From 6538d0a8cdd8499a9a723763eec75f3eae5394f6 Mon Sep 17 00:00:00 2001
From: Bertrand Zuchuat
Date: Tue, 9 Apr 2024 15:01:48 +0200
Subject: [PATCH] chore(permissions): item and holdings

Access to the resource was limited to the current organisation. This protects sensitive data on professional view.
Co-Authored-by: Bertrand Zuchuat
---
 projects/admin/src/app/routes/base-route.ts | 15 +++++++++++++++
 projects/admin/src/app/routes/holdings-route.ts | 1 +
 projects/admin/src/app/routes/items-route.ts | 1 +
 3 files changed, 17 insertions(+)

diff --git a/projects/admin/src/app/routes/base-route.ts b/projects/admin/src/app/routes/base-route.ts
index 214efa1b2..810ae5511 100644
--- a/projects/admin/src/app/routes/base-route.ts
+++ b/projects/admin/src/app/routes/base-route.ts
@@ -137,6 +137,20 @@ export class BaseRoute {
 };
 }
 
+ /**
+ * Can read record
+ * @param record - the record
+ * @returns Observable boolean
+ */
+ protected canRead(record: any) {
+ const organisationPid = this._routeToolService.userService.user
+ .currentOrganisation;
+ const recordOrganisationPid = ('organisation' in record.metadata)
+ ? record.metadata.organisation.pid
+ : false;
+ return of({ can: organisationPid === recordOrganisationPid, message: '' });
+ }
+
 /**
 * Expert search link
 * @return string, link of help page
@@ -153,3 +167,4 @@ export class BaseRoute {
 : defaultPath;
 }
 }
+
diff --git a/projects/admin/src/app/routes/holdings-route.ts b/projects/admin/src/app/routes/holdings-route.ts
index e2d6fc91f..44e4a2462 100644
--- a/projects/admin/src/app/routes/holdings-route.ts
+++ b/projects/admin/src/app/routes/holdings-route.ts
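Review bot: `canRead` in base-route.ts fails open when both sides of the comparison are undefined: if `currentOrganisation` is not set yet and the record's `organisation` carries no `pid`, `undefined === undefined` yields `can: true`. The `in` test also throws a TypeError when `record.metadata` is missing or not an object, and the docblock says "Observable boolean" although the method returns an Observable of `{ can, message }`. Suggest `const recordOrganisationPid = record?.metadata?.organisation?.pid;` followed by `return of({ can: !!organisationPid && organisationPid === recordOrganisationPid, message: '' });`. Because the record is already loaded in the browser when this runs, the check only gates the detail view; the commit message's claim of protecting sensitive data holds only if the API enforces the same organisation restriction, which is not visible in this patch. The `canRead` wiring added in holdings-route.ts and items-route.ts inherits this behaviour.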
@@ -61,6 +61,7 @@ export class HoldingsRoute extends BaseRoute implements RouteInterface {
 }
 },
 detailComponent: HoldingDetailViewComponent,
+ canRead: (record: any) => this.canRead(record),
 canAdd: () => of({ can: this._routeToolService.permissionsService.canAccess(PERMISSIONS.HOLD_CREATE) }),
 permissions: (record: any) => this._routeToolService.permissions(record, this.recordType, true),
 preCreateRecord: (data: any) => {
diff --git a/projects/admin/src/app/routes/items-route.ts b/projects/admin/src/app/routes/items-route.ts
index 1908ff97e..32562edd1 100644
--- a/projects/admin/src/app/routes/items-route.ts
+++ b/projects/admin/src/app/routes/items-route.ts
@@ -74,6 +74,7 @@ export class ItemsRoute extends BaseRoute implements RouteInterface {
 preFilters: {
 organisation: null
 },
+ canRead: (record: any) => this.canRead(record),
 canAdd: () => of({can: false}),
 permissions: (record: any) => this._routeToolService.permissions(record, this.recordType, false),
 preprocessRecordEditor: (record: any) => {