fix: partners seeing all listings in list (#1015)

api/src/controllers/listing.controller.ts

@@ -76,15 +76,16 @@ export class ListingController {
     private readonly listingCsvExportService: ListingCsvExporterService,
   ) {}
 
-  @Get()
+  @Post('list')
   @ApiOperation({
     summary: 'Get a paginated set of listings',
     operationId: 'list',
   })
+  @PermissionAction(permissionActions.read)
   @UsePipes(new ValidationPipe(defaultValidationPipeOptions))
   @UseInterceptors(ClassSerializerInterceptor)
   @ApiOkResponse({ type: PaginatedListingDto })
-  public async getPaginatedSet(@Query() queryParams: ListingsQueryParams) {
+  public async getPaginatedSet(@Body() queryParams: ListingsQueryParams) {
     return await this.listingService.list(queryParams);
   }
 

api/test/integration/listing.e2e-spec.ts

@@ -427,9 +427,10 @@ describe('Listing Controller Tests', () => {
       const query = stringify(queryParams as any);
 
       const res = await request(app.getHttpServer())
-        .get(`/listings?${query}`)
+        .post(`/listings/list`)
+        .send(query)
         .set({ passkey: process.env.API_PASS_KEY || '' })
-        .expect(200);
+        .expect(201);
 
       expect(res.body).toEqual({
         items: [],
@@ -478,9 +479,10 @@ describe('Listing Controller Tests', () => {
       let query = stringify(queryParams as any);
 
       let res = await request(app.getHttpServer())
-        .get(`/listings?${query}`)
+        .post(`/listings/list`)
+        .send(query)
         .set({ passkey: process.env.API_PASS_KEY || '' })
-        .expect(200);
+        .expect(201);
 
       expect(res.body.meta).toEqual({
         currentPage: 1,
@@ -509,9 +511,10 @@ describe('Listing Controller Tests', () => {
       query = stringify(queryParams as any);
 
       res = await request(app.getHttpServer())
-        .get(`/listings?${query}`)
+        .post(`/listings/list`)
+        .send(query)
         .set({ passkey: process.env.API_PASS_KEY || '' })
-        .expect(200);
+        .expect(201);
 
       expect(res.body.meta).toEqual({
         currentPage: 2,

api/test/integration/permission-tests/permission-as-admin.e2e-spec.ts

@@ -1069,10 +1069,10 @@ describe('Testing Permissioning of endpoints as Admin User', () => {
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-juris-admin-correct-juris.e2e-spec.ts

@@ -1044,10 +1044,10 @@ describe('Testing Permissioning of endpoints as Jurisdictional Admin in the corr
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-juris-admin-wrong-juris.e2e-spec.ts

@@ -1014,10 +1014,10 @@ describe('Testing Permissioning of endpoints as Jurisdictional Admin in the wron
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-limited-juris-admin-correct-juris.e2e-spec.ts

@@ -987,10 +987,10 @@ describe('Testing Permissioning of endpoints as Limited Jurisdictional Admin in
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-limited-juris-admin-wrong-juris.e2e-spec.ts

@@ -989,10 +989,10 @@ describe('Testing Permissioning of endpoints as Limited Jurisdictional Admin in
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-no-user.e2e-spec.ts

@@ -931,10 +931,10 @@ describe('Testing Permissioning of endpoints as logged out user', () => {
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-partner-correct-listing.e2e-spec.ts

@@ -67,6 +67,8 @@ import {
   createSimpleApplication,
 } from './helpers';
 import { ApplicationFlaggedSetService } from '../../../src/services/application-flagged-set.service';
+import { ListingsQueryParams } from '../../../src/dtos/listings/listings-query-params.dto';
+import { Compare } from '../../../src/dtos/shared/base-filter.dto';
 
 const testEmailService = {
   confirmation: jest.fn(),
@@ -87,6 +89,7 @@ describe('Testing Permissioning of endpoints as partner with correct listing', (
   let applicationFlaggedSetService: ApplicationFlaggedSetService;
   let cookies = '';
   let jurisId = '';
+  let jurisId2 = '';
   let userListingId = '';
   let closedUserListingId = '';
   let closedUserListingId2 = '';
@@ -115,6 +118,11 @@ describe('Testing Permissioning of endpoints as partner with correct listing', (
       prisma,
       'correct partner permission juris',
     );
+
+    jurisId2 = await generateJurisdiction(
+      prisma,
+      'correct partner permission juris 2',
+    );
     await reservedCommunityTypeFactoryAll(jurisId, prisma);
     await unitAccessibilityPriorityTypeFactoryAll(prisma);
 
