From c04e39a74d57db9f4f85639c268a9e6659cd0c66 Mon Sep 17 00:00:00 2001
From: Paul Chavard
Date: Fri, 25 Nov 2022 13:33:10 +0100
Subject: [PATCH] fix(graphql): annotationDescriptors should not be exposed as opendata

---
 app/graphql/api/v2/context.rb | 6 +++++-
 app/graphql/types/demarche_descriptor_type.rb | 2 +-
 app/graphql/types/revision_type.rb | 6 +++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/graphql/api/v2/context.rb b/app/graphql/api/v2/context.rb
index b8ebb2c30..b555453ab 100644
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@@ -22,11 +22,15 @@ class API::V2::Context < GraphQL::Query::Context
     Administrateur.find(self[:administrateur_id])
   end
 
-  def authorized_demarche?(demarche)
+  def authorized_demarche?(demarche, opendata: false)
     if internal_use?
       return true
     end
 
+    if opendata && demarche.opendata?
+      return true
+    end
+
     # We are caching authorization logic because it is called for each node
     # of the requested graph and can be expensive. Context is reset per request so it is safe.
     self[:authorized] ||= Hash.new do |hash, demarche_id|
diff --git a/app/graphql/types/demarche_descriptor_type.rb b/app/graphql/types/demarche_descriptor_type.rb
index 8c8776406..847ce7e6a 100644
--- a/app/graphql/types/demarche_descriptor_type.rb
+++ b/app/graphql/types/demarche_descriptor_type.rb
@@ -138,7 +138,7 @@ Cela évite l’accès récursif aux dossiers."
 
     def self.authorized?(object, context)
       procedure = object.is_a?(ProcedureRevision) ? object.procedure : object
-      procedure.opendata? || context.authorized_demarche?(procedure)
+      context.authorized_demarche?(procedure, opendata: true)
     end
   end
 end
diff --git a/app/graphql/types/revision_type.rb b/app/graphql/types/revision_type.rb
index 01189351c..8998c383b 100644
--- a/app/graphql/types/revision_type.rb
+++ b/app/graphql/types/revision_type.rb
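Review bot: The new `opendata` branch in authorized_demarche? returns true before the cached administrateur lookup runs, so any call site that passes `opendata: true` grants access to every demarche whose opendata? is set, whoever the caller is, and nothing in the signature says so. A comment above the branch would make that contract explicit for future call sites, e.g. `# opendata: true skips the administrateur check for demarches flagged opendata; pass it only for fields that are meant to be public.` The rest of authorized_demarche?, including the cached lookup, continues outside the hunk.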
@@ -12,7 +12,11 @@ module Types
     end
 
     def annotation_descriptors
-      Loaders::Association.for(object.class, revision_types_de_champ_private: :type_de_champ).load(object)
+      if context.authorized_demarche?(object.procedure, opendata: true)
+        Loaders::Association.for(object.class, revision_types_de_champ_private: :type_de_champ).load(object)
+      else
+        []
+      end
     end
   end
 end
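Review bot: The guard added to annotation_descriptors passes `opendata: true`, and with this commit's change to API::V2::Context#authorized_demarche? that returns true for any demarche whose opendata? is set without consulting the administrateur, so the private (`revision_types_de_champ_private`) descriptors of an opendata demarche are still returned — the opposite of what the subject line says. Dropping the keyword, `if context.authorized_demarche?(object.procedure)`, keeps the internal_use?/administrateur check for this field while leaving DemarcheDescriptorType's public fields on the opendata path. If exposing annotation descriptors on opendata demarches is actually intended, the commit message should say so; as written, the branch appears to differ from the old behaviour only for demarches the caller presumably could not reach anyway. The enclosing `module Types` opens outside the hunk, but the method itself is complete here.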