Commit 55171970 authored by Martin Bartoš's avatar Martin Bartoš

Update review controller regarding the AuthZ

parent 2c127902
......@@ -14,10 +14,10 @@ import java.util.List;
public interface ReviewFacade extends GenericFacade<ReviewDto, ReviewCreateDto, ReviewUpdateDto> {
/**
* Find all reviews created by a specific 'user'
* Find review by ID
*
* @param id of review to be found
* @return list of reviews
* @return a particular review
*/
ReviewDto findById(Long id);
......
......@@ -38,7 +38,7 @@ public interface ReviewController {
@ResponseBody
ReviewDto createReview(@RequestBody ReviewCreateDto reviewCreateDto);
@PreAuthorize("isAuthenticated() and #reviewUpdateDto.user.name == principal.username")
@PreAuthorize("isAuthenticated()")
@PatchMapping
@ResponseBody
ReviewDto updateReview(@RequestBody ReviewUpdateDto reviewUpdateDto);
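Review bot: The interface-level `@PreAuthorize` on `updateReview` now says only `isAuthenticated()`, so the authorization contract visible to callers and to any other implementation no longer mentions that a non-admin may only update their own review; in this commit that rule lives solely inside `ReviewControllerProvider`. Add Javadoc on the declaration so the interface still documents it, e.g. `/** Updates a review. Requires an authenticated caller; the implementation rejects updates to another user's review unless the caller is an admin (ForbiddenOperationException). */`. `deleteReview`, which the provider also implements with the same ownership-or-admin check, presumably has the same gap in its declaration outside this hunk.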
......
......@@ -4,28 +4,22 @@ import cz.fi.muni.pa165.movierecommender.api.dto.ReviewDto;
import cz.fi.muni.pa165.movierecommender.api.dto.create.ReviewCreateDto;
import cz.fi.muni.pa165.movierecommender.api.dto.update.ReviewUpdateDto;
import cz.fi.muni.pa165.movierecommender.api.facade.ReviewFacade;
import cz.fi.muni.pa165.movierecommender.persistence.entity.Review;
import cz.fi.muni.pa165.movierecommender.persistence.entity.User;
import cz.fi.muni.pa165.movierecommender.rest.core.RoutesHolder;
import cz.fi.muni.pa165.movierecommender.service.service.UserService;
import cz.fi.muni.pa165.movierecommender.service.service.exception.ForbiddenOperationException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PatchMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import javax.validation.constraints.NotNull;
import java.security.Principal;
import java.util.List;
/**
......@@ -35,10 +29,12 @@ import java.util.List;
@RequestMapping(RoutesHolder.REVIEW_ROUTE)
public class ReviewControllerProvider implements ReviewController {
private final ReviewFacade reviewFacade;
private final UserService userService;
@Autowired
public ReviewControllerProvider(ReviewFacade reviewFacade) {
public ReviewControllerProvider(ReviewFacade reviewFacade, UserService userService) {
this.reviewFacade = reviewFacade;
this.userService = userService;
}
@GetMapping
......@@ -66,31 +62,35 @@ public class ReviewControllerProvider implements ReviewController {
return reviewFacade.create(reviewCreateDto);
}
@PreAuthorize("isAuthenticated() and #reviewCreateDto.user.name == principal.username")
@PreAuthorize("isAuthenticated()")
@PatchMapping
@ResponseBody
public ReviewDto updateReview(@RequestBody ReviewUpdateDto reviewUpdateDto){
if(reviewUpdateDto == null) throw new IllegalArgumentException("Update review body cannot be null");
public ReviewDto updateReview(@RequestBody ReviewUpdateDto reviewUpdateDto) {
if (reviewUpdateDto == null) throw new IllegalArgumentException("Update review body cannot be null");
return reviewFacade.update(reviewUpdateDto);
final User user = userService.getAuthenticatedUser();
final ReviewDto review = reviewFacade.findById(reviewUpdateDto.getId());
final boolean isMyReview = review.getUser() != null && user.getId().equals(review.getUser().getId());
if (user.isAdmin() || isMyReview) {
return reviewFacade.update(reviewUpdateDto);
}
throw new ForbiddenOperationException("Cannot update not own review or no admin rights");
}
@PreAuthorize("isAuthenticated()")
@DeleteMapping("{id}")
@ResponseBody
public void deleteReview(@PathVariable Long id){
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
boolean hasAdminRole = authentication.getAuthorities().stream()
.anyMatch(r -> r.getAuthority().equals("TYPE_ADMIN"));
String currentUserName = authentication.getName();
ReviewDto review = reviewFacade.findById(id);
public void deleteReview(@PathVariable Long id) {
final User user = userService.getAuthenticatedUser();
final ReviewDto review = reviewFacade.findById(id);
final boolean isMyReview = review.getUser() != null && user.getId().equals(review.getUser().getId());
if(!hasAdminRole && !currentUserName.equals(review.getUser().getName())){
throw new ForbiddenOperationException("Cannot delete not own review or no admin rights");
if (user.isAdmin() || isMyReview) {
reviewFacade.delete(id);
}
reviewFacade.delete(id);
throw new ForbiddenOperationException("Cannot delete not own review or no admin rights");
}
}
\ No newline at end of file
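Review bot: `deleteReview` does not return after a successful delete — in the new `if (user.isAdmin() || isMyReview) { reviewFacade.delete(id); }` block control falls through to `throw new ForbiddenOperationException(...)`, so an authorized caller has the review deleted and still receives the forbidden error. Either add `return;` right after `reviewFacade.delete(id);`, or keep the old shape: `if (!user.isAdmin() && !isMyReview) { throw new ForbiddenOperationException("Cannot delete not own review or no admin rights"); } reviewFacade.delete(id);`. Both `updateReview` and `deleteReview` also dereference `review.getUser()` on the result of `reviewFacade.findById` without checking `review` itself; if the facade returns null for an unknown id (its Javadoc in this commit does not say), the result is a NullPointerException rather than a not-found response, so confirm the facade's contract or guard the lookup. The ownership comparison via `user.getId().equals(review.getUser().getId())` is otherwise a sound replacement for the removed username/`"TYPE_ADMIN"` string checks.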