BUG - Administrator can add emergency notice to chatbot widget

[rasmusei]

AS AN Administrator I WANT TO be able to set emergency notice to chatbot widget SO THAT I can notify End Users about important extraordinary situations

Acceptance Criteria

• [x] Under "haldus" new tab is created called "erakorralised teated" - emergency notice
• [x] Text area with limit of 250 characters
• [ ] Administrator can set display period for the emergency notice with start and end period, date and time can be chosen from calendar and time widget
• [x] Emergency notice is displayed above Bürokratt greeting message in chatbot widget according to prototype (to be created)

GUI

Administrative view

• [ ] According to Figma design
• [ ] A REST endpoint to fetch the current status with all the appropriate information
• [ ] Make a request to a REST endpoint to apply changes

End User's view

• [ ] Input received as part of a standard message flow with this one marked appropriately
• [ ] According to Figma design

[janaliiv]

Found an unexpected behaviour in conditional jump in YAML-based Ruuter.

Example yml to reproduce (based on README example):

conditionalSwitch:
  switch:
    - condition: ${incoming.body.dayOfTheWeek === "Friday"}
      next: friday
    - condition: ${incoming.body.dayOfTheWeek === "Saturday" || incoming.body.dayOfTheWeek === "Sunday"}
      next: weekend
  next: workWeek

friday:
  return: "It's Friday! Almost the weekend!"
  next: end

weekend:
  return: "It's the weekend!"
  next: end

workWeek:
  return: "It's the work week."

example queries (must be performed sequentially):

first query:

curl --location --request POST 'http://localhost:9091/bug' \
--header 'Content-Type: application/json' \
--data-raw '{
    "dayOfTheWeek": "Monday"
}'

first response:

{
    "response": "It's the work week."
}

second query:

curl --location --request POST 'http://localhost:9091/bug' \
--header 'Content-Type: application/json' \
--data-raw '{
    "dayOfTheWeek": "Sunday"
}'

second response:

{
    "response": "It's the weekend!"
}

third query:

curl --location --request POST 'http://localhost:9091/bug' \
--header 'Content-Type: application/json' \
--data-raw '{
    "dayOfTheWeek": "Monday"
}'

third response (incorrect):

{
    "response": "It's the weekend!"
}

[janaliiv]

@turnerrainer ☝ is related to #26 and other issues since currently conditional jumps are used to validate user roles and input.

[turnerrainer]

@janaliiv continue using current functionalities of Ruuter, including the ones you outlined in your previous comments.

This is a serious security bug and will be fixed outside of this project. Thank you very much for bringing this up.

Ruuter 2.0 will be pentested in February 2023, until then, expect it to be vulnerable.

[rasmusei]

Add activate/deactivate button in addition to period selection. When emergency notice period is still active, user can use deactivation button to end the emergency notice before the time given in the period section. User can use both activate/deactivate button or time period to display the emergency notice

[janaliiv]

Added the following Ruuter endpoints:

Public Ruuter: GET /cs-get-emergency-notice

Private Ruuter: GET /cs-get-emergency-notice POST /cs-set-emergency-notice

example query (replace URL and customJwtCookie with appropriate values if needed):

curl --location --request POST 'http://localhost:9091/cs-set-emergency-notice' \
--header 'Cookie: customJwtCookie=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIiLCJmaXJzdE5hbWUiOiJtYXJ5IiwibGFzdE5hbWUiOiJtYXJ5IiwiaWRDb2RlIjoiRUU2MDAwMTAxOTkwNiIsImRpc3BsYXlOYW1lIjoibWFyeSIsImlzcyI6ImJ5ay5idWVyb2tyYXR0LmVlIiwiZXhwIjoxNjcwNDIzNTE2LCJsb2dpbiI6Im1hcnkiLCJpYXQiOjE2NzA0MTYzMTYsImp0aSI6IjUzZmViM2I0LWM0NTgtNGZiOC1hMmEyLTA2NzU0ZGQzYWNkZSIsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU5JU1RSQVRPUiJdfQ.lmod2v_UmMmCxjx-Qjsv35OgwdAMWKha-cM_tejP4O5qFrMLoahUrnWxjk4rBzyI9y_4VegfPbC8nMg82QhDcGyH78N5gz2T_zatdYJZ0Ium_qD8QSyMDic2W38a0kW3Ksb4M_wiiaNSfk3vh829dvpcal0f6u2VI5Zb7iRbp3SVKkRKuhQssvQ42cyvNcw9fE8avDAwet1gBD7Ag82faHdHzWt1esDHC5aVDrUoofuAnNjACMMP3ZYLaPFOyu_hwTUHCQzDu1JUyoSzU5RmnQdFlkB0yGAyQ5dG1MYLuHDXiWlnR0cZ8huEpcIOyAPX1rAhbMQgmJQCcrgX4M8XAg' \
--header 'Content-Type: application/json' \
--data-raw '{
    "emergencyNoticeText": "Example emergency notice",
    "emergencyNoticeStartISO": "01-17-2023",
    "emergencyNoticeEndISO": "01-18-2023",
    "isEmergencyNoticeVisible": false
}'

[janinakimtrohlev]

BUG - right now I can as Administrator set display period for the emergency notice with start and end period date. But also it should be opportunity to set start and end time.

[turnerrainer]

BUG - right now I can as Administrator set display period for the emergency notice with start and end period date. But also it should be opportunity to set start and end time.

I'd say it's not a bug but a feature request. @rasmusei, @PaulaMerle ?