From 831729b4fffef3cf85c4d963b64ec150c95bae29 Mon Sep 17 00:00:00 2001
From: ElysaSrc <101974839+ElysaSrc@users.noreply.github.com>
Date: Mon, 1 Jul 2024 23:41:15 +0200
Subject: [PATCH 1/9] backend: extend access token

---
 .../20240701212445_extend_permissions.sql     |  2 +
 backend/src/api/map.rs                        | 55 ++++++++++++++++---
 backend/src/models/access_token.rs            |  5 ++
 frontend/openapi.json                         | 38 ++++++++++---
 4 files changed, 84 insertions(+), 16 deletions(-)
 create mode 100644 backend/migrations/20240701212445_extend_permissions.sql

diff --git a/backend/migrations/20240701212445_extend_permissions.sql b/backend/migrations/20240701212445_extend_permissions.sql
new file mode 100644
index 0000000..c0d580a
--- /dev/null
+++ b/backend/migrations/20240701212445_extend_permissions.sql
@@ -0,0 +1,2 @@
+UPDATE access_tokens
+SET permissions = permissions || '{"can_list_entities": true, "can_access_entity": true, "can_add_entity": true, "can_add_comment": true}'::jsonb;
diff --git a/backend/src/api/map.rs b/backend/src/api/map.rs
index 2085a80..089415b 100644
--- a/backend/src/api/map.rs
+++ b/backend/src/api/map.rs
@@ -120,8 +120,12 @@ pub async fn viewer_view_request(
 ) -> Result<AppJson<EntitiesAndClusters>, AppError> {
     tracing::trace!("Received view request {}", request);
 
+    if !token.perms.can_list_entities {
+        return Err(AppError::Forbidden);
+    }
+
     if !is_token_allowed_for_family(&token, &request.family_id) {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     let dyn_config = app_state.dyn_config.read().await;
@@ -206,8 +210,12 @@ async fn viewer_search_request(
 ) -> Result<AppJson<ViewerCachedEntitiesWithPagination>, AppError> {
     tracing::trace!("Received search request {}", request);
 
+    if !token.perms.can_list_entities {
+        return Err(AppError::Forbidden);
+    }
+
     if !is_token_allowed_for_family(&token, &request.family_id) {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     // Check if some of the constraints are forbidden
@@ -245,14 +253,14 @@ async fn viewer_search_request(
 #[derive(Serialize, Deserialize, ToSchema, Debug)]
 pub struct PublicNewEntityRequest {
     entity: PublicNewEntity,
-    comment: PublicNewComment,
+    comment: Option<PublicNewComment>,
     hcaptcha_token: Option<String>,
 }
 
 #[derive(Serialize, Deserialize, ToSchema, Debug)]
 pub struct PublicNewEntityResponse {
     entity: PublicEntity,
-    comment: PublicComment,
+    comment: Option<PublicComment>,
 }
 
 async fn check_captcha(state: AppState, response: Option<String>) -> Result<(), AppError> {
@@ -299,16 +307,26 @@ async fn check_captcha(state: AppState, response: Option<String>) -> Result<(),
 async fn viewer_new_entity(
     DbConn(mut conn): DbConn,
     State(state): State<AppState>,
+    token: MapUserTokenClaims,
     Json(request): Json<PublicNewEntityRequest>,
 ) -> Result<AppJson<PublicNewEntityResponse>, AppError> {
+    if !token.perms.can_add_entity {
+        return Err(AppError::Forbidden);
+    }
+
+    if !token.perms.can_add_comment && request.comment.is_some() {
+        return Err(AppError::Forbidden);
+    }
+
     check_captcha(state, request.hcaptcha_token).await?;
 
     let db_entity = PublicEntity::new(request.entity, &mut conn).await?;
+    let mut db_comment = None;
 
-    let mut new_comment = request.comment;
-    new_comment.entity_id = db_entity.id;
-
-    let db_comment = PublicComment::new(new_comment, &mut conn).await?;
+    if let Some(mut comment) = request.comment {
+        comment.entity_id = db_entity.id;
+        db_comment = Some(PublicComment::new(comment, &mut conn).await?);
+    }
 
     Ok(AppJson(PublicNewEntityResponse {
         entity: db_entity,
@@ -334,8 +352,19 @@ pub struct NewCommentRequest {
 async fn viewer_new_comment(
     DbConn(mut conn): DbConn,
     State(state): State<AppState>,
+    token: MapUserTokenClaims,
     Json(request): Json<NewCommentRequest>,
 ) -> Result<AppJson<PublicComment>, AppError> {
+    if !token.perms.can_add_comment {
+        return Err(AppError::Forbidden);
+    }
+
+    let target_entity = PublicEntity::get(request.comment.entity_id, &mut conn).await?;
+
+    if !is_token_allowed_for_family(&token, &target_entity.family_id) {
+        return Err(AppError::Forbidden);
+    }
+
     check_captcha(state, request.hcaptcha_token).await?;
     let db_comment = PublicComment::new(request.comment, &mut conn).await?;
     Ok(AppJson(db_comment))
@@ -371,8 +400,16 @@ async fn viewer_fetch_entity(
     Path(id): Path<Uuid>,
     Json(request): Json<FetchEntityRequest>,
 ) -> Result<AppJson<FetchedEntity>, AppError> {
+    if !token.perms.can_access_entity {
+        return Err(AppError::Forbidden);
+    }
+
     let entity = PublicEntity::get(id, &mut conn).await?;
 
+    if !is_token_allowed_for_family(&token, &entity.family_id) {
+        return Err(AppError::Forbidden);
+    }
+
     let can_read_entity = (token.perms.families_policy.allow_all
         || token
             .perms
@@ -463,7 +500,7 @@ async fn viewer_fetch_entity(
         .collect();
 
     if !can_read_entity && filtered_children.is_empty() {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     let comments = match token.perms.can_access_comments {
diff --git a/backend/src/models/access_token.rs b/backend/src/models/access_token.rs
index 3c85877..93572d9 100644
--- a/backend/src/models/access_token.rs
+++ b/backend/src/models/access_token.rs
@@ -11,7 +11,12 @@ pub struct Permissions {
     pub categories_policy: PermissionPolicy,
     pub tags_policy: PermissionPolicy,
     pub geographic_restrictions: Option<MultiPolygon>,
+
+    pub can_list_entities: bool,
+    pub can_access_entity: bool,
     pub can_access_comments: bool,
+    pub can_add_entity: bool,
+    pub can_add_comment: bool,
 }
 
