From d08801862b6d366ec0930334afc19fbd8e98775e Mon Sep 17 00:00:00 2001
From: Claudemir Todo Bom
Date: Thu, 14 Nov 2024 11:18:02 -0300
Subject: [PATCH] add endpoint to safely get company individual settings for non-admin
---
 backend/src/controllers/SettingController.ts | 12 ++++++
 backend/src/routes/settingRoutes.ts | 6 +++
 .../GetCompanySettingService.ts | 39 +++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 backend/src/services/SettingServices/GetCompanySettingService.ts
diff --git a/backend/src/controllers/SettingController.ts b/backend/src/controllers/SettingController.ts
index 8f8c6ede..b1935540 100644
--- a/backend/src/controllers/SettingController.ts
+++ b/backend/src/controllers/SettingController.ts
@@ -6,6 +6,7 @@ import AppError from "../errors/AppError";
 import UpdateSettingService from "../services/SettingServices/UpdateSettingService";
 import ListSettingsService from "../services/SettingServices/ListSettingsService";
 import GetPublicSettingService from "../services/SettingServices/GetPublicSettingService";
+import { GetCompanySettingService } from "../services/SettingServices/GetCompanySettingService";
 
 type LogoRequest = {
 mode: string;
@@ -59,6 +60,17 @@ export const publicShow = async (
 return res.status(200).json(settingValue);
 };
 
+export const companyShow = async (
+ req: Request,
+ res: Response
+): Promise => {
+ const { settingKey: key } = req.params;
+ const settingValue = await GetCompanySettingService({ key, user: req.user });
+ return res.status(200).json(settingValue);
+};
+
 export const storeLogo = async (
 req: Request,
 res: Response
diff --git a/backend/src/routes/settingRoutes.ts b/backend/src/routes/settingRoutes.ts
index 97660def..74705142 100644
--- a/backend/src/routes/settingRoutes.ts
+++ b/backend/src/routes/settingRoutes.ts
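Review bot: companyShow passes `req.user` straight into the service with no comment explaining why the controller itself performs no profile check, so a reader of SettingController cannot see that the non-admin restriction lives in GetCompanySettingService's allow-list. A TSDoc line above the export, `/** Returns one setting of the caller's company; non-admin callers are limited to the allow-list in GetCompanySettingService. Expects isAuth to have populated req.user. */`, would make that contract visible next to the handler. Because the service dereferences `user.profile` and `user.companyId` unconditionally, a request that reaches this handler without `req.user` set would surface as a TypeError (a 500) rather than an authentication error; if the project does not guarantee `req.user` for every route that uses this controller, a guard before the service call is worth adding. The hunk also loses the blank lines that separate the three statements in the body, matching publicShow above would keep the two handlers visually parallel.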
@@ -19,6 +19,12 @@ settingRoutes.get(
 SettingController.publicShow
 );
 
+settingRoutes.get(
+ "/company-settings/:settingKey",
+ isAuth,
+ SettingController.companyShow
+);
+
 // change setting key to key in future
 settingRoutes.put(
 "/settings/:settingKey",
diff --git a/backend/src/services/SettingServices/GetCompanySettingService.ts b/backend/src/services/SettingServices/GetCompanySettingService.ts
new file mode 100644
index 00000000..cadaeadc
--- /dev/null
+++ b/backend/src/services/SettingServices/GetCompanySettingService.ts
@@ -0,0 +1,39 @@
+import AppError from "../../errors/AppError";
+import Setting from "../../models/Setting";
+
+interface Request {
+ key: string;
+ user: {
+ profile: string;
+ companyId: number;
+ };
+}
+
+// keys that can be accessed by non-admin users
+// with respective default values
+const safeSettingsKeys = {
+ groupsTab: "disabled",
+ CheckMsgIsGroup: "disabled"
+};
+
+export const GetCompanySettingService = async ({
+ key,
+ user
+}: Request): Promise => {
+ if (user.profile !== "admin" && !(key in safeSettingsKeys)) {
+ throw new AppError("ERR_NO_PERMISSION", 403);
+ }
+
+ const setting = await Setting.findOne({
+ where: {
+ companyId: user.companyId,
+ key
+ }
+ });
+
+ if (!setting && key in safeSettingsKeys) {
+ return safeSettingsKeys[key];
+ }
+
+ return setting?.value || "";
+};
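Review bot: The new `/company-settings/:settingKey` route carries only `isAuth`, and nothing at the route level says that the non-admin restriction is enforced inside GetCompanySettingService's allow-list rather than here. A one-line comment above the `settingRoutes.get(` call, `// any authenticated user; non-admin profiles are limited to the allow-list in GetCompanySettingService`, would stop the next maintainer from reading the path as admin-only or from adding a second, diverging profile check in the router. The existing `// change setting key to key in future` note just below presumably applies to the copied `:settingKey` parameter as well, so the new route would need the same rename when that happens.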
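Review bot: The allow-list gate `key in safeSettingsKeys` on the permission check, and the same test in the fallback branch, also matches properties inherited from `Object.prototype`, so a non-admin request for a key such as `constructor` or `toString` passes the gate, runs the `Setting.findOne` lookup for a key the list was never meant to permit, and on a miss returns the inherited prototype member instead of a setting value. Replace both tests with an own-property predicate, `const isSafeSettingKey = (k: string): k is keyof typeof safeSettingsKeys => Object.prototype.hasOwnProperty.call(safeSettingsKeys, k);`, and use `isSafeSettingKey(key)` in the two conditions; `Object.hasOwn` is equivalent if the project targets ES2022 or later. The predicate also narrows `key`, so the bare string index on the `return safeSettingsKeys[key];` line type-checks under `noImplicitAny`, which it presumably does not today unless the project relaxes strictness. The `// keys that can be accessed by non-admin users` comment would then be worth extending with `// membership is checked as an own property so inherited Object members are never treated as settings`.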