Commit 07ad6a1e authored by Remy POCQUERUSSE's avatar Remy POCQUERUSSE

add security on blog resource + only the blog user can edit/delete his blogs

parent 6d4d4894
...@@ -2,6 +2,7 @@ package com.ippon.belt.web.rest; ...@@ -2,6 +2,7 @@ package com.ippon.belt.web.rest;
import com.ippon.belt.domain.Blog; import com.ippon.belt.domain.Blog;
import com.ippon.belt.repository.BlogRepository; import com.ippon.belt.repository.BlogRepository;
import com.ippon.belt.security.SecurityUtils;
import com.ippon.belt.web.rest.errors.BadRequestAlertException; import com.ippon.belt.web.rest.errors.BadRequestAlertException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
...@@ -13,6 +14,7 @@ import javax.validation.constraints.NotNull; ...@@ -13,6 +14,7 @@ import javax.validation.constraints.NotNull;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value; import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity; import org.springframework.http.ResponseEntity;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
...@@ -48,11 +50,14 @@ public class BlogResource { ...@@ -48,11 +50,14 @@ public class BlogResource {
* @throws URISyntaxException if the Location URI syntax is incorrect. * @throws URISyntaxException if the Location URI syntax is incorrect.
*/ */
@PostMapping("/blogs") @PostMapping("/blogs")
public ResponseEntity<Blog> createBlog(@Valid @RequestBody Blog blog) throws URISyntaxException { public ResponseEntity<?> createBlog(@Valid @RequestBody Blog blog) throws URISyntaxException {
log.debug("REST request to save Blog : {}", blog); log.debug("REST request to save Blog : {}", blog);
if (blog.getId() != null) { if (blog.getId() != null) {
throw new BadRequestAlertException("A new blog cannot already have an ID", ENTITY_NAME, "idexists"); throw new BadRequestAlertException("A new blog cannot already have an ID", ENTITY_NAME, "idexists");
} }
if (!blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}
Blog result = blogRepository.save(blog); Blog result = blogRepository.save(blog);
return ResponseEntity return ResponseEntity
.created(new URI("/api/blogs/" + result.getId())) .created(new URI("/api/blogs/" + result.getId()))
...@@ -71,7 +76,7 @@ public class BlogResource { ...@@ -71,7 +76,7 @@ public class BlogResource {
* @throws URISyntaxException if the Location URI syntax is incorrect. * @throws URISyntaxException if the Location URI syntax is incorrect.
*/ */
@PutMapping("/blogs/{id}") @PutMapping("/blogs/{id}")
public ResponseEntity<Blog> updateBlog(@PathVariable(value = "id", required = false) final Long id, @Valid @RequestBody Blog blog) public ResponseEntity<?> updateBlog(@PathVariable(value = "id", required = false) final Long id, @Valid @RequestBody Blog blog)
throws URISyntaxException { throws URISyntaxException {
log.debug("REST request to update Blog : {}, {}", id, blog); log.debug("REST request to update Blog : {}, {}", id, blog);
if (blog.getId() == null) { if (blog.getId() == null) {
...@@ -80,11 +85,12 @@ public class BlogResource { ...@@ -80,11 +85,12 @@ public class BlogResource {
if (!Objects.equals(id, blog.getId())) { if (!Objects.equals(id, blog.getId())) {
throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid"); throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid");
} }
if (!blogRepository.existsById(id)) { if (!blogRepository.existsById(id)) {
throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound"); throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound");
} }
if (blog.getUser() != null && !blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}
Blog result = blogRepository.save(blog); Blog result = blogRepository.save(blog);
return ResponseEntity return ResponseEntity
.ok() .ok()
...@@ -103,8 +109,8 @@ public class BlogResource { ...@@ -103,8 +109,8 @@ public class BlogResource {
* or with status {@code 500 (Internal Server Error)} if the blog couldn't be updated. * or with status {@code 500 (Internal Server Error)} if the blog couldn't be updated.
* @throws URISyntaxException if the Location URI syntax is incorrect. * @throws URISyntaxException if the Location URI syntax is incorrect.
*/ */
@PatchMapping(value = "/blogs/{id}", consumes = { "application/json", "application/merge-patch+json" }) @PatchMapping(value = "/blogs/{id}", consumes = "application/merge-patch+json")
public ResponseEntity<Blog> partialUpdateBlog( public ResponseEntity<?> partialUpdateBlog(
@PathVariable(value = "id", required = false) final Long id, @PathVariable(value = "id", required = false) final Long id,
@NotNull @RequestBody Blog blog @NotNull @RequestBody Blog blog
) throws URISyntaxException { ) throws URISyntaxException {
...@@ -115,11 +121,12 @@ public class BlogResource { ...@@ -115,11 +121,12 @@ public class BlogResource {
if (!Objects.equals(id, blog.getId())) { if (!Objects.equals(id, blog.getId())) {
throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid"); throw new BadRequestAlertException("Invalid ID", ENTITY_NAME, "idinvalid");
} }
if (!blogRepository.existsById(id)) { if (!blogRepository.existsById(id)) {
throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound"); throw new BadRequestAlertException("Entity not found", ENTITY_NAME, "idnotfound");
} }
if (blog.getUser() != null && !blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}
Optional<Blog> result = blogRepository Optional<Blog> result = blogRepository
.findById(blog.getId()) .findById(blog.getId())
.map(existingBlog -> { .map(existingBlog -> {
...@@ -158,9 +165,16 @@ public class BlogResource { ...@@ -158,9 +165,16 @@ public class BlogResource {
* @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the blog, or with status {@code 404 (Not Found)}. * @return the {@link ResponseEntity} with status {@code 200 (OK)} and with body the blog, or with status {@code 404 (Not Found)}.
*/ */
@GetMapping("/blogs/{id}") @GetMapping("/blogs/{id}")
public ResponseEntity<Blog> getBlog(@PathVariable Long id) { public ResponseEntity<?> getBlog(@PathVariable Long id) {
log.debug("REST request to get Blog : {}", id); log.debug("REST request to get Blog : {}", id);
Optional<Blog> blog = blogRepository.findById(id); Optional<Blog> blog = blogRepository.findById(id);
if (
blog.isPresent() &&
blog.get().getUser() != null &&
!blog.get().getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))
) {
return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}
return ResponseUtil.wrapOrNotFound(blog); return ResponseUtil.wrapOrNotFound(blog);
} }
...@@ -171,8 +185,16 @@ public class BlogResource { ...@@ -171,8 +185,16 @@ public class BlogResource {
* @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}. * @return the {@link ResponseEntity} with status {@code 204 (NO_CONTENT)}.
*/ */
@DeleteMapping("/blogs/{id}") @DeleteMapping("/blogs/{id}")
public ResponseEntity<Void> deleteBlog(@PathVariable Long id) { public ResponseEntity<?> deleteBlog(@PathVariable Long id) {
log.debug("REST request to delete Blog : {}", id); log.debug("REST request to delete Blog : {}", id);
Optional<Blog> blog = blogRepository.findById(id);
if (
blog.isPresent() &&
blog.get().getUser() != null &&
!blog.get().getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))
) {
return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}
blogRepository.deleteById(id); blogRepository.deleteById(id);
return ResponseEntity return ResponseEntity
.noContent() .noContent()
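Review bot: The ownership checks added to updateBlog and partialUpdateBlog (the `blog.getUser() != null && …` lines) compare the owner carried in the request body, not the owner stored for `id`, so the caller decides which login is compared and a body naming the caller's own user passes for any existing blog id; deleteBlog already does it the right way by loading the record first. The `!= null` short-circuit also skips the check entirely when the body has no user, and in createBlog the same expression has no null guard at all, so a missing user surfaces as a NullPointerException (500) rather than a 400. I would load the stored blog and compare its owner with the current user in one private helper, as sketched below, and reuse it in getBlog and deleteBlog in place of the inline `blog.get()` chains — noting that the helper denies blogs with no stored owner, which the current checks let through, so that case needs a deliberate decision. The comparison is on login while the user reference is presumably persisted by id; worth confirming the two cannot diverge in a request body. Separately, returning a String body from `ResponseEntity<?>` widens every handler's type; throwing `AccessDeniedException` keeps `ResponseEntity<Blog>` and lets the existing exception translation render the 403.
```java
        // … unchanged: id / existence checks …
        if (!isOwnedByCurrentUser(id)) {
            return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
        }
        // … unchanged: save and response …

    /** True only when a blog with this id exists and its stored owner is the authenticated user. */
    private boolean isOwnedByCurrentUser(Long id) {
        String currentLogin = SecurityUtils.getCurrentUserLogin().orElse("");
        return blogRepository
            .findById(id)
            .map(Blog::getUser)
            .map(owner -> currentLogin.equals(owner.getLogin()))
            .orElse(false);
    }
```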