 #[derive(Serialize, Deserialize, ToSchema, Clone, Debug)]
diff --git a/frontend/openapi.json b/frontend/openapi.json
index 56eaa1d..8aeb6e5 100644
--- a/frontend/openapi.json
+++ b/frontend/openapi.json
@@ -4002,12 +4002,28 @@
           "families_policy",
           "categories_policy",
           "tags_policy",
-          "can_access_comments"
+          "can_list_entities",
+          "can_access_entity",
+          "can_access_comments",
+          "can_add_entity",
+          "can_add_comment"
         ],
         "properties": {
           "can_access_comments": {
             "type": "boolean"
           },
+          "can_access_entity": {
+            "type": "boolean"
+          },
+          "can_add_comment": {
+            "type": "boolean"
+          },
+          "can_add_entity": {
+            "type": "boolean"
+          },
+          "can_list_entities": {
+            "type": "boolean"
+          },
           "categories_policy": {
             "$ref": "#/components/schemas/PermissionPolicy"
           },
@@ -4201,12 +4217,16 @@
       "PublicNewEntityRequest": {
         "type": "object",
         "required": [
-          "entity",
-          "comment"
+          "entity"
         ],
         "properties": {
           "comment": {
-            "$ref": "#/components/schemas/PublicNewComment"
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/PublicNewComment"
+              }
+            ],
+            "nullable": true
           },
           "entity": {
             "$ref": "#/components/schemas/PublicNewEntity"
@@ -4220,12 +4240,16 @@
       "PublicNewEntityResponse": {
         "type": "object",
         "required": [
-          "entity",
-          "comment"
+          "entity"
         ],
         "properties": {
           "comment": {
-            "$ref": "#/components/schemas/PublicComment"
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/PublicComment"
+              }
+            ],
+            "nullable": true
           },
           "entity": {
             "$ref": "#/components/schemas/PublicEntity"

From a0e76afcbc4e34c3e9bba237bcba8af1b9c34039 Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 01:11:29 +0200
Subject: [PATCH 2/9] frontend: add new permissions editing to access tokens

---
 frontend/lib.d.ts                           |  2 +-
 frontend/pages/admin/access-tokens/[id].vue | 57 ++++++++++++++++++++-
 2 files changed, 56 insertions(+), 3 deletions(-)

diff --git a/frontend/lib.d.ts b/frontend/lib.d.ts
index 07dd9ff..79f8fd1 100644
--- a/frontend/lib.d.ts
+++ b/frontend/lib.d.ts
@@ -18,7 +18,7 @@ export type Category = api.components['schemas']['Category']
 export type Tag = api.components['schemas']['Tag']
 
 export type PublicEntity = api.components['schemas']['PublicEntity']
-export type PublicListedEntity = api.components['schemas']['ListedEntity']
+export type PublicListedEntity = api.components['schemas']['PublicListedEntity']
 export type PublicNewEntity = api.components['schemas']['PublicNewEntity']
 export type PublicNewEntityRequest = api.components['schemas']['PublicNewEntityRequest']
 export type PublicNewEntityResponse = api.components['schemas']['PublicNewEntityResponse']
diff --git a/frontend/pages/admin/access-tokens/[id].vue b/frontend/pages/admin/access-tokens/[id].vue
index 1e27565..3d5c30f 100644
--- a/frontend/pages/admin/access-tokens/[id].vue
+++ b/frontend/pages/admin/access-tokens/[id].vue
@@ -24,10 +24,40 @@
       label="Actif"
     />
 
+    <Divider class="!my-2" />
+
+    <AdminInputSwitchField
+      id="list_entities"
+      v-model="editedAccessToken.permissions.can_list_entities"
+      label="Permission de lister les entités"
+      helper-text="Comprend le nom, la catégorie, les tags et la date de création de chaque entité"
+    />
+
+    <AdminInputSwitchField
+      id="access_entities"
+      v-model="editedAccessToken.permissions.can_access_entity"
+      label="Permission de consulter les entités"
+      :disabled="!editedAccessToken.permissions.can_list_entities"
+    />
+
+    <AdminInputSwitchField
+      id="add_entity"
+      v-model="editedAccessToken.permissions.can_add_entity"
+      label="Permission d'ajouter une entité"
+    />
+
     <AdminInputSwitchField
-      id="comments"
+      id="access_comments"
       v-model="editedAccessToken.permissions.can_access_comments"
-      label="Permission d'accès aux commentaires"
+      label="Permission de lister et consulter les commentaires"
+      :disabled="!editedAccessToken.permissions.can_access_entity"
+    />
+
+    <AdminInputSwitchField
+      id="add_comment"
+      v-model="editedAccessToken.permissions.can_add_comment"
+      label="Permission d'ajouter un commentaire"
+      :disabled="!editedAccessToken.permissions.can_list_entities"
     />
 
     <Divider class="!my-2" />
@@ -117,7 +147,11 @@ const editedAccessToken: Ref<NewOrUpdateAccessToken> = ref(
     ? {
         active: true,
         permissions: {
+          can_list_entities: false,
+          can_access_entity: false,
+          can_add_entity: false,
           can_access_comments: false,
+          can_add_comment: false,
           categories_policy: {
             allow_all: true,
             allow_list: [],
@@ -157,6 +191,25 @@ watch(geographicRestrictionsOn, (newValue) => {
 const processingRequest = ref(false)
 const toast = useToast()
 
