From ce025f3ee1d955cf2385f273504b75eb102d7939 Mon Sep 17 00:00:00 2001
From: araddcc002
Date: Wed, 17 Jul 2024 10:41:54 +0000
Subject: [PATCH] added more validation for editing access requests
---
 backend/src/services/accessRequest.ts | 14 ++++++++++++++
 .../accessRequests/EditableAccessRequestForm.tsx | 12 +++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/backend/src/services/accessRequest.ts b/backend/src/services/accessRequest.ts
index 793c1286b..82f1f52e4 100644
--- a/backend/src/services/accessRequest.ts
+++ b/backend/src/services/accessRequest.ts
@@ -127,6 +127,20 @@ export async function updateAccessRequest(
 throw Forbidden(auth.info, { userDn: user.dn, accessRequestId })
 }
+ // Ensure that the AR meets the schema
+ const schema = await findSchemaById(accessRequest.schemaId)
+ try {
+ new Validator().validate(accessRequest.metadata, schema.jsonSchema, { throwAll: true, required: true })
+ } catch (error) {
+ if (isValidatorResultError(error)) {
+ throw BadReq('Access Request Metadata could not be validated against the schema.', {
+ schemaId: accessRequest.schemaId,
+ validationErrors: error.errors,
+ })
+ }
+ throw error
+ }
+
 if (diff.metadata) {
 accessRequest.metadata = diff.metadata
 accessRequest.markModified('metadata')
diff --git a/frontend/src/entry/model/accessRequests/EditableAccessRequestForm.tsx b/frontend/src/entry/model/accessRequests/EditableAccessRequestForm.tsx
index 281e99e21..9b4061405 100644
--- a/frontend/src/entry/model/accessRequests/EditableAccessRequestForm.tsx
+++ b/frontend/src/entry/model/accessRequests/EditableAccessRequestForm.tsx
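Review bot: In `updateAccessRequest` (backend/src/services/accessRequest.ts) the new schema check validates `accessRequest.metadata`, the stored value, before the following `if (diff.metadata)` block assigns the submitted metadata, so as far as this hunk shows the incoming `diff.metadata` is never checked server-side and a direct PATCH can still persist metadata that violates the schema. The same ordering rejects an edit that would repair a record whose stored metadata is already invalid. Moving the `try`/`catch` below the assignment, or validating the submitted value with `new Validator().validate(diff.metadata ?? accessRequest.metadata, schema.jsonSchema, { throwAll: true, required: true })`, makes the backend the authoritative check rather than the frontend form. The function body continues outside the hunk, so confirm that nothing later in it already validates the updated metadata.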
@@ -21,7 +21,7 @@ import MessageAlert from 'src/MessageAlert' import { AccessRequestInterface, EntryKind, SplitSchemaNoRender } from 'types/types' import { entitiesIncludesCurrentUser } from 'utils/entityUtils' import { getErrorMessage } from 'utils/fetcher' -import { getStepsData, getStepsFromSchema } from 'utils/formUtils' +import { getStepsData, getStepsFromSchema, validateForm } from 'utils/formUtils' import { getCurrentUserRoles, hasRole } from 'utils/roles' type EditableAccessRequestFormProps = { @@ -81,6 +81,16 @@ export default function EditableAccessRequestForm({ if (schema) { setErrorMessage('') setIsLoading(true) + + for (const step of splitSchema.steps) { + const isValid = validateForm(step) + + if (!isValid) { + setIsLoading(false) + return + } + } + const data = getStepsData(splitSchema, true) const res = await patchAccessRequest(accessRequest.modelId, accessRequest.id, data) if (!res.ok) {
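Review bot: In the second hunk (the submit path inside `EditableAccessRequestForm`), the early `return` on a failed `validateForm(step)` resets the loading flag but leaves the error message cleared by `setErrorMessage('')`, so unless `validateForm` surfaces field errors itself (not visible here) the user gets no indication why nothing was submitted. Consider setting a message before returning, e.g. `setErrorMessage('Please complete all required fields before submitting.')` (constructed wording), and running the loop before `setIsLoading(true)` so the flag is not toggled for a request that is never sent. This client-side check is a convenience only, since the PATCH can be issued without the form, so the backend validation remains the control that matters. The handler starts and ends outside the hunk.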