilisateur
const hasTheRight = authorizations.has(authorization);
// Vérifie si l'opération demandée est dans la liste des autorisations de l'utilisateur
const hasTheRight = operations.has(operation);
if (!hasTheRight) {
this.logger.log(
`L'utilisateur ${user.id} ne possède pas l'autorisation ${authorization} sur la ressource ${resourceType} ${resourceId}`
`L'utilisateur ${user.id} ne possède pas l'autorisation ${operation} sur la ressource ${resourceType} ${resourceId}`
);
if(!doNotThrow){
throw new UnauthorizedException(
`Droits insuffisants, l'utilisateur ${user.id} n'a pas l'autorisation ${authorization} sur la ressource ${resourceType} ${resourceId}`
`Droits insuffisants, l'utilisateur ${user.id} n'a pas l'autorisation ${operation} sur la ressource ${resourceType} ${resourceId}`
);
}
}else{
this.logger.log(
`L'utilisateur ${user.id} possède l'autorisation ${authorization} sur la ressource ${resourceType} ${resourceId}`
`L'utilisateur ${user.id} possède l'autorisation ${operation} sur la ressource ${resourceType} ${resourceId}`
);
}

Expand Down
0 .../gestion-des-droits/resource-type.enum.ts → ...auth/authorizations/resource-type.enum.ts
View file
File renamed without changes.
0 ...ion-des-droits/roles/niveau-acces.enum.ts → ...authorizations/roles/niveau-acces.enum.ts
View file
File renamed without changes.
0 .../roles/private-utilisateur-droit.table.ts → .../roles/private-utilisateur-droit.table.ts
View file
File renamed without changes.
0 ...uth/gestion-des-droits/roles/role.enum.ts → ...rc/auth/authorizations/roles/role.enum.ts
View file
File renamed without changes.
6 changes: 3 additions & 3 deletions .../gestion-des-droits/roles/role.service.ts → ...auth/authorizations/roles/role.service.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@ import {
import { NiveauAcces } from './niveau-acces.enum';
import { utilisateurSupportTable } from './utilisateur-support.table';
import { utilisateurVerifieTable } from './utilisateur-verifie.table';
import { ResourceType } from '@/backend/auth/gestion-des-droits/resource-type.enum';
import { Role } from '@/backend/auth/gestion-des-droits/roles/role.enum';
import { ResourceType } from '@/backend/auth/authorizations/resource-type.enum';
import { Role } from '@/backend/auth/authorizations/roles/role.enum';
import { dcpTable } from '@/backend/auth';


Expand All @@ -20,7 +20,7 @@ export class RoleService {

constructor(private readonly databaseService: DatabaseService) {}

async getUserRolesForAResource(
async getUserRoles(
user: AuthUser,
resourceType: ResourceType,
resourceId: number | null
Expand Down
0 ...droits/roles/utilisateur-support.table.ts → ...ations/roles/utilisateur-support.table.ts
View file
File renamed without changes.
0 ...droits/roles/utilisateur-verifie.table.ts → ...ations/roles/utilisateur-verifie.table.ts
View file
File renamed without changes.
Loading

0 comments on commit 72fef25

Please sign in to comment.