+watch(
+  () => editedAccessToken.value.permissions.can_list_entities,
+  (newVal) => {
+    if (!newVal) {
+      editedAccessToken.value.permissions.can_access_entity = false
+      editedAccessToken.value.permissions.can_add_comment = false
+    }
+  },
+)
+
+watch(
+  () => editedAccessToken.value.permissions.can_access_entity,
+  (newVal) => {
+    if (!newVal) {
+      editedAccessToken.value.permissions.can_access_comments = false
+    }
+  },
+)
+
 const initAdminLayout = inject<InitAdminLayout>('initAdminLayout')!
 initAdminLayout(
   isNew ? `Édition d'un nouveau jeton` : `Édition du jeton ${fetchedAccessToken!.title}`,

From 9ffc5fc38dd3ce89e5b24c693620520f3fa3dc17 Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 01:50:38 +0200
Subject: [PATCH 3/9] backend, frontend: expose new permissions to the viewer
 and restrict ui and redirect accordingly

---
 backend/src/api/root.rs               |  8 ++++++++
 frontend/components/viewer/Navbar.vue |  1 +
 frontend/lib.d.ts                     |  7 +++++++
 frontend/lib/viewer-state.ts          | 15 +++++++++------
 frontend/openapi.json                 | 16 ++++++++++++++++
 frontend/pages/map/[token].vue        |  3 +++
 frontend/pages/search/[token].vue     |  8 ++++++++
 7 files changed, 52 insertions(+), 6 deletions(-)

diff --git a/backend/src/api/root.rs b/backend/src/api/root.rs
index 8a0c14e..6246f35 100644
--- a/backend/src/api/root.rs
+++ b/backend/src/api/root.rs
@@ -70,7 +70,11 @@ pub struct BootstrapResponse {
     categories: Vec<Category>,
     allowed_categories: Vec<Uuid>,
     allowed_tags: Vec<Uuid>,
+    can_list_entities: bool,
+    can_access_entity: bool,
+    can_add_entity: bool,
     can_access_comments: bool,
+    can_add_comment: bool,
     tags: Vec<Tag>,
     cartography_init_config: CartographyInitConfig,
 }
@@ -177,7 +181,11 @@ async fn bootstrap(
         categories,
         allowed_categories,
         allowed_tags,
+        can_list_entities: perms.can_list_entities,
+        can_access_entity: perms.can_access_entity,
+        can_add_entity: perms.can_add_entity,
         can_access_comments: perms.can_access_comments,
+        can_add_comment: perms.can_add_comment,
         tags,
         cartography_init_config: dyn_config.cartography_init.clone(),
     };
diff --git a/frontend/components/viewer/Navbar.vue b/frontend/components/viewer/Navbar.vue
index 5ee4a9c..b9a24c3 100644
--- a/frontend/components/viewer/Navbar.vue
+++ b/frontend/components/viewer/Navbar.vue
@@ -353,6 +353,7 @@
   </Dialog>
 
   <ViewerEntityAddForm
+    v-if="state.permissions?.can_add_entity"
     ref="entityAddForm"
     :family="state.activeFamily"
     :categories="
diff --git a/frontend/lib.d.ts b/frontend/lib.d.ts
index 79f8fd1..3c589b2 100644
--- a/frontend/lib.d.ts
+++ b/frontend/lib.d.ts
@@ -71,6 +71,13 @@ export type AccessToken = api.components['schemas']['AccessToken']
     permissions: Permissions & { geographic_restrictions: null | [number, number][][] }
   }
 export type AccessTokenStats = api.components['schemas']['AccessTokenStats']
+export type PublicPermissions = {
+  can_list_entities: boolean
+  can_access_entity: boolean
+  can_add_entity: boolean
+  can_access_comments: boolean
+  can_add_comment: boolean
+}
 
 export type User = api.components['schemas']['User']
 export type NewOrUpdatedUser = api.components['schemas']['NewOrUpdatedUser']
diff --git a/frontend/lib/viewer-state.ts b/frontend/lib/viewer-state.ts
index 4136115..3b455c2 100644
--- a/frontend/lib/viewer-state.ts
+++ b/frontend/lib/viewer-state.ts
@@ -12,6 +12,7 @@ import type {
   FetchedEntity,
   InitConfig,
   EnumFilter,
+  PublicPermissions,
 } from '~/lib'
 
 type ViewData = {
@@ -32,11 +33,11 @@ export class AppState {
   }
 
   public initConfig: InitConfig | null = null
+  public permissions: PublicPermissions | null = null
 
   private familiesData: Family[] | null = null
   private categoriesData: AllowedCategory[] | null = null
   private tagsData: AllowedTag[] | null = null
-  private canAccessCommentsData = false
 
   private familiesLookupTable: Record<string, Family> = {}
   private categoriesLookupTable: Record<string, Category> = {}
@@ -85,10 +86,6 @@ export class AppState {
       )
   }
 
-  get canAccessComments() {
-    return this.canAccessCommentsData
-  }
-
   get activeHiddenTags() {
     return this.filteringTags.filter(t => t.active === false).map(t => t.id)
   }
@@ -279,7 +276,13 @@ export class AppState {
       this.tagsLookupTable[tag.id] = tag
     })
 
-    this.canAccessCommentsData = data.can_access_comments
+    this.permissions = {
+      can_list_entities: data.can_list_entities,
+      can_access_entity: data.can_access_entity,
+      can_add_entity: data.can_add_entity,
+      can_access_comments: data.can_access_comments,
+      can_add_comment: data.can_add_comment,
+    }
 
