From 80229bb92e410dc6586bd886a489900d1a2cd7a6 Mon Sep 17 00:00:00 2001
From: pierre-maraval
Date: Wed, 12 Jun 2024 14:53:56 +0200
Subject: [PATCH] =?UTF-8?q?Fix=20:=20Ajout=20controle=20sur=20les=20droits?=
 =?UTF-8?q?=20=C3=A0=20l'authentification=20et=20envoie=20d'une=20exceptio?=
 =?UTF-8?q?n=20si=20acc=C3=A8s=20interdit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../fr/abes/item/security/CustomAuthenticationManager.java | 2 +-
 .../java/fr/abes/item/web/AuthenticationController.java | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/web/src/main/java/fr/abes/item/security/CustomAuthenticationManager.java b/web/src/main/java/fr/abes/item/security/CustomAuthenticationManager.java
index 7c614a4c..1eaf153c 100644
--- a/web/src/main/java/fr/abes/item/security/CustomAuthenticationManager.java
+++ b/web/src/main/java/fr/abes/item/security/CustomAuthenticationManager.java
@@ -59,7 +59,7 @@ public Authentication authenticate(Authentication authentication)
 u.setMail(this.getEmail(Integer.parseInt(u.getUserNum())));
 List authorities;
- if (u.getRole() != null) {
+ if (u.getRole() != null && (u.getRole().equals("USER") || u.getRole().equals("ADMIN"))) {
 authorities = new ArrayList<>();
 authorities.add(new SimpleGrantedAuthority(u.getRole()));
 } else {
diff --git a/web/src/main/java/fr/abes/item/web/AuthenticationController.java b/web/src/main/java/fr/abes/item/web/AuthenticationController.java
index 11320e90..5747fe42 100644
--- a/web/src/main/java/fr/abes/item/web/AuthenticationController.java
+++ b/web/src/main/java/fr/abes/item/web/AuthenticationController.java
@@ -1,5 +1,6 @@
 package fr.abes.item.web;
 
+import fr.abes.item.core.exception.ForbiddenException;
 import fr.abes.item.security.JwtAuthenticationResponse;
 import fr.abes.item.security.JwtTokenProvider;
 import fr.abes.item.security.LoginRequest;
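Review bot: The new role allowlist in the `if` is built from two inline string literals, so the set of roles permitted to log in is only discoverable by reading this condition and cannot be reused by the controller that later decides on `getAuthorities().isEmpty()`; hoist it into a named constant, `private static final Set<String> ALLOWED_ROLES = Set.of("USER", "ADMIN");`, and write the guard as `if (u.getRole() != null && ALLOWED_ROLES.contains(u.getRole())) {` (the null check stays, since `Set.contains(null)` throws for `Set.of`). A one-line comment above the guard would also help the next reader, e.g. `// Only roles known to Item grant an authority; any other role leaves the authority list empty and login is refused downstream`, as nothing in the hunk says why these two roles are special. The `else` branch and the rest of `authenticate` are outside the hunk, so whether a rejected role actually yields an empty list (which the controller change relies on) cannot be confirmed here; one hunk line also seems to have been lost in this copy of the patch, since the header announces 7 old lines and only 6 are visible.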
@@ -32,10 +33,13 @@ public AuthenticationController(AuthenticationManager authenticationManager, Jwt
 @Operation(summary = "permet de s'authentifier et de récupérer un token.", description = "le token doit être utilisé pour accéder aux ressources protegées.")
 @PostMapping("/signin")
- public ResponseEntity authenticateUser(@RequestBody LoginRequest loginRequest) {
+ public ResponseEntity authenticateUser(@RequestBody LoginRequest loginRequest) throws ForbiddenException {
 Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
 SecurityContextHolder.getContext().setAuthentication(authentication);
 User user = (User)authentication.getPrincipal();
+ if (user.getAuthorities().isEmpty()) {
+ throw new ForbiddenException("Ce login ne dispose pas des droits nécessaires pour accéder à Item");
+ }
 String jwt = tokenProvider.generateToken(user);
 return ResponseEntity.ok(new JwtAuthenticationResponse(jwt, user.getUserNum(), user.getShortName(), user.getIln(), user.getRole(), user.getMail()));
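Review bot: The new authority check runs after `SecurityContextHolder.getContext().setAuthentication(authentication);`, so when `ForbiddenException` is thrown the principal that was just refused is already stored as the authenticated user of the current security context; whether that context is cleared afterwards depends on filter configuration outside this diff, so the check should come first and the context should only be populated once the caller is known to be allowed. Extract the principal straight from the returned `Authentication`, reject it if it carries no authority, and set the context after that, as in the excerpt below. How `ForbiddenException` is translated to an HTTP status is handled by an exception handler that is not in this patch, so I cannot confirm the client receives a 403 rather than a 500; worth verifying. The hunk header announces more lines than are visible here, so the end of `authenticateUser` may lie outside this copy of the patch.
```java
    public ResponseEntity authenticateUser(@RequestBody LoginRequest loginRequest) throws ForbiddenException {
        Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
        User user = (User)authentication.getPrincipal();
        // Refuse before the security context is populated: a principal without an Item role must never be left authenticated on this thread.
        if (user.getAuthorities().isEmpty()) {
            throw new ForbiddenException("Ce login ne dispose pas des droits nécessaires pour accéder à Item");
        }
        SecurityContextHolder.getContext().setAuthentication(authentication);
        // … unchanged: token generation and response …
```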