add security on blog resource + only the blog user can edit/delete his blogs

07ad6a1e · Remy POCQUERUSSE · 6d4d4894 · 07ad6a1e
Commit 07ad6a1e authored 3 years ago by Remy POCQUERUSSE
--- a/src/main/java/com/ippon/belt/web/rest/BlogResource.java
+++ b/src/main/java/com/ippon/belt/web/rest/BlogResource.java
@@ -2,6 +2,7 @@ package com.ippon.belt.web.rest;
 import com.ippon.belt.domain.Blog;
 import com.ippon.belt.repository.BlogRepository;
+import com.ippon.belt.security.SecurityUtils;
 import com.ippon.belt.web.rest.errors.BadRequestAlertException;
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -13,6 +14,7 @@ import javax.validation.constraints.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.*;
@@ -48,11 +50,14 @@ public class BlogResource {
     * @throws URISyntaxException if the Location URI syntax is incorrect.
     */
    @PostMapping("/blogs")
-    public ResponseEntity<Blog> createBlog(@Valid @RequestBody Blog blog) throws URISyntaxException {
+    public ResponseEntity<?> createBlog(@Valid @RequestBody Blog blog) throws URISyntaxException {
        log.debug("REST request to save Blog : {}", blog);
        if (blog.getId() != null) {
            throw new BadRequestAlertException("A new blog cannot already have an ID", ENTITY_NAME, "idexists");
        }
+        if (!blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
+            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
+        }
        Blog result = blogRepository.save(blog);
        return ResponseEntity
            .created(new URI("/api/blogs/" + result.getId()))
@@ -71,7 +76,7 @@ public class BlogResource {
     * @throws URISyntaxException if the Location URI syntax is incorrect.
     */
    @PutMapping("/blogs/{id}")
-    public ResponseEntity<Blog> updateBlog(@PathVariable(value = "id", required = false) final Long id, @Valid @RequestBody Blog blog)
+    public ResponseEntity<?> updateBlog(@PathVariable(value = "id", required = false) final Long id, @Valid @RequestBody Blog blog)
        throws URISyntaxException {
        log.debug("REST request to update Blog : {}, {}", id, blog);
        if (blog.getId() == null) {
@@ -80,11 +85,12 @@ public class BlogResource {
        if (!Objects.equals(id, blog.getId())) {
            throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid");
        }
        if (!blogRepository.existsById(id)) {
            throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound");
        }
+        if (blog.getUser() != null && !blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
+            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
+        }
        Blog result = blogRepository.save(blog);
        return ResponseEntity
            .ok()
@@ -103,8 +109,8 @@ public class BlogResource {
     * or with status {@code 500 (Internal Server Error)} if the blog couldn't be updated.
     * @throws URISyntaxException if the Location URI syntax is incorrect.
     */
-    @PatchMapping(value = "/blogs/{id}", consumes = { "application/json", "application/merge-patch+json" })
+    @PatchMapping(value = "/blogs/{id}", consumes = "application/merge-patch+json")
-    public ResponseEntity<Blog> partialUpdateBlog(
+    public ResponseEntity<?> partialUpdateBlog(
        @PathVariable(value = "id", required = false) final Long id,
        @NotNull @RequestBody Blog blog
    ) throws URISyntaxException {
@@ -115,11 +121,12 @@ public class BlogResource {
        if (!Objects.equals(id, blog.getId())) {
            throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid");
        }
        if (!blogRepository.existsById(id)) {
            throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound");
        }
+        if (blog.getUser() != null && !blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
+            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
+        }
        Optional<Blog> result = blogRepository
            .findById(blog.getId())
            .map(existingBlog -> {
@@ -158,9 +165,16 @@ public class BlogResource {
     * @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the blog, or with status {@code 404 (Not Found)}.
     */
    @GetMapping("/blogs/{id}")
-    public ResponseEntity<Blog> getBlog(@PathVariable Long id) {
+    public ResponseEntity<?> getBlog(@PathVariable Long id) {
        log.debug("REST request to get Blog : {}", id);
        Optional<Blog> blog = blogRepository.findById(id);
+        if (
+            blog.isPresent() &&
+            blog.get().getUser() != null &&
+            !blog.get().getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))
+        ) {
+            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
+        }
        return ResponseUtil.wrapOrNotFound(blog);
    }
@@ -171,8 +185,16 @@ public class BlogResource {
     * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
     */
    @DeleteMapping("/blogs/{id}")
-    public ResponseEntity<Void> deleteBlog(@PathVariable Long id) {
+    public ResponseEntity<?> deleteBlog(@PathVariable Long id) {
        log.debug("REST request to delete Blog : {}", id);
+        Optional<Blog> blog = blogRepository.findById(id);
+        if (
+            blog.isPresent() &&
+            blog.get().getUser() != null &&
+            !blog.get().getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))
+        ) {
+            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
+        }
        blogRepository.deleteById(id);
        return ResponseEntity
            .noContent()