     if (this.familiesData.length === 0) {
       throw new Error('No families available')
diff --git a/frontend/openapi.json b/frontend/openapi.json
index 8aeb6e5..9b8d4c9 100644
--- a/frontend/openapi.json
+++ b/frontend/openapi.json
@@ -3194,7 +3194,11 @@
           "categories",
           "allowed_categories",
           "allowed_tags",
+          "can_list_entities",
+          "can_access_entity",
+          "can_add_entity",
           "can_access_comments",
+          "can_add_comment",
           "tags",
           "cartography_init_config"
         ],
@@ -3216,6 +3220,18 @@
           "can_access_comments": {
             "type": "boolean"
           },
+          "can_access_entity": {
+            "type": "boolean"
+          },
+          "can_add_comment": {
+            "type": "boolean"
+          },
+          "can_add_entity": {
+            "type": "boolean"
+          },
+          "can_list_entities": {
+            "type": "boolean"
+          },
           "cartography_init_config": {
             "$ref": "#/components/schemas/CartographyInitConfig"
           },
diff --git a/frontend/pages/map/[token].vue b/frontend/pages/map/[token].vue
index bfedff0..827a30a 100644
--- a/frontend/pages/map/[token].vue
+++ b/frontend/pages/map/[token].vue
@@ -47,6 +47,7 @@
         </div>
       </template>
       <ViewerCommentAddForm
+        v-if="state.permissions?.can_add_comment"
         :family="state.activeEntity!.family"
         :entity="state.activeEntity!.entity"
       />
@@ -77,6 +78,8 @@ const route = useRoute()
 const token = route.params.token as string
 try {
   await state.bootstrapWithToken(token)
+  if (!state.permissions?.can_access_entity)
+    throw 'Unauthorized'
 }
 catch {
   toast.add({
diff --git a/frontend/pages/search/[token].vue b/frontend/pages/search/[token].vue
index 95d1f74..ddd24a6 100644
--- a/frontend/pages/search/[token].vue
+++ b/frontend/pages/search/[token].vue
@@ -170,6 +170,12 @@
         </div>
       </template>
 
+      <ViewerCommentAddForm
+        v-if="state.permissions?.can_add_comment"
+        :family="state.activeEntity!.family"
+        :entity="state.activeEntity!.entity"
+      />
+
       <ViewerCommonEntityDisplayer
         v-if="state.activeEntity"
         :entity="state.activeEntity!"
@@ -210,6 +216,8 @@ const route = useRoute()
 const token = route.params.token as string
 try {
   await state.bootstrapWithToken(token)
+  if (!state.permissions?.can_access_entity)
+    throw 'Unauthorized'
 }
 catch {
   toast.add({

From 15b0b11481a9ab6634c3f5862902c184f33e2882 Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 03:42:12 +0200
Subject: [PATCH 4/9] frontend: search page now support pure addition modes

---
 frontend/components/viewer/CommentAddForm.vue |  4 ++--
 frontend/components/viewer/FullResult.vue     | 14 +++++++++-----
 frontend/components/viewer/Navbar.vue         |  2 ++
 frontend/pages/admin/access-tokens/[id].vue   |  2 +-
 frontend/pages/search/[token].vue             | 16 +++++++---------
 5 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/frontend/components/viewer/CommentAddForm.vue b/frontend/components/viewer/CommentAddForm.vue
index 26456b3..9231293 100644
--- a/frontend/components/viewer/CommentAddForm.vue
+++ b/frontend/components/viewer/CommentAddForm.vue
@@ -113,7 +113,7 @@
 </template>
 
 <script setup lang="ts">
-import type { EntityOrCommentData, Family, FormField, PublicEntity, PublicNewComment } from '~/lib'
+import type { EntityOrCommentData, Family, FormField, PublicEntity, PublicNewComment, ViewerSearchedCachedEntity } from '~/lib'
 import { isValidRichText, isValidText } from '~/lib/validation'
 import state from '~/lib/viewer-state'
 
@@ -121,7 +121,7 @@ const formVisible = ref(false)
 
 const props = defineProps<{
   family: Family
-  entity: PublicEntity
+  entity: PublicEntity | ViewerSearchedCachedEntity
 }>()
 
 const processingRequest = ref(false)
diff --git a/frontend/components/viewer/FullResult.vue b/frontend/components/viewer/FullResult.vue
index bc31689..53e56e7 100644
--- a/frontend/components/viewer/FullResult.vue
+++ b/frontend/components/viewer/FullResult.vue
@@ -54,6 +54,7 @@
           <div class="flex flex-col md:items-end gap-8">
             <div class="flex flex-row-reverse md:flex-row gap-2">
               <Button
+                v-if="state.permissions?.can_access_entity"
                 label="Voir en détail"
                 class="flex-auto md:flex-initial whitespace-nowrap"
                 @click="changeActiveEntity(props.entity)"
@@ -62,6 +63,11 @@
                   <AppIcon icon-name="eye" />
                 </template>
               </Button>
+              <ViewerCommentAddForm
+                v-if="state.permissions?.can_add_comment && !state.permissions.can_access_entity"
+                :family="state.activeFamily"
+                :entity="props.entity"
+              />
             </div>
           </div>
         </div>
@@ -71,18 +77,16 @@
 </template>
 
 <script setup lang="ts">
-import type { ViewerPaginatedCachedEntities } from '~/lib'
+import type { ViewerSearchedCachedEntity } from '~/lib'
 import state from '~/lib/viewer-state'
 
-type ReceivedEntity = ViewerPaginatedCachedEntities['entities'][0]
-
 const props = defineProps<{
-  entity: ReceivedEntity
+  entity: ViewerSearchedCachedEntity
 }>()
 
 const locations = computed(() => props.entity.locations.map(loc => [loc.x, loc.y]))
 
-function changeActiveEntity(entity: ReceivedEntity) {
+function changeActiveEntity(entity: ViewerSearchedCachedEntity) {
   state.selectEntity(entity.entity_id)
 }
 </script>
diff --git a/frontend/components/viewer/Navbar.vue b/frontend/components/viewer/Navbar.vue
index b9a24c3..4dc6f10 100644
--- a/frontend/components/viewer/Navbar.vue
+++ b/frontend/components/viewer/Navbar.vue
@@ -98,6 +98,7 @@
               </Button>
 
               <Button
+                v-if="state.permissions?.can_add_entity"
                 label="Ajouter"
                 severity="info"
                 @click="openAddModal()"
@@ -161,6 +162,7 @@
           </Button>
 
