From 0f982325baca4001c34ac6d57acbce82def1f241 Mon Sep 17 00:00:00 2001
From: Mirco Nasuti <mirco.nasuti@chuv.ch>
Date: Wed, 16 Mar 2016 17:00:25 +0100
Subject: [PATCH] cannot read someone else's article if not published yet

---
 src/main/java/org/hbp/mip/controllers/ArticlesApi.java | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
index 01613d84f..75311270b 100644
--- a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
@@ -56,6 +56,7 @@ public class ArticlesApi {
         }
         else
         {
+            queryString += " AND status='published'";
             if(team != null && team)
             {
                 // TODO: decide if this is needed
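Review bot: The status value is embedded as a hard-coded SQL/HQL literal in `queryString += " AND status='published'";`, and the same `"published"` string is compared again in the second hunk of this patch, so the two filters can silently drift apart if the status name changes in one place. A `private static final String STATUS_PUBLISHED = "published";` on the class, used here via a bound parameter (`" AND status = :status"` with `.setString("status", STATUS_PUBLISHED)`) and in the later equality check, keeps the two authorization filters in agreement. The concatenated text is a constant, so this is a consistency point rather than an injection risk; note that the filter is only added on this `else` branch, and the enclosing method and the `if` branch it pairs with start before the hunk, so whether the other branch intentionally returns unpublished articles cannot be judged from here.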
@@ -182,15 +183,24 @@ public class ArticlesApi {
             @ApiParam(value = "slug", required = true) @PathVariable("slug") String slug
     ) {
 
+        User user = mipApplication.getUser();
+
         Session session = HibernateUtil.getSessionFactory().getCurrentSession();
         Article article = null;
         try{
             session.beginTransaction();
+
             article = (Article) session
                     .createQuery("FROM Article WHERE slug= :slug")
                     .setString("slug", slug)
                     .uniqueResult();
+
             session.getTransaction().commit();
+
+            if (!article.getStatus().equals("published") && !article.getCreatedBy().getUsername().equals(user.getUsername()))
+            {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).body(null);
+            }
         } catch (Exception e)
         {
             if(session.getTransaction() != null)
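Review bot: The new check at `if (!article.getStatus().equals("published") && !article.getCreatedBy().getUsername().equals(user.getUsername()))` dereferences `article`, `article.getCreatedBy()` and `user` without a null check, although `uniqueResult()` returns null when no article matches the slug and `mipApplication.getUser()` presumably returns null for an unauthenticated caller; the resulting NullPointerException lands in the generic `catch (Exception e)` below, so an unknown slug or anonymous request is handled as a database failure rather than as a missing resource or an authorization decision. Guard the lookup first with `if (article == null) return ResponseEntity.status(HttpStatus.NOT_FOUND).body(null);`, compute ownership null-safely with `boolean isOwner = user != null && article.getCreatedBy() != null && user.getUsername().equals(article.getCreatedBy().getUsername());`, and write the status test as `if (!"published".equals(article.getStatus()) && !isOwner) { ... }` so a null status cannot throw. Consider also answering the non-owner case with NOT_FOUND instead of FORBIDDEN, since a 403 on an otherwise unknown slug confirms to any caller that an unpublished article with that slug exists. The method's signature begins before the hunk and its catch/rollback handling continues after it, so what the catch block returns for the NPE case is not visible here.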
-- 
GitLab