fix: add security around application list

housingbayarea · Mar 4, 2024 · 716e9ba · 716e9ba
1 parent e2962a1
commit 716e9ba
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/api/src/controllers/application.controller.ts b/api/src/controllers/application.controller.ts
@@ -73,8 +73,11 @@ export class ApplicationController {
     operationId: 'list',
   })
   @ApiOkResponse({ type: PaginatedApplicationDto })
-  async list(@Query() queryParams: ApplicationQueryParams) {
-    return await this.applicationService.list(queryParams);
+  async list(
+    @Request() req: ExpressRequest,
+    @Query() queryParams: ApplicationQueryParams,
+  ) {
+    return await this.applicationService.list(queryParams, req);
   }
 
   @Get(`mostRecentlyCreated`)

diff --git a/api/src/services/application.service.ts b/api/src/services/application.service.ts
@@ -2,8 +2,10 @@ import {
   BadRequestException,
   Injectable,
   NotFoundException,
+  ForbiddenException,
 } from '@nestjs/common';
 import crypto from 'crypto';
+import { Request as ExpressRequest } from 'express';
 import { Prisma, YesNoEnum } from '@prisma/client';
 import { PrismaService } from './prisma.service';
 import { Application } from '../dtos/applications/application.dto';
@@ -84,7 +86,14 @@ export class ApplicationService {
     this set can either be paginated or not depending on the params
     it will return both the set of applications, and some meta information to help with pagination
   */
-  async list(params: ApplicationQueryParams): Promise<PaginatedApplicationDto> {
+  async list(
+    params: ApplicationQueryParams,
+    req: ExpressRequest,
+  ): Promise<PaginatedApplicationDto> {
+    const user = mapTo(User, req['user']);
+    if (!user) {
+      throw new ForbiddenException();
+    }
     const whereClause = this.buildWhereClause(params);
 
     const count = await this.prisma.applications.count({

diff --git a/api/test/integration/permission-tests/permission-as-no-user.e2e-spec.ts b/api/test/integration/permission-tests/permission-as-no-user.e2e-spec.ts
@@ -185,11 +185,11 @@ describe('Testing Permissioning of endpoints as logged out user', () => {
       });
     });
 
-    it('should succeed for list endpoint', async () => {
+    it('should be forbidden for list endpoint', async () => {
       await request(app.getHttpServer())
         .get(`/applications?`)
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(403);
     });
 
     it('should succeed for retrieve endpoint', async () => {