fix(recipe): Add security for Recipes

flo-ride · Dec 24, 2024 · 3a47453 · 3a47453
1 parent 0ea1687
commit 3a47453
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 2 deletions.
diff --git a/api/src/recipe/new.rs b/api/src/recipe/new.rs
@@ -48,12 +48,25 @@ pub async fn post_new_recipe(
     let recipe_model: ActiveModel = recipe.clone().try_into()?;
 
     // Verifiy that every product exist before mutating anything
-    service::Query::find_product_by_id(&conn, recipe.product)
+    let result_product = service::Query::find_product_by_id(&conn, recipe.product)
         .await?
         .ok_or(RecipeRequestError::ProductCannotBeFound(recipe.product))?;
 
+    if result_product.unit != entity::models::sea_orm_active_enums::Unit::Unit {
+        return Err(RecipeRequestError::ResultingProductIsNotUnit(
+            result_product.id,
+            result_product.unit.into(),
+        )
+        .into());
+    }
+
     for ingredient in recipe.ingredients.clone() {
         TryInto::<recipe_ingredients::ActiveModel>::try_into(ingredient.clone())?;
+        if ingredient.product == recipe.product {
+            return Err(
+                RecipeRequestError::IngredientCannotBeResultingProduct(ingredient.product).into(),
+            );
+        }
 
         service::Query::find_product_by_id(&conn, ingredient.product)
             .await?

diff --git a/entity/src/models/recipe.rs b/entity/src/models/recipe.rs
@@ -21,7 +21,6 @@ pub struct Model {
     #[sea_orm(primary_key, auto_increment = false, filter_single)]
     pub id: Uuid,
     /// Foreign key referencing the `product` table.
-    #[sea_orm(filter_single)]
     pub result_product_id: Uuid,
     /// Optional name of the recipe.
     pub name: Option<String>,

diff --git a/entity/src/request/recipe.rs b/entity/src/request/recipe.rs
@@ -32,6 +32,10 @@ pub enum RecipeRequestError {
     ProductCannotBeFound(uuid::Uuid),
     /// Error if the ingredient product can't be found in the database.
     IngredientCannotBeFound(uuid::Uuid),
+    /// Error if the ingredient product is the same as the resulting product.
+    IngredientCannotBeResultingProduct(uuid::Uuid),
+    /// Error if the resulting Product unit is not an Unit.
+    ResultingProductIsNotUnit(uuid::Uuid, crate::response::r#enum::UnitResponse),
     /// Error if the recipe can't be found in the database.
     RecipeCannotBeFound(uuid::Uuid),
 }
@@ -59,6 +63,15 @@ impl std::fmt::Display for RecipeRequestError {
             RecipeRequestError::IngredientCannotBeFound(product) => {
                 write!(f, "Ingredient \"{product}\" cannot be found")
             }
+            RecipeRequestError::IngredientCannotBeResultingProduct(product) => {
+                write!(
+                    f,
+                    "Ingredient \"{product}\" cannot be the same as the resulting product"
+                )
+            }
+            RecipeRequestError::ResultingProductIsNotUnit(product, unit) => {
+                write!(f, "Product \"{product}\" unit cannot be {unit:?}")
+            }
             RecipeRequestError::RecipeCannotBeFound(recipe) => {
                 write!(f, "Recipe \"{recipe}\" cannot be found")
             }