feat: Securisation du Backend

Back-End/GestionMessagerie/views.py

@@ -2,6 +2,7 @@ from rest_framework.views import APIView
 from rest_framework.response import Response
 from rest_framework import status
 from rest_framework.parsers import MultiPartParser, FormParser
+from rest_framework.permissions import IsAuthenticated
 from django.db import models
 from .models import  Conversation, ConversationParticipant, Message, UserPresence
 from Auth.models import Profile, ProfileRole
@@ -25,6 +26,8 @@ logger = logging.getLogger(__name__)
 # ====================== MESSAGERIE INSTANTANÉE ======================
 
 class InstantConversationListView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour lister les conversations instantanées d'un utilisateur
     """
@@ -34,7 +37,8 @@ class InstantConversationListView(APIView):
     )
     def get(self, request, user_id=None):
         try:
-            user = Profile.objects.get(id=user_id)
+            # Utiliser l'utilisateur authentifié — ignorer user_id de l'URL (protection IDOR)
+            user = request.user
 
             conversations = Conversation.objects.filter(
                 participants__participant=user,
@@ -50,6 +54,8 @@ class InstantConversationListView(APIView):
             return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class InstantConversationCreateView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour créer une nouvelle conversation instantanée
     """
@@ -67,6 +73,8 @@ class InstantConversationCreateView(APIView):
         return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
 class InstantMessageListView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour lister les messages d'une conversation
     """
@@ -79,23 +87,19 @@ class InstantMessageListView(APIView):
             conversation = Conversation.objects.get(id=conversation_id)
             messages = conversation.messages.filter(is_deleted=False).order_by('created_at')
 
-            # Récupérer l'utilisateur actuel depuis les paramètres de requête
-            user_id = request.GET.get('user_id')
-            user = None
-            if user_id:
-                try:
-                    user = Profile.objects.get(id=user_id)
-                except Profile.DoesNotExist:
-                    pass
+            # Utiliser l'utilisateur authentifié — ignorer user_id du paramètre (protection IDOR)
+            user = request.user
 
             serializer = MessageSerializer(messages, many=True, context={'user': user})
             return Response(serializer.data, status=status.HTTP_200_OK)
         except Conversation.DoesNotExist:
             return Response({'error': 'Conversation not found'}, status=status.HTTP_404_NOT_FOUND)
-        except Exception as e:
-            return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': 'Erreur interne du serveur'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class InstantMessageCreateView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour envoyer un nouveau message instantané
     """
@@ -116,21 +120,20 @@ class InstantMessageCreateView(APIView):
     def post(self, request):
         try:
             conversation_id = request.data.get('conversation_id')
-            sender_id = request.data.get('sender_id')
             content = request.data.get('content', '').strip()
             message_type = request.data.get('message_type', 'text')
 
-            if not all([conversation_id, sender_id, content]):
+            if not all([conversation_id, content]):
                 return Response(
-                    {'error': 'conversation_id, sender_id, and content are required'},
+                    {'error': 'conversation_id and content are required'},
                     status=status.HTTP_400_BAD_REQUEST
                 )
 