           <Button
+            v-if="state.permissions?.can_add_entity"
             label="Ajouter"
             severity="info"
             @click="openAddModal()"
diff --git a/frontend/pages/admin/access-tokens/[id].vue b/frontend/pages/admin/access-tokens/[id].vue
index 3d5c30f..c2c800e 100644
--- a/frontend/pages/admin/access-tokens/[id].vue
+++ b/frontend/pages/admin/access-tokens/[id].vue
@@ -30,7 +30,7 @@
       id="list_entities"
       v-model="editedAccessToken.permissions.can_list_entities"
       label="Permission de lister les entités"
-      helper-text="Comprend le nom, la catégorie, les tags et la date de création de chaque entité"
+      helper-text="Comprend le nom, la catégorie, les tags, les parents, les adresses et la date de création de chaque entité"
     />
 
     <AdminInputSwitchField
diff --git a/frontend/pages/search/[token].vue b/frontend/pages/search/[token].vue
index ddd24a6..f6de94e 100644
--- a/frontend/pages/search/[token].vue
+++ b/frontend/pages/search/[token].vue
@@ -9,7 +9,10 @@
       :show-search-button="false"
     />
 
-    <Card class="m-2 p-2">
+    <Card
+      v-if="state.permissions?.can_list_entities"
+      class="m-2 p-2"
+    >
       <template #header>
         <span class="text-2xl font-bold">
           Recherche
@@ -151,18 +154,16 @@
     </Card>
 
     <Dialog
+      v-if="state.hasActiveEntity"
       v-model:visible="state.hasActiveEntity"
       maximizable
       :style="{ width: '50rem' }"
       :breakpoints="{ '1199px': '75vw', '575px': '90vw' }"
       modal
+      dismissable-mask
     >
       <template #header>
-        <div
-          v-if="
-            state.activeEntity"
-          class="flex items-center gap-2"
-        >
+        <div class="flex items-center gap-2">
           <CategoryTag :category="state.activeEntity!.category" />
           <h3 class="grow font-bold text-lg m-0">
             {{ state.activeEntity!.entity.display_name }}
@@ -177,7 +178,6 @@
       />
 
       <ViewerCommonEntityDisplayer
-        v-if="state.activeEntity"
         :entity="state.activeEntity!"
         :categories="state.categories"
         @entity-selected="displayEntityId"
@@ -216,8 +216,6 @@ const route = useRoute()
 const token = route.params.token as string
 try {
   await state.bootstrapWithToken(token)
-  if (!state.permissions?.can_access_entity)
-    throw 'Unauthorized'
 }
 catch {
   toast.add({

From 7e16ad59e0413de0c67b4a3707f037b55f963dbd Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 04:13:02 +0200
Subject: [PATCH 5/9] frontend: add entity add page

---
 frontend/pages/add/[token].vue    | 89 +++++++++++++++++++++++++++++++
 frontend/pages/search/[token].vue |  3 +-
 2 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 frontend/pages/add/[token].vue

diff --git a/frontend/pages/add/[token].vue b/frontend/pages/add/[token].vue
new file mode 100644
index 0000000..11595a7
--- /dev/null
+++ b/frontend/pages/add/[token].vue
@@ -0,0 +1,89 @@
+<template>
+  <div class="flex flex-col justify-center items-center h-full gap-8 hot-pink-bg">
+    <StartPopup />
+
+    <Card class="p-3 m-2">
+      <template #title>
+        <div class="flex items-center">
+          <img
+            height="40"
+            width="40"
+            alt="icon"
+            :src="state.logo ?? defaultLogo"
+          >
+          <div class="pl-2 xl:pl-4">
+            <div class="my-0 text-lg font-extrabold">
+              {{ state.title }}
+            </div>
+            <div class="text-xs italic">
+              {{ state.subtitle }}
+            </div>
+          </div>
+        </div>
+      </template>
+      <template #content>
+        <div class="flex flex-col gap-6">
+          <Divider class="!mb-0" />
+          <ViewerFamilySwitcher />
+
+          <Button
+            label="Ajouter"
+            @click="entityAddForm!.open()"
+          >
+            <template #icon>
+              <AppIcon
+                icon-name="addEntity"
+              />
+            </template>
+          </Button>
+          <ViewerEntityAddForm
+            ref="entityAddForm"
+            :family="state.activeFamily"
+            :categories="
+              state.categories
+                .filter(category => category.family_id == state.activeFamily.id)
+            "
+          />
+        </div>
+      </template>
+    </Card>
+    <Toast />
+  </div>
+</template>
+
+<script setup lang="ts">
+import state from '~/lib/viewer-state'
+import defaultLogo from '~/assets/logo_square.svg'
+import type { ViewerEntityAddForm } from '#build/components'
+
+const toast = useToast()
+
+// Init state with url token
+const route = useRoute()
+const token = route.params.token as string
+try {
+  await state.bootstrapWithToken(token)
+  if (!state.permissions?.can_add_entity)
+    throw 'Unauthorized'
+}
+catch {
+  toast.add({
+    severity: 'error',
+    summary: 'Erreur',
+    detail: 'Impossible de charger la carte',
+    life: 3000,
+  })
+  if (state.redirectUrl) {
+    window.location.href = state.redirectUrl
+  }
+  else {
+    throw createError({
+      statusCode: 404,
+      statusMessage: 'Page Not Found',
+      fatal: true,
+    })
+  }
+}
+
+const entityAddForm = ref<InstanceType<typeof ViewerEntityAddForm>>()
+</script>
diff --git a/frontend/pages/search/[token].vue b/frontend/pages/search/[token].vue
index f6de94e..a0a43e5 100644
--- a/frontend/pages/search/[token].vue
+++ b/frontend/pages/search/[token].vue
@@ -10,7 +10,6 @@
     />
 
     <Card
-      v-if="state.permissions?.can_list_entities"
       class="m-2 p-2"
     >
       <template #header>
@@ -216,6 +215,8 @@ const route = useRoute()
 const token = route.params.token as string
 try {
   await state.bootstrapWithToken(token)
+  if (!state.permissions?.can_list_entities)
+    throw 'Unauthorized'
 }
 catch {
   toast.add({

