fix(mrf): webhook be validation (#7247)

* fix: add check to block webhooks updates on mrf fix: switch form to original form test: add test cases for mrf webhook blocks chore: update comments for clarity * chore: bump version to 6.115.1
opengovsg · Apr 5, 2024 · 5a631f5 · 5a631f5
1 parent 16484da
commit 5a631f5
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,8 +4,15 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v6.115.1](https://github.com/opengovsg/FormSG/compare/v6.115.0...v6.115.1)
+
+- * chore(deps-dev): bump @types/express from 4.17.17 to 4.17.21 (#7233) [`#7241`](https://github.com/opengovsg/FormSG/pull/7241)
+- fix: add check to block webhooks updates on mrf [`71ab0c5`](https://github.com/opengovsg/FormSG/commit/71ab0c592c15de5fddbffc9970a424af7a31d4ab)
+
 #### [v6.115.0](https://github.com/opengovsg/FormSG/compare/v6.114.1...v6.115.0)
 
+> 3 April 2024
+
 - fix: correct date validation for disabled fields [`#7240`](https://github.com/opengovsg/FormSG/pull/7240)
 - build: merge release v6.114.1 back to develop [`#7228`](https://github.com/opengovsg/FormSG/pull/7228)
 - chore(mrf): add announcement content [`#7229`](https://github.com/opengovsg/FormSG/pull/7229)
@@ -17,6 +24,7 @@ Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 - chore(deps-dev): bump @types/json-stringify-safe from 5.0.0 to 5.0.3 [`#7235`](https://github.com/opengovsg/FormSG/pull/7235)
 - fix(deps): bump nan from 2.17.0 to 2.19.0 [`#7212`](https://github.com/opengovsg/FormSG/pull/7212)
 - chore(deps-dev): bump @types/express from 4.17.17 to 4.17.21 [`#7233`](https://github.com/opengovsg/FormSG/pull/7233)
+- chore: bump version to v6.115.0 [`8f02ef7`](https://github.com/opengovsg/FormSG/commit/8f02ef7e50f709ecb1b7ab55f1dfc867e41c6662)
 
 #### [v6.114.1](https://github.com/opengovsg/FormSG/compare/v6.114.0...v6.114.1)
 

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
diff --git a/frontend/package.json b/frontend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "form-frontend",
-  "version": "6.115.0",
+  "version": "6.115.1",
   "homepage": ".",
   "private": true,
   "dependencies": {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "FormSG",
   "description": "Form Manager for Government",
-  "version": "6.115.0",
+  "version": "6.115.1",
   "homepage": "https://form.gov.sg",
   "authors": [
     "FormSG <formsg@data.gov.sg>"

diff --git a/src/app/modules/form/admin-form/__tests__/admin-form.service.spec.ts b/src/app/modules/form/admin-form/__tests__/admin-form.service.spec.ts
@@ -20,6 +20,7 @@ import {
   DatabaseError,
   DatabasePayloadSizeError,
   DatabaseValidationError,
+  MalformedParametersError,
 } from 'src/app/modules/core/core.errors'
 import { MissingUserError } from 'src/app/modules/user/user.errors'
 import * as UserService from 'src/app/modules/user/user.service'
@@ -1419,6 +1420,47 @@ describe('admin-form.service', () => {
       )
       expect(MOCK_UPDATED_FORM.getSettings).toHaveBeenCalledTimes(0)
     })
+
+    it('should not allow webhooks updates for MRF', async () => {
+      const MOCK_MULTIRESPONDENT_FORM = jest.mocked({
+        _id: new ObjectId(),
+        status: FormStatus.Public,
+        responseMode: FormResponseMode.Multirespondent,
+      } as unknown as IPopulatedForm)
+      const settingsToUpdate: SettingsUpdateDto = {
+        webhook: {
+          url: 'does not matter',
+        },
+      }
+
+      // Act
+      const actualResult = await AdminFormService.updateFormSettings(
+        MOCK_MULTIRESPONDENT_FORM,
+        settingsToUpdate,
+      )
+
+      // Assert
+      expect(actualResult._unsafeUnwrapErr()).toBeInstanceOf(
+        MalformedParametersError,
+      )
+    })
+
+    it('should allow webhooks updates for encrypt form', async () => {
+      const settingsToUpdate: SettingsUpdateDto = {
+        webhook: {
+          url: 'does not matter',
+        },
+      }
+
+      // Act
+      const actualResult = await AdminFormService.updateFormSettings(
+        MOCK_ENCRYPT_FORM,
+        settingsToUpdate,
+      )
+
+      // Assert
+      expect(actualResult.isOk()).toBeTrue()
+    })
   })
 
   describe('updateFormField', () => {

diff --git a/src/app/modules/form/admin-form/admin-form.service.ts b/src/app/modules/form/admin-form/admin-form.service.ts
@@ -1041,6 +1041,7 @@ export const updateFormCollaborators = (
  * @param body the subset of form settings to update
  * @returns ok(updated form settings) on success
  * @returns err(MalformedParametersError) if auth type update is attempted for a multi-respondent form
+ * @returns err(MalformedParametersError) if webhook update is attempted for a multi-respondent form
  * @returns err(database errors) if db error is thrown during form setting update
  */
 export const updateFormSettings = (
@@ -1063,6 +1064,15 @@ export const updateFormSettings = (
     return errAsync(new MalformedParametersError('Invalid authentication type'))
   }
 
+  if (
+    originalForm.responseMode === FormResponseMode.Multirespondent &&
+    Boolean(body.webhook?.url)
+  ) {
+    return errAsync(
+      new MalformedParametersError('Webhooks not supported on MRF'),
+    )
+  }
+
   const dotifiedSettingsToUpdate = dotifyObject(body)
   const ModelToUse = getFormModelByResponseMode(originalForm.responseMode)