             # Vérifier que la conversation existe
             conversation = Conversation.objects.get(id=conversation_id)
 
-            # Vérifier que l'expéditeur existe et peut envoyer dans cette conversation
-            sender = Profile.objects.get(id=sender_id)
+            # L'expéditeur est toujours l'utilisateur authentifié (protection IDOR)
+            sender = request.user
             participant = ConversationParticipant.objects.filter(
                 conversation=conversation,
                 participant=sender,
@@ -172,10 +175,12 @@ class InstantMessageCreateView(APIView):
             return Response({'error': 'Conversation not found'}, status=status.HTTP_404_NOT_FOUND)
         except Profile.DoesNotExist:
             return Response({'error': 'Sender not found'}, status=status.HTTP_404_NOT_FOUND)
-        except Exception as e:
-            return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': 'Erreur interne du serveur'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class InstantMarkAsReadView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour marquer une conversation comme lue
     """
@@ -190,15 +195,16 @@ class InstantMarkAsReadView(APIView):
         ),
         responses={200: openapi.Response('Success')}
     )
-    def post(self, request, conversation_id):
+    def post(self, request):
         try:
-            user_id = request.data.get('user_id')
-            if not user_id:
-                return Response({'error': 'user_id is required'}, status=status.HTTP_400_BAD_REQUEST)
-
+            # Utiliser l'utilisateur authentifié — ignorer user_id du body (protection IDOR)
+            # conversation_id est lu depuis le body (pas depuis l'URL)
+            conversation_id = request.data.get('conversation_id')
+            if not conversation_id:
+                return Response({'error': 'conversation_id requis'}, status=status.HTTP_400_BAD_REQUEST)
             participant = ConversationParticipant.objects.get(
                 conversation_id=conversation_id,
-                participant_id=user_id,
+                participant=request.user,
                 is_active=True
             )
 
@@ -209,10 +215,12 @@ class InstantMarkAsReadView(APIView):
 
         except ConversationParticipant.DoesNotExist:
             return Response({'error': 'Participant not found'}, status=status.HTTP_404_NOT_FOUND)
-        except Exception as e:
-            return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': 'Erreur interne du serveur'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class UserPresenceView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour gérer la présence des utilisateurs
     """
@@ -245,8 +253,8 @@ class UserPresenceView(APIView):
 
         except Profile.DoesNotExist:
             return Response({'error': 'User not found'}, status=status.HTTP_404_NOT_FOUND)
-        except Exception as e:
-            return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': 'Erreur interne du serveur'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
     @swagger_auto_schema(
         operation_description="Récupère le statut de présence d'un utilisateur",
@@ -266,10 +274,12 @@ class UserPresenceView(APIView):
 
         except Profile.DoesNotExist:
             return Response({'error': 'User not found'}, status=status.HTTP_404_NOT_FOUND)
-        except Exception as e:
-            return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': 'Erreur interne du serveur'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class FileUploadView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour l'upload de fichiers dans la messagerie instantanée
     """
@@ -301,18 +311,17 @@ class FileUploadView(APIView):
         try:
             file = request.FILES.get('file')
             conversation_id = request.data.get('conversation_id')
-            sender_id = request.data.get('sender_id')
 
             if not file:
                 return Response({'error': 'Aucun fichier fourni'}, status=status.HTTP_400_BAD_REQUEST)
 
-            if not conversation_id or not sender_id:
-                return Response({'error': 'conversation_id et sender_id requis'}, status=status.HTTP_400_BAD_REQUEST)
+            if not conversation_id:
+                return Response({'error': 'conversation_id requis'}, status=status.HTTP_400_BAD_REQUEST)
 
-            # Vérifier que la conversation existe et que l'utilisateur y participe
+            # Vérifier que la conversation existe et que l'utilisateur authentifié y participe (protection IDOR)
             try:
                 conversation = Conversation.objects.get(id=conversation_id)
-                sender = Profile.objects.get(id=sender_id)
+                sender = request.user
 
                 # Vérifier que l'expéditeur participe à la conversation
                 if not ConversationParticipant.objects.filter(
@@ -368,10 +377,12 @@ class FileUploadView(APIView):
                 'filePath': file_path
             }, status=status.HTTP_200_OK)
 
-        except Exception as e:
-            return Response({'error': f'Erreur lors de l\'upload: {str(e)}'}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
+        except Exception:
+            return Response({'error': "Erreur lors de l'upload"}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class InstantRecipientSearchView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour rechercher des destinataires pour la messagerie instantanée
     """
@@ -419,6 +430,8 @@ class InstantRecipientSearchView(APIView):
             return Response({'error': str(e)}, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
 
 class InstantConversationDeleteView(APIView):
+    permission_classes = [IsAuthenticated]
+
     """
     API pour supprimer (désactiver) une conversation instantanée
     """