fix(graphql): annotationDescriptors should not be exposed as opendata

2022-11-25 13:33:10 +01:00 · 2022-11-25 13:33:10 +01:00 · c04e39a74d
commit c04e39a74d
parent cdb3ce65cb
3 changed files with 11 additions and 3 deletions
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@ -22,11 +22,15 @@ class API::V2::Context < GraphQL::Query::Context
    Administrateur.find(self[:administrateur_id])
  end

-  def authorized_demarche?(demarche)
+  def authorized_demarche?(demarche, opendata: false)
    if internal_use?
      return true
    end

+    if opendata && demarche.opendata?
+      return true
+    end
+
    # We are caching authorization logic because it is called for each node
    # of the requested graph and can be expensive. Context is reset per request so it is safe.
    self[:authorized] ||= Hash.new do |hash, demarche_id|
--- a/app/graphql/types/demarche_descriptor_type.rb
+++ b/app/graphql/types/demarche_descriptor_type.rb
@ -138,7 +138,7 @@ Cela évite l’accès récursif aux dossiers."

    def self.authorized?(object, context)
      procedure = object.is_a?(ProcedureRevision) ? object.procedure : object
-      procedure.opendata? || context.authorized_demarche?(procedure)
+      context.authorized_demarche?(procedure, opendata: true)
    end
  end
 end
--- a/app/graphql/types/revision_type.rb
+++ b/app/graphql/types/revision_type.rb
@ -12,7 +12,11 @@ module Types
    end

    def annotation_descriptors
-      Loaders::Association.for(object.class, revision_types_de_champ_private: :type_de_champ).load(object)
+      if context.authorized_demarche?(object.procedure, opendata: true)
+        Loaders::Association.for(object.class, revision_types_de_champ_private: :type_de_champ).load(object)
+      else
+        []
+      end
    end
  end
 end