From 71661dfe79f9cc6fd7e345e92fb7be4668861cca Mon Sep 17 00:00:00 2001
From: monsieurswag
Date: Thu, 11 Apr 2024 08:52:29 +0200
Subject: [PATCH] Display a 403 error page when a non-admin user try to access the user list view or the user-groups list view
---
 frontend/src/lib/components/SideBar/navData.ts | 7 +++++++
 .../(app)/[model=urlmodel]/+layout.server.ts | 16 ++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/frontend/src/lib/components/SideBar/navData.ts b/frontend/src/lib/components/SideBar/navData.ts
index ad804d0e6..59bb8510c 100644
--- a/frontend/src/lib/components/SideBar/navData.ts
+++ b/frontend/src/lib/components/SideBar/navData.ts
@@ -190,3 +190,10 @@ export const navData = {
 }
 ]
 };
+
+export const modelNavData = navData.items.reduce((acc, navMenu) => {
+ return [...acc,...navMenu.items];
+}, []).reduce((acc, item) => {
+ acc[item.href.substring(1)] = item;
+ return acc;
+}, {});
diff --git a/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts b/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts
index 7cd8313c2..998bc9829 100644
--- a/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts
+++ b/frontend/src/routes/(app)/[model=urlmodel]/+layout.server.ts
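Review bot: `modelNavData` is exported as an untyped plain object whose keys come from `item.href.substring(1)`, so the consumer in `+layout.server.ts` indexes it with a route parameter and gets `undefined` for any model that has no sidebar entry, with nothing in the type telling it so. Building the table with `flatMap` and `Object.fromEntries` and annotating it as `Record<string, ...>` over the nav item type makes the lookup's optionality explicit: `export const modelNavData = Object.fromEntries(navData.items.flatMap((menu) => menu.items).map((item) => [item.href.substring(1), item]));`. A one-line comment above it should state the contract, e.g. `// Sidebar items keyed by the \`model\` route parameter (href without its leading slash); callers must handle a missing key.` Hrefs with more than one path segment would produce keys that can never equal a single `model` parameter, which is presumably fine for the current nav data but worth a note. The `navData` object this flattens closes just above the hunk, outside the changed lines.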
@@ -1,12 +1,24 @@
 import { BASE_API_URL } from '$lib/utils/constants';
 import { listViewFields } from '$lib/utils/table';
 import { tableSourceMapper, type TableSource } from '@skeletonlabs/skeleton';
-
+import { modelNavData } from '$lib/components/SideBar/navData';
+import { error } from '@sveltejs/kit';
 import { CUSTOM_MODEL_FETCH_MAP } from '$lib/utils/crud';
 import type { urlModel } from '$lib/utils/types';
 import type { LayoutServerLoad } from './$types';
 
-export const load = (async ({ fetch, params }) => {
+export const load = (async ({ fetch, params, locals }) => {
+ const modelData = modelNavData[params.model];
+
+ if (locals.user && modelData.user_groups) {
+ const user_groups = new Set(locals.user.user_groups.map(user_group => user_group[0]));
+ if (!modelData.user_groups.some(
+ user_group => user_groups.has(user_group)
+ )) {
+ return error(403, "You are not allowed to access this page.");
+ }
+ }
+
 let data = null;
 if (Object.prototype.hasOwnProperty.call(CUSTOM_MODEL_FETCH_MAP, params.model)) {
 const fetch_function = CUSTOM_MODEL_FETCH_MAP[params.model];
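Review bot: The new group check in `load` fails open: the whole block is skipped when `locals.user` is unset, so an anonymous request to an allowlisted view falls through to the data fetch unless something upstream already rejects it, and `modelNavData[params.model]` yields `undefined` for a model with no sidebar entry, which makes `modelData.user_groups` throw a TypeError (a 500) instead of a deliberate 403 or 404. Whether `return error(403, ...)` actually aborts the load also depends on the SvelteKit version: in 2.x `error()` throws by itself, but on 1.x it returns an `HttpError` that must be thrown, so `throw error(...)` is the form that is correct on both. The rewrite below guards the missing model, requires a user before consulting the allowlist, and throws; this gate is a UI-side convenience keyed off navigation data, so the API must keep enforcing the same restriction regardless. The body of `load` continues past the end of the hunk.
```typescript
export const load = (async ({ fetch, params, locals }) => {
	const modelData = modelNavData[params.model];
	if (!modelData) {
		throw error(404, 'Unknown model.');
	}

	// Fail closed: an allowlisted view is refused to anonymous requests and to
	// users whose groups do not intersect the allowlist.
	if (modelData.user_groups) {
		const userGroups = new Set((locals.user?.user_groups ?? []).map((userGroup) => userGroup[0]));
		if (!modelData.user_groups.some((group) => userGroups.has(group))) {
			throw error(403, 'You are not allowed to access this page.');
		}
	}
	// … unchanged: data fetching via CUSTOM_MODEL_FETCH_MAP …
```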