From 16cca07e127b72545bbca8fd50ef4335b37bd800 Mon Sep 17 00:00:00 2001
From: Julie Lenaerts
Date: Fri, 25 Feb 2022 13:11:30 +0100
Subject: [PATCH] throw 403 error instead of 422 and display toast message

---
 .../Resources/public/lib/api/apiMethods.js | 12 ++++--------
 .../AccompanyingCourseApiController.php | 6 +-----
 .../components/Banner/ToggleFlags.vue | 15 +++++----------
 .../public/vuejs/AccompanyingCourse/js/i18n.js | 3 ++-
 .../Authorization/AccompanyingPeriodVoter.php | 8 +++++---
 .../AccompanyingPeriodValidity.php | 3 ---
 .../AccompanyingPeriodValidityValidator.php | 14 --------------
 7 files changed, 17 insertions(+), 44 deletions(-)

diff --git a/src/Bundle/ChillMainBundle/Resources/public/lib/api/apiMethods.js b/src/Bundle/ChillMainBundle/Resources/public/lib/api/apiMethods.js
index 787befe0b..67f3e2f42 100644
--- a/src/Bundle/ChillMainBundle/Resources/public/lib/api/apiMethods.js
+++ b/src/Bundle/ChillMainBundle/Resources/public/lib/api/apiMethods.js
@@ -11,16 +11,19 @@ const makeFetch = (method, url, body) => {
 })
 .then(response => {
 if (response.ok) {
+ console.log('200 error')
 return response.json();
 }
 if (response.status === 422) {
+ console.log('422 error')
 return response.json().then(response => {
 throw ValidationException(response)
 });
 }
 if (response.status === 403) {
+ console.log('403 error')
 throw AccessException(response);
 }
@@ -92,15 +95,8 @@ const ValidationException = (response) => {
 const AccessException = (response) => {
 const error = {};
 error.name = 'AccessException';
+ error.violations = ['You are not allowed to perform this action'];
- switch (response.url) {
- case 'http://localhost:8001/api/1.0/person/accompanying-course/5183/intensity.json':
- error.violations = ['Only the referrer is allowed to change the intensity of a parcours'];
- break;
- default:
- error.violations = ['You are not allowed to perform this action'];
- break;
- }
 return error;
 }
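Review bot: The three `console.log('… error')` calls added inside the `.then` handler read as leftover debugging output; the first fires on the success path (`response.ok`) yet is labelled '200 error', so it is misleading as well as noisy in every user's browser console. Drop the three lines before merging, or gate them behind an explicit debug flag if the trace is wanted. The `makeFetch` body begins and ends outside this hunk.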
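Review bot: With the switch gone, `AccessException`'s `response` parameter is never read, so every 403 yields the same generic message and callers can only tell denials apart by call site. Removing the hard-coded `http://localhost:8001/...` URL match is the right move, but rather than leaving the parameter dead, record what the caller may legitimately need, e.g. `error.status = response.status;`, or drop the parameter here and at the `throw AccessException(response)` call in the first hunk. Either way the function no longer depends on the request URL, which is what the old code got wrong.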
diff --git a/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php b/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
index eafb330d5..6bbdb64e2 100644
--- a/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
+++ b/src/Bundle/ChillPersonBundle/Controller/AccompanyingCourseApiController.php
@@ -332,11 +332,6 @@ final class AccompanyingCourseApiController extends ApiController
 $accompanyingCourse->setConfidential(!$accompanyingCourse->isConfidential());
- $errors = $this->validator->validate($accompanyingCourse);
-
- if ($errors->count() > 0) {
- return $this->json($errors, 422);
- }
 $this->getDoctrine()->getManager()->flush();
 }
@@ -349,6 +344,7 @@ final class AccompanyingCourseApiController extends ApiController
 */
 public function toggleIntensityApi(AccompanyingPeriod $accompanyingCourse, Request $request)
 {
+
 if ($request->getMethod() === 'POST') {
 $this->denyAccessUnlessGranted(AccompanyingPeriodVoter::TOGGLE_INTENSITY, $accompanyingCourse);
diff --git a/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/components/Banner/ToggleFlags.vue b/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/components/Banner/ToggleFlags.vue
index d76762372..a24277fa0 100644
--- a/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/components/Banner/ToggleFlags.vue
+++ b/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/components/Banner/ToggleFlags.vue
@@ -58,7 +58,7 @@ export default {
 this.$store.dispatch('toggleIntensity', value)
 .catch(({name, violations}) => {
 if (name === 'ValidationException' || name === 'AccessException') {
- violations.forEach((violation) => this.$toast.open({message: this.$t(violation)}));
+ this.$toast.open({message: this.$t('Only the referrer can toggle the intensity of an accompanying course')})
 } else {
 this.$toast.open({message: 'An error occurred'})
 }
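Review bot: After this removal the flip at `setConfidential(!$accompanyingCourse->isConfidential())` is protected only by whatever authorization check precedes it, and that check is outside the hunk; the deleted 422 branch was the only enforcement of "referrer only" visible here, so please confirm that a `$this->denyAccessUnlessGranted(AccompanyingPeriodVoter::TOGGLE_CONFIDENTIAL, $accompanyingCourse);` runs before the flip, as the intensity endpoint does, otherwise the change opens the toggle to any caller who can reach the route. The patch also deletes the `messageReferrerIsNull` rule ("a confidential parcours must have a referrer") from the validator, so that invariant is no longer checked on any other write path that changes the referrer or the flag; if it is still wanted it needs a home other than this endpoint's voter. The method this hunk belongs to starts outside the hunk.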
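Review bot: The new catch handler shows the fixed referrer message for every `ValidationException` as well as every `AccessException`, so if the endpoint can still answer 422 a genuine validation failure will be reported to the user as a permissions problem, and the destructured `violations` is now unused. Reserve the fixed text for the 403 by changing the condition to `if (name === 'AccessException') {` and keep the previous `violations.forEach(...)` toast in a separate `else if (name === 'ValidationException')` branch. The same applies to the `toggleConfidential` hunk later in this file. The enclosing method starts before this hunk and ends after it.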
@@ -75,16 +75,11 @@ export default {
 });
 },
 toggleConfidential() {
- this.$store.dispatch('fetchPermissions').then(() => {
- if (!this.$store.getters.canTogglePermission) {
- this.$toast.open({message: "Seul le référent peut modifier la confidentialité"});
- return Promise.resolve();
- } else {
- return this.$store.dispatch('toggleConfidential', (!this.isConfidential));
- }
- }).catch(({name, violations}) => {
+ this.$store.dispatch('toggleConfidential')
+ .catch(({name, violations}) => {
+ console.log(name);
 if (name === 'ValidationException' || name === 'AccessException') {
- violations.forEach((violation) => this.$toast.open({message: violation}));
+ this.$toast.open({message: this.$t('Only the referrer can toggle the confidentiality of an accompanying course')})
 } else {
 this.$toast.open({message: 'An error occurred'})
 }
diff --git a/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/js/i18n.js b/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/js/i18n.js
index e9d0c7fc8..5f0321c70 100644
--- a/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/js/i18n.js
+++ b/src/Bundle/ChillPersonBundle/Resources/public/vuejs/AccompanyingCourse/js/i18n.js
@@ -167,7 +167,8 @@ const appMessages = {
 'Error while retriving users.': "Erreur du serveur lors du chargement de la liste des travailleurs.",
 'Error while getting whoami.': "Erreur du serveur lors de la requête 'qui suis-je ?'",
 'Error while retriving origin\'s list.': "Erreur du serveur lors du chargement de la liste des origines de la demande.",
- 'Only the referrer is allowed to change the intensity of a parcours': "Seul le référent peut modifier l'intensité d'un parcours."
+ 'Only the referrer can toggle the intensity of an accompanying course': "Seul le référent peut modifier l'intensité d'un parcours.",
+ 'Only the referrer can toggle the confidentiality of an accompanying course': "Seul le référent peut modifier la confidentialité d'un parcours."
 }
 };
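Review bot: `console.log(name);` in the new catch handler is debugging output and should be removed before merging. The replacement dispatch also drops the `(!this.isConfidential)` argument the old call passed; if the `toggleConfidential` store action still reads its payload it will now receive undefined, so check the action, which is outside this hunk. Replacing the `fetchPermissions` pre-check with reliance on the server's 403 is sound only if the endpoint actually consults the voter, which this diff does not show. The `toggleConfidential` method continues past the end of the hunk.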
diff --git a/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php b/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
index c04062cc4..08a116225 100644
--- a/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
+++ b/src/Bundle/ChillPersonBundle/Security/Authorization/AccompanyingPeriodVoter.php
@@ -131,15 +131,17 @@ class AccompanyingPeriodVoter extends AbstractChillVoter implements ProvideRoleH
 }
 if (self::TOGGLE_CONFIDENTIAL === $attribute) {
- if ($subject->getUser() === $token->getUser()) {
+ if (null != $subject->getUser() && ($subject->getUser() === $token->getUser())) {
 return true;
 }
- return $this->voterHelper->voteOnAttribute(self::TOGGLE_CONFIDENTIAL_ALL, $subject, $token);
+ return false;
+
+ // return $this->voterHelper->voteOnAttribute(self::TOGGLE_CONFIDENTIAL_ALL, $subject, $token);
 }
 if (self::TOGGLE_INTENSITY === $attribute) {
- if ($subject->getUser() === $token->getUser()) {
+ if (null != $subject->getUser() && ($subject->getUser() === $token->getUser())) {
 return true;
 }
diff --git a/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidity.php b/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidity.php
index ee0df2b99..a6eb92935 100644
--- a/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidity.php
+++ b/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidity.php
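Review bot: `return false;` followed by the commented-out `voterHelper->voteOnAttribute(self::TOGGLE_CONFIDENTIAL_ALL, …)` line leaves dead code in the TOGGLE_CONFIDENTIAL branch and silently makes the TOGGLE_CONFIDENTIAL_ALL role unreachable from this voter; either delete the comment together with the now-unused constant and any role configuration that grants it, or keep the delegation if holders of that role are still meant to toggle confidentiality. Whichever is intended deserves a comment in place of the dead line, e.g. `// Only the referrer may toggle confidentiality; TOGGLE_CONFIDENTIAL_ALL is deliberately not honoured here.` The new guards use the loose `null != $subject->getUser()`; `null !== $subject->getUser()` matches the strict comparisons already used in this method. The TOGGLE_INTENSITY branch continues past the end of the hunk.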
@@ -18,9 +18,6 @@ use Symfony\Component\Validator\Constraint;
 */
 class AccompanyingPeriodValidity extends Constraint
 {
- public $messageReferrerIsCurrentUser = 'Only the referrer can change the confidentiality of a parcours';
-
- public $messageReferrerIsNull = 'A confidential parcours must have a referrer';
 public $messageSocialIssueCannotBeDeleted = 'The social %name% issue cannot be deleted because it is associated with an activity or an action';
diff --git a/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidityValidator.php b/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidityValidator.php
index 62e0320e5..940290315 100644
--- a/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidityValidator.php
+++ b/src/Bundle/ChillPersonBundle/Validator/Constraints/AccompanyingPeriod/AccompanyingPeriodValidityValidator.php
@@ -92,19 +92,5 @@ class AccompanyingPeriodValidityValidator extends ConstraintValidator
 ->addViolation();
 }
 }
-
- /** Check if confidentiality can be toggled */
- $user = $period->getUser();
- $currentUser = $this->token->getToken()->getUser();
-
- if ($user && ($user !== $currentUser) && $period->isConfidential() === true) {
- $this->context->buildViolation($constraint->messageReferrerIsCurrentUser)
- ->addViolation();
- }
-
- if (null === $user && $period->isConfidential() === true) {
- $this->context->buildViolation($constraint->messageReferrerIsNull)
- ->addViolation();
- }
 }
 }