From 97463f7d21ef238e2266073ea1e42d37c1049423 Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 17:12:26 +0200
Subject: [PATCH 6/9] frontend: decorrelate addition of entity and comment

---
 frontend/components/viewer/EntityAddForm.vue | 37 +++++++++++++-------
 frontend/pages/admin/access-tokens/[id].vue  | 13 +++++--
 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/frontend/components/viewer/EntityAddForm.vue b/frontend/components/viewer/EntityAddForm.vue
index aeee7df..7c44c23 100644
--- a/frontend/components/viewer/EntityAddForm.vue
+++ b/frontend/components/viewer/EntityAddForm.vue
@@ -12,7 +12,7 @@
       v-for="page in Array.from({ length: entityPageCount+1 }, (_, i) => i)"
       :key="`EntityPage${page}`"
       class="flex grow flex-col gap-4"
-      @submit.prevent="curr_page += 1"
+      @submit.prevent="include_comment || curr_page < lastNonCaptchaPage ? curr_page += 1 : onSave()"
     >
       <div
         v-if="curr_page == page"
@@ -34,6 +34,13 @@
           <FormAdresses
             v-model:locations="editedEntity!.locations"
           />
+
+          <AdminInputSwitchField
+            v-if="state.permissions?.can_add_comment"
+            id="include_comment"
+            label="Ajouter un commentaire"
+            v-model:="include_comment"
+          />
         </template>
         <template v-else>
           <FormDynamicField
@@ -53,9 +60,9 @@
             @click="curr_page -= 1"
           />
           <Button
-            :label="curr_page == entityPageCount ? 'Suivant' : 'Suivant'"
+            :label="include_comment || curr_page < entityPageCount ? 'Suivant' : 'Sauvegarder'"
             type="submit"
-            outlined
+            :outlined="include_comment || curr_page < entityPageCount"
             :disabled="!isEntityPageValid(page)"
           />
         </span>
@@ -64,10 +71,10 @@
 
     <!-- Comment Form Pages -->
     <form
-      v-for="page in Array.from({ length: commentPageCount+2 }, (_, i) => i)"
+      v-for="page in Array.from({ length: commentPageCount + 2 }, (_, i) => i)"
       :key="`CommentPage${page}`"
       class="flex grow flex-col gap-4 max-w-[30rem]"
-      @submit.prevent="curr_page < (entityPageCount + commentPageCount + 1) ? curr_page += 1 : onSave()"
+      @submit.prevent="curr_page < lastNonCaptchaPage ? curr_page += 1 : onSave()"
     >
       <div
         v-if="curr_page == entityPageCount + 1 + page"
@@ -110,9 +117,9 @@
             @click="curr_page -= 1"
           />
           <Button
-            :label="curr_page == (entityPageCount + commentPageCount + 1) ? 'Sauvegarder' : 'Suivant'"
+            :label="curr_page == lastNonCaptchaPage ? 'Sauvegarder' : 'Suivant'"
             type="submit"
-            :outlined="curr_page != (entityPageCount + commentPageCount + 1)"
+            :outlined="curr_page != lastNonCaptchaPage"
             :loading="processingRequest"
             :disabled="processingRequest || !isCommentPageValid(page)"
           />
@@ -185,6 +192,10 @@ const curr_page = ref(0)
 const entityPageCount = ref(0)
 const commentPageCount = ref(0)
 
+const include_comment = ref(!!state.permissions?.can_add_comment)
+const lastNonCaptchaPage = computed(() => include_comment.value ? entityPageCount.value + commentPageCount.value + 1 : entityPageCount.value)
+const captchaPage = computed(() => entityPageCount.value + commentPageCount.value + 2)
+
 const entityFieldValid = ref(
   props.family.entity_form.fields
     .reduce((acc, field) => {
@@ -236,7 +247,7 @@ watch(
 watch(
   () => formVisible.value,
   (__, _) => {
-    curr_page.value = Math.min(curr_page.value, entityPageCount.value + commentPageCount.value + 1)
+    curr_page.value = Math.min(curr_page.value, lastNonCaptchaPage.value)
   },
 )
 
@@ -293,7 +304,7 @@ function hCaptchaError() {
 
 async function onSave() {
   if (state.hasSafeModeEnabled) {
-    curr_page.value += 1
+    curr_page.value = captchaPage.value
   }
   else {
     await realOnSave(null)
@@ -305,15 +316,17 @@ async function realOnSave(token: string | null) {
   try {
     await state.client.createEntity({
       entity: editedEntity.value,
-      comment: editedComment.value,
+      comment: include_comment.value ? editedComment.value : null,
       hcaptcha_token: token,
     })
     formVisible.value = false
-    toast.add({ severity: 'success', summary: 'Succès', detail: 'Entité et commentaire ajoutés avec succès', life: 3000 })
+    toast.add({ severity: 'success', summary: 'Succès',
+      detail: include_comment.value ? 'Entité et commentaire ajoutés avec succès' : 'Entité ajoutée avec succès', life: 3000 })
     reset_refs()
   }
   catch {
-    toast.add({ severity: 'error', summary: 'Erreur', detail: 'Erreur lors de l\'ajout de l\'entité ou du commentaire', life: 3000 })
+    toast.add({ severity: 'error', summary: 'Erreur',
+      detail: include_comment.value ? 'Erreur lors de l\'ajout de l\'entité ou du commentaire' : 'Erreur lors de l\'ajout de l\'entité', life: 3000 })
   }
   processingRequest.value = false
 }
diff --git a/frontend/pages/admin/access-tokens/[id].vue b/frontend/pages/admin/access-tokens/[id].vue
index c2c800e..170e9a0 100644
--- a/frontend/pages/admin/access-tokens/[id].vue
+++ b/frontend/pages/admin/access-tokens/[id].vue
@@ -57,7 +57,7 @@
       id="add_comment"
       v-model="editedAccessToken.permissions.can_add_comment"
       label="Permission d'ajouter un commentaire"
-      :disabled="!editedAccessToken.permissions.can_list_entities"
+      :disabled="!editedAccessToken.permissions.can_list_entities && !editedAccessToken.permissions.can_add_entity"
     />
 
