Bug member security

Bence KOLONICS · Bence KOLONICS · commit e920cc54e5bc · 2023-01-06T23:19:44.000Z
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -175,7 +175,7 @@ build:frontend:
     - generation:frontend_assets
   script:
     - export NODE_OPTIONS=--openssl-legacy-provider
-    - yarn build --configuration production
+    - yarn build
   artifacts:
     paths:
     - frontend_angular/dist/
diff --git a/api_server/adh6/member/subscription_manager.py b/api_server/adh6/member/subscription_manager.py
@@ -227,7 +227,7 @@ def validate(self, member_id: int, free: bool) -> None:
         self.membership_repository.validate(subscription.uuid)
         self.add_payment_record(subscription, free)
         self.member_repository.add_duration(subscription.member, subscription.duration)
-        self.notification_manager.send(template_title="Nouvelle cotisation / New subscription", member_email=member.email, subscription_duration=subscription.duration.value, subscription_end=member.departure_date)
+        #self.notification_manager.send(template_title="Nouvelle cotisation / New subscription", member_email=member.email, subscription_duration=subscription.duration.value, subscription_end=member.departure_date)
 
     @log_call
     def add_payment_record(self, membership: Membership, free: bool) -> None:
diff --git a/api_server/openapi/swagger.yaml b/api_server/openapi/swagger.yaml
@@ -588,8 +588,6 @@ paths:
           $ref: '#/components/responses/Unexpected'
       summary: Retrieve a member
       security: 
-        - OAuth2:
-          - user
         - OAuth2:
           - admin:read
         - ApiKeyAdminAuth: []
diff --git a/api_server/test/integration/test_member.py b/api_server/test/integration/test_member.py
@@ -244,6 +244,12 @@ def test_member_get_unauthorized(client):
     )
     assert r.status_code == 403
 
+def test_member_get_another_user(client, sample_member):
+    r = client.get(
+        f'{base_url}{sample_member.id}',
+        headers=TEST_HEADERS_SAMPLE,
+    )
+    assert r.status_code == 403
 
 def test_member_delete_existant(client, sample_member):
     r = client.delete(
diff --git a/frontend_angular/angular.json b/frontend_angular/angular.json
@@ -122,7 +122,7 @@
               "aot": true,
               "extractLicenses": true,
               "vendorChunk": false,
-              "buildOptimizer": true,
+              "buildOptimizer": true
             }
           },
           "defaultConfiguration": "production"
diff --git a/frontend_angular/package.json b/frontend_angular/package.json
@@ -8,7 +8,7 @@
     "start:en": "ng serve --configuration=development",
     "build:stats": "ng build --stats-json",
     "analyze": "webpack-bundle-analyzer dist/adh6/fr/stats.json",
-    "build": "ng build --prod",
+    "build": "ng build --configuration production",
     "build:fr": "ng build --configuration=fr",
     "build:en": "ng build --configuration=en",
     "test": "ng test",
diff --git a/openapi/spec.yaml b/openapi/spec.yaml
@@ -588,8 +588,6 @@ paths:
           $ref: '#/components/responses/Unexpected'
       summary: Retrieve a member
       security: 
-        - OAuth2:
-          - user
         - OAuth2:
           - admin:read
         - ApiKeyAdminAuth: []

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,7 @@`
`122`	`122`	`"aot": true,`
`123`	`123`	`"extractLicenses": true,`
`124`	`124`	`"vendorChunk": false,`
`125`		`- "buildOptimizer": true,`
	`125`	`+ "buildOptimizer": true`
`126`	`126`	`}`
`127`	`127`	`},`
`128`	`128`	`"defaultConfiguration": "production"`