From bda47fd88bd0730e007d9c518b32ce325bc55015 Mon Sep 17 00:00:00 2001
From: Anys
Date: Wed, 7 Jan 2026 22:56:06 +0100
Subject: [PATCH] Update role enum and access control

Remove isRouteAnAPI(route: string): boolean
Refactor role determination logic to use `eduPersonPrimaryAffiliation` and `amuComposante`. This simplifies checking for Polytech affiliation and identifies roles like professor, administration, and student more accurately. The API access control is updated to reflect the new role names.
---
 defaults/interfaces.ts | 2 +-
 routes/_middleware.ts | 36 +++++++++---------------------------
 2 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/defaults/interfaces.ts b/defaults/interfaces.ts
index 145b975..8b47919 100644
--- a/defaults/interfaces.ts
+++ b/defaults/interfaces.ts
@@ -4,7 +4,7 @@ import { AsyncRoute } from "$fresh/src/server/types.ts";
 export interface AuthenticatedState {
 isAuthenticated: true;
 isFromPolytech: boolean;
- role: "etudiants" | "personnels" | "autres";
+ role: "etudiant" | "professeur" | "administration" | "autre";
 session: CasContent;
 availablePages: Record;
 }
diff --git a/routes/_middleware.ts b/routes/_middleware.ts
index 1a02e0b..56a9a64 100644
--- a/routes/_middleware.ts
+++ b/routes/_middleware.ts
@@ -25,14 +25,6 @@ function isRoutePublic(route: string): boolean {
 !!(route.match(/\..+$/)?.[0] ?? false);
 }
 
-/**
- * Checks if the given route is an API route.
- * @param route The route to check.
- * @returns `true` if the route is an API route, `false` otherwise.
- */
-function isRouteAnAPI(route: string): boolean {
- return route.includes("/api/");
-}
 /**
 * Get the given user's key, creating it if not already existing.
 * @param user The key's user.
@@ -77,28 +69,24 @@ export const handler: MiddlewareHandler[] = [
 );
 if (context.state.isAuthenticated) {
+ const session: CasContent = (getJwtPayload(cookies["sessionToken"]) as LoginJWT).user;
- const isFromPolytech = Object.values(session.memberOf).some(
- (value) =>
- typeof value === "string" && value.includes("cn=amu:ufr:polytech"),
- );
+ const isFromPolytech = session.amuComposante.includes("polytech");
 context.state.isFromPolytech = isFromPolytech;
 if (isFromPolytech) {
 context.state.session = session;
- if (Object.values(session.memberOf).some(
- (value) => typeof value === "string" && value.includes("cn=amu:ufr:polytech:personnels")
- )) {
- context.state.role = "personnels";
- } else if (Object.values(session.memberOf).some(
- (value) => typeof value === "string" && value.includes("cn=amu:ufr:polytech:etudiants")
- )) {
- context.state.role = "etudiants";
+ if (session.eduPersonPrimaryAffiliation.includes("faculty")) {
+ context.state.role = "professeur"
+ } else if (session.eduPersonPrimaryAffiliation.includes("employee")) {
+ context.state.role = "administration"
+ } else if (session.eduPersonPrimaryAffiliation.includes("student")) {
+ context.state.role = "etudiant";
 } else {
- context.state.role = "autres";
+ context.state.role = "autre";
 }
 }
 }
@@ -136,12 +124,6 @@ export const handler: MiddlewareHandler[] = [
 },
 });
 }
-
- if (isRouteAnAPI(url.pathname) && !(context.state.role == "personnels")) {
- return new Response(null, {
- status: 403,
- });
- }
 }
 
 return await context.next();
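Review bot: The new role checks inside the `if (isFromPolytech)` branch, and the `isFromPolytech` line above them, call `includes(...)` on `session.eduPersonPrimaryAffiliation` and `session.amuComposante`; if `CasContent` declares these as strings (their type is not visible here) that is a substring match, so any attribute value merely containing `student` or `polytech` qualifies, and an authenticated user whose CAS payload lacks either attribute makes the middleware throw a TypeError instead of falling through to `autre`. An exact comparison on a defaulted value is safer, e.g. `const affiliation = session.eduPersonPrimaryAffiliation ?? "";` followed by `if (affiliation === "faculty") {` and the same form for the `employee` and `student` branches. The `"professeur"` and `"administration"` assignments also drop the trailing semicolon that every neighbouring statement uses. The enclosing handler starts and ends outside this hunk.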
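Review bot: The 403 guard for `/api/` routes is deleted in this last hunk with no replacement anywhere in the patch, so after this commit the middleware passes every request that reaches this point on to the API handlers regardless of `context.state.role`, although the commit message describes the API access control as updated rather than removed. The deletion was presumably forced by the role union losing `"personnels"` (the old comparison would no longer type-check), but unless each API handler enforces the role itself, which is not visible here, the check should be kept with the new names, e.g. `if (url.pathname.includes("/api/") && context.state.role !== "professeur" && context.state.role !== "administration") {` `return new Response(null, { status: 403 });` `}`, with the allowed set matching whatever the former `personnels` group maps to. The `isRouteAnAPI` helper removed in the `@@ -25` hunk could simply be retained for that condition. The enclosing handler starts outside this hunk.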