@@ -135,6 +143,7 @@ describe('Testing Permissioning of endpoints as partner with correct listing', (
       multiselectQuestions: [msq],
       digitalApp: true,
     });
+
     const listing = await prisma.listings.create({
       data: listingData,
     });
@@ -149,7 +158,7 @@ describe('Testing Permissioning of endpoints as partner with correct listing', (
     });
     closedUserListingId = closedListing.id;
 
-    const listingData2 = await listingFactory(jurisId, prisma, {
+    const listingData2 = await listingFactory(jurisId2, prisma, {
       multiselectQuestions: [msq],
     });
     const listing2 = await prisma.listings.create({
@@ -1042,10 +1051,38 @@ describe('Testing Permissioning of endpoints as partner with correct listing', (
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .send({} as ListingsQueryParams)
+        .expect(201);
+    });
+
+    it('should succeed for list endpoint filtered by jurisdiction', async () => {
+      const totalListings = await request(app.getHttpServer())
+        .post(`/listings/list`)
+        .set({ passkey: process.env.API_PASS_KEY || '' })
+        .set('Cookie', cookies)
+        .send({})
+        .expect(201);
+      const jurisdiction2Listings = await request(app.getHttpServer())
+        .post(`/listings/list`)
+        .set({ passkey: process.env.API_PASS_KEY || '' })
+        .set('Cookie', cookies)
+        .send({
+          filter: [
+            {
+              $comparison: Compare.IN,
+              jurisdiction: jurisId2,
+            },
+          ],
+        } as ListingsQueryParams)
+        .expect(201);
+
+      expect(totalListings.body.items.length).toBeGreaterThan(
+        jurisdiction2Listings.body.items.length,
+      );
+      expect(jurisdiction2Listings.body.items.length).toBeGreaterThan(0);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-partner-wrong-listing.e2e-spec.ts

@@ -1009,10 +1009,10 @@ describe('Testing Permissioning of endpoints as partner with wrong listing', ()
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/integration/permission-tests/permission-as-public.e2e-spec.ts

@@ -1002,10 +1002,10 @@ describe('Testing Permissioning of endpoints as public user', () => {
   describe('Testing listing endpoints', () => {
     it('should succeed for list endpoint', async () => {
       await request(app.getHttpServer())
-        .get(`/listings?`)
+        .post(`/listings/list`)
         .set({ passkey: process.env.API_PASS_KEY || '' })
         .set('Cookie', cookies)
-        .expect(200);
+        .expect(201);
     });
 
     it('should succeed for retrieveListings endpoint', async () => {

api/test/unit/services/listing.service.spec.ts

@@ -539,6 +539,10 @@ describe('Testing listing service', () => {
             [ListingFilterKeys.bedrooms]: 2,
             $comparison: Compare['>='],
           },
+          {
+            [ListingFilterKeys.jurisdiction]: 'Jurisdiction',
+            $comparison: Compare.IN,
+          },
         ],
       };
 
@@ -578,6 +582,15 @@ describe('Testing listing service', () => {
                 },
               ],
             },
+            {
+              OR: [
+                {
+                  jurisdictionId: {
+                    in: ['jurisdiction'],
+                  },
+                },
+              ],
+            },
             {
               name: {
                 contains: 'simple search',
@@ -638,6 +651,15 @@ describe('Testing listing service', () => {
                 },
               ],
             },
+            {
+              OR: [
+                {
+                  jurisdictionId: {
+                    in: ['jurisdiction'],
+                  },
+                },
+              ],
+            },
             {
               name: {
                 contains: 'simple search',