     <Divider class="!my-2" />
@@ -191,12 +191,21 @@ watch(geographicRestrictionsOn, (newValue) => {
 const processingRequest = ref(false)
 const toast = useToast()
 
+watch(
+  () => editedAccessToken.value.permissions.can_add_entity,
+  (newVal) => {
+    if (!newVal) {
+      editedAccessToken.value.permissions.can_add_comment &&= editedAccessToken.value.permissions.can_list_entities
+    }
+  },
+)
+
 watch(
   () => editedAccessToken.value.permissions.can_list_entities,
   (newVal) => {
     if (!newVal) {
       editedAccessToken.value.permissions.can_access_entity = false
-      editedAccessToken.value.permissions.can_add_comment = false
+      editedAccessToken.value.permissions.can_add_comment &&= editedAccessToken.value.permissions.can_add_entity
     }
   },
 )

From bdb907edbf416a9638684ad0ed5ade4673072cfc Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Tue, 2 Jul 2024 18:11:28 +0200
Subject: [PATCH 7/9] frontend: remove map button if can't access entity and
 add helper text

---
 frontend/pages/search/[token].vue | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/frontend/pages/search/[token].vue b/frontend/pages/search/[token].vue
index a0a43e5..9051118 100644
--- a/frontend/pages/search/[token].vue
+++ b/frontend/pages/search/[token].vue
@@ -5,7 +5,7 @@
       :show-category-switcher="false"
       :show-search="false"
       :show-family-switcher="false"
-      :show-map-button="true"
+      :show-map-button="state.permissions?.can_access_entity"
       :show-search-button="false"
     />
 
@@ -13,9 +13,17 @@
       class="m-2 p-2"
     >
       <template #header>
-        <span class="text-2xl font-bold">
-          Recherche
-        </span>
+        <div class="flex flex-col gap-1">
+          <span class="text-2xl font-bold">
+            Recherche
+          </span>
+          <span
+            v-if="state.permissions?.can_add_comment && !state.permissions?.can_access_entity"
+            class="text-muted-color"
+          >
+            Pour ajouter un commentaire, veuillez d'abord rechercher l'entité à laquelle vous désirez l'ajouter
+          </span>
+        </div>
       </template>
 
       <template #content>

From 7f1b7e68bf87ba1e2786b46d888e5ce7c8c3e39b Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Wed, 3 Jul 2024 16:15:02 +0200
Subject: [PATCH 8/9] frontend: fix login redirect and user validation

---
 frontend/pages/admin/login.vue      |  3 ++-
 frontend/pages/admin/users/[id].vue | 12 +++++-------
 frontend/pages/admin/users/self.vue |  7 ++++---
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/frontend/pages/admin/login.vue b/frontend/pages/admin/login.vue
index b98afdb..a51baa2 100644
--- a/frontend/pages/admin/login.vue
+++ b/frontend/pages/admin/login.vue
@@ -90,10 +90,11 @@ const awaiting_auth_response: Ref<boolean> = ref(false)
 
 const redirect_query_param = useRoute().query.redirect
 let redirectUrl = '/admin/home'
+
 // type checking of the query parameter to correspond to the signature of navigateTo
 if (typeof redirect_query_param === 'string') {
   // matching to keep only internal urls
-  const match = redirect_query_param.match('/admin*')
+  const match = redirect_query_param.match(/\/admin\/.+/)
   if (match) {
     redirectUrl = match[0]
   }
diff --git a/frontend/pages/admin/users/[id].vue b/frontend/pages/admin/users/[id].vue
index 2a6da8d..2d41c2e 100644
--- a/frontend/pages/admin/users/[id].vue
+++ b/frontend/pages/admin/users/[id].vue
@@ -24,7 +24,7 @@
     />
 
     <div
-      :hidden="!editPassword && !isNew"
+      :hidden="!editPassword"
       class="flex-col gap-4"
       :class="{ flex: isNew || editPassword }"
     >
@@ -34,11 +34,10 @@
       <Password
         v-model="newPassword"
         input-id="password"
-        :disabled="!isNew && !editPassword"
         toggle-mask
         class="-mt-2"
         input-class="w-full"
-        :invalid="editPassword && (newPassword!=newPasswordConfirm || !newPassword)"
+        :invalid="editPassword && !isValidText(newPassword)"
       />
       <label for="passwordConfirm">
         Confirmer le nouveau mot de passe :
@@ -46,11 +45,10 @@
       <Password
         v-model="newPasswordConfirm"
         input-id="passwordConfirm"
-        :disabled="!isNew && !editPassword"
         toggle-mask
         class="-mt-2"
         input-class="w-full"
-        :invalid="editPassword && (newPassword!=newPasswordConfirm || !newPassword)"
+        :invalid="editPassword && newPassword!=newPasswordConfirm"
       />
     </div>
 
@@ -90,7 +88,7 @@ const user = ref(isNew
   : await state.client.getUser(userId),
 )
 
-const editPassword = ref(false)
+const editPassword = ref(isNew)
 const newPassword = ref('')
 const newPasswordConfirm = ref('')
 
@@ -103,7 +101,7 @@ definePageMeta({
 
 function isDisabled() {
   return processingRequest.value
-    || (editPassword.value && (newPassword.value != newPasswordConfirm.value || !!isValidText(newPassword.value)))
+    || (editPassword.value && (newPassword.value != newPasswordConfirm.value || !isValidText(newPassword.value)))
     || !isValidText(user.value.name)
 }
 
diff --git a/frontend/pages/admin/users/self.vue b/frontend/pages/admin/users/self.vue
index bc5b06a..150b61a 100644
--- a/frontend/pages/admin/users/self.vue
+++ b/frontend/pages/admin/users/self.vue
@@ -31,7 +31,7 @@
         toggle-mask
         class=" -mt-2"
         input-class="w-full"
-        :invalid="editPassword && (newPassword!=newPasswordConfirm || !newPassword)"
+        :invalid="editPassword && !isValidText(newPassword)"
       />
       <label
         for="passwordConfirm"
@@ -46,7 +46,7 @@
         toggle-mask
         class="-mt-2"
         input-class="w-full"
-        :invalid="editPassword && (newPassword!=newPasswordConfirm || !newPassword)"
+        :invalid="editPassword && newPassword!=newPasswordConfirm"
       />
     </div>
 
@@ -66,7 +66,7 @@
         label="Sauvegarder"
         type="submit"
         :loading="processingRequest"
-        :disabled="processingRequest || (newPassword!=newPasswordConfirm || !newPassword)"
+        :disabled="processingRequest || (newPassword!=newPasswordConfirm || !isValidText(newPassword))"
       />
     </span>
   </form>
@@ -75,6 +75,7 @@
 <script setup lang="ts">
 import type { InitAdminLayout } from '~/layouts/admin-ui.vue'
 import state from '~/lib/admin-state'
+import { isValidText } from '~/lib/validation'
 
 const editPassword = ref(false)
 const newPassword = ref('')

From 99b9dcfcd6e0ba1180e8338e10c3a48eda867c2f Mon Sep 17 00:00:00 2001
From: "Alice K." <alice.khoudli@polytechnique.org>
Date: Wed, 3 Jul 2024 17:36:06 +0200
Subject: [PATCH 9/9] frontend: add soft redirects on admin restricted pages

---
 .../pages/admin/families/[id]/comments.vue     |  3 +++
 .../pages/admin/families/[id]/entities.vue     |  3 +++
 frontend/pages/admin/families/[id]/general.vue |  3 +++
 frontend/pages/admin/families/index.vue        | 18 ++++++++++--------
 .../pages/admin/families/new-icon-[id].vue     |  3 +++
 frontend/pages/admin/families/new.vue          |  3 +++
 frontend/pages/admin/users/[id].vue            |  3 +++
 frontend/pages/admin/users/index.vue           |  3 +++
 8 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/frontend/pages/admin/families/[id]/comments.vue b/frontend/pages/admin/families/[id]/comments.vue
index ddc4440..c52e01b 100644
--- a/frontend/pages/admin/families/[id]/comments.vue
+++ b/frontend/pages/admin/families/[id]/comments.vue
@@ -23,6 +23,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const id = useRoute().params.id as string
 
 const fetchedFamily = await state.client.getFamily(id)
diff --git a/frontend/pages/admin/families/[id]/entities.vue b/frontend/pages/admin/families/[id]/entities.vue
index 4d3780f..e9f73d4 100644
--- a/frontend/pages/admin/families/[id]/entities.vue
+++ b/frontend/pages/admin/families/[id]/entities.vue
@@ -43,6 +43,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const id = useRoute().params.id as string
 
 const fetchedFamily = await state.client.getFamily(id)
diff --git a/frontend/pages/admin/families/[id]/general.vue b/frontend/pages/admin/families/[id]/general.vue
index f180879..d3c1227 100644
--- a/frontend/pages/admin/families/[id]/general.vue
+++ b/frontend/pages/admin/families/[id]/general.vue
@@ -82,6 +82,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const id = useRoute().params.id as string
 
 const fetchedFamily = await state.client.getFamily(id)
diff --git a/frontend/pages/admin/families/index.vue b/frontend/pages/admin/families/index.vue
index 7b718f1..9119fa8 100644
--- a/frontend/pages/admin/families/index.vue
+++ b/frontend/pages/admin/families/index.vue
@@ -123,14 +123,16 @@ const initAdminLayout = inject<InitAdminLayout>('initAdminLayout')!
 initAdminLayout(
   'Familles',
   'family',
-  [
-    {
-      icon: 'add',
-      label: 'Nouvelle famille',
-      severity: 'success',
-      url: `/admin/families/new`,
-    },
-  ],
+  state.is_admin
+    ? [
+        {
+          icon: 'add',
+          label: 'Nouvelle famille',
+          severity: 'success',
+          url: `/admin/families/new`,
+        },
+      ]
+    : [],
   [
     { label: 'Familles', url: '/admin/families' },
   ],
diff --git a/frontend/pages/admin/families/new-icon-[id].vue b/frontend/pages/admin/families/new-icon-[id].vue
index 5e4354c..7cace31 100644
--- a/frontend/pages/admin/families/new-icon-[id].vue
+++ b/frontend/pages/admin/families/new-icon-[id].vue
@@ -25,6 +25,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const id = useRoute().params.id as string
 
 const fetchedFamily = await state.fetchFamily(id)
diff --git a/frontend/pages/admin/families/new.vue b/frontend/pages/admin/families/new.vue
index 98b443b..7142cce 100644
--- a/frontend/pages/admin/families/new.vue
+++ b/frontend/pages/admin/families/new.vue
@@ -59,6 +59,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 if (state.families == undefined)
   await state.fetchFamilies()
 
diff --git a/frontend/pages/admin/users/[id].vue b/frontend/pages/admin/users/[id].vue
index 2d41c2e..3663321 100644
--- a/frontend/pages/admin/users/[id].vue
+++ b/frontend/pages/admin/users/[id].vue
@@ -79,6 +79,9 @@ import type { NewOrUpdatedUser } from '~/lib'
 import state from '~/lib/admin-state'
 import { isValidText } from '~/lib/validation'
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const userId = useRoute().params.id as string
 
 const isNew = (userId === 'new')
diff --git a/frontend/pages/admin/users/index.vue b/frontend/pages/admin/users/index.vue
index 560d5bb..5fc7834 100644
--- a/frontend/pages/admin/users/index.vue
+++ b/frontend/pages/admin/users/index.vue
@@ -111,6 +111,9 @@ definePageMeta({
   layout: 'admin-ui',
 })
 
+if (!state.is_admin)
+  navigateTo('/admin/home')
+
 const initAdminLayout = inject<InitAdminLayout>('initAdminLayout')!
 initAdminLayout(
   'Utilisateur⋅ices',