Commit 8e9270d0 authored by Mirco Nasuti's avatar Mirco Nasuti

add models reading rights

parent 0f982325
...@@ -56,7 +56,7 @@ public class ArticlesApi { ...@@ -56,7 +56,7 @@ public class ArticlesApi {
} }
else else
{ {
queryString += " AND status='published'"; queryString += " AND (status='published' or u.username= :username)";
if(team != null && team) if(team != null && team)
{ {
// TODO: decide if this is needed // TODO: decide if this is needed
...@@ -72,14 +72,7 @@ public class ArticlesApi { ...@@ -72,14 +72,7 @@ public class ArticlesApi {
if (status != null) { if (status != null) {
query.setString("status", status); query.setString("status", status);
} }
if (own != null && own) { query.setString("username", user.getUsername());
query.setString("username", user.getUsername());
} else {
if (team != null && team) {
// TODO: decide if this is needed
//query.setString("team", user.getTeam());
}
}
articles = query.list(); articles = query.list();
session.getTransaction().commit(); session.getTransaction().commit();
} catch (Exception e) } catch (Exception e)
......
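Review bot: The new side of the second hunk binds `:username` unconditionally (`query.setString("username", user.getUsername());`), so the method now dereferences `user` on every listing request, not only when `own` is set; if `mipApplication.getUser()` can be null for an unauthenticated caller this becomes a NullPointerException that the surrounding `catch (Exception e)` masks. Hibernate also rejects a bind for a parameter the HQL string does not declare, so the `own` branch of the query (above the first hunk, outside this view) must contain `u.username= :username` just as the new `else` branch does — worth confirming. The visibility rule introduced on the `else` path deserves a comment at the point it is built, e.g. `// non-owners see only published articles, plus their own unpublished ones`. Both hunks sit inside a method whose start and end are outside the diff.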
...@@ -39,18 +39,24 @@ public class ModelsApi { ...@@ -39,18 +39,24 @@ public class ModelsApi {
public ResponseEntity<List<Model>> getModels( public ResponseEntity<List<Model>> getModels(
@ApiParam(value = "Max number of results") @RequestParam(value = "limit", required = false) Integer limit, @ApiParam(value = "Max number of results") @RequestParam(value = "limit", required = false) Integer limit,
@ApiParam(value = "Only ask own models") @RequestParam(value = "own", required = false) Boolean own, @ApiParam(value = "Only ask own models") @RequestParam(value = "own", required = false) Boolean own,
@ApiParam(value = "Only ask models from own team") @RequestParam(value = "team", required = false) Boolean team @ApiParam(value = "Only ask models from own team") @RequestParam(value = "team", required = false) Boolean team,
@ApiParam(value = "Only ask published models") @RequestParam(value = "valid", required = false) Boolean valid
) { ) {
User user = mipApplication.getUser(); User user = mipApplication.getUser();
String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username"; String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username";
if(valid != null && valid)
{
queryString += " AND m.valid= :valid";
}
if(own != null && own) if(own != null && own)
{ {
queryString += " AND u.username= :username"; queryString += " AND u.username= :username";
} }
else else
{ {
queryString += " AND (m.valid=true or u.username= :username)";
if(team != null && team) if(team != null && team)
{ {
// TODO: decide if this is needed // TODO: decide if this is needed
...@@ -63,18 +69,11 @@ public class ModelsApi { ...@@ -63,18 +69,11 @@ public class ModelsApi {
try{ try{
session.beginTransaction(); session.beginTransaction();
Query query = session.createQuery(queryString); Query query = session.createQuery(queryString);
if(own != null && own) if(valid != null)
{ {
query.setString("username", user.getUsername()); query.setBoolean("valid", valid);
}
else
{
if(team != null && team)
{
// TODO: decide if this is needed
//query.setString("team", user.getTeam());
}
} }
query.setString("username", user.getUsername());
if(limit != null) if(limit != null)
{ {
query.setMaxResults(limit); // Pagination : Use query.setFirstResult(...) to set begining index query.setMaxResults(limit); // Pagination : Use query.setFirstResult(...) to set begining index
...@@ -104,9 +103,12 @@ public class ModelsApi { ...@@ -104,9 +103,12 @@ public class ModelsApi {
User user = mipApplication.getUser(); User user = mipApplication.getUser();
model.setTitle(model.getConfig().getTitle().get("text")); model.setTitle(model.getConfig().getTitle().get("text"));
model.setValid(true);
model.setCreatedBy(user); model.setCreatedBy(user);
model.setCreatedAt(new Date()); model.setCreatedAt(new Date());
if(model.getValid() == null)
{
model.setValid(false);
}
Long count; Long count;
Session session = HibernateUtil.getSessionFactory().getCurrentSession(); Session session = HibernateUtil.getSessionFactory().getCurrentSession();
...@@ -183,6 +185,8 @@ public class ModelsApi { ...@@ -183,6 +185,8 @@ public class ModelsApi {
@ApiParam(value = "slug", required = true) @PathVariable("slug") String slug @ApiParam(value = "slug", required = true) @PathVariable("slug") String slug
) { ) {
User user = mipApplication.getUser();
Session session = HibernateUtil.getSessionFactory().getCurrentSession(); Session session = HibernateUtil.getSessionFactory().getCurrentSession();
Model model = null; Model model = null;
Query query; Query query;
...@@ -195,6 +199,11 @@ public class ModelsApi { ...@@ -195,6 +199,11 @@ public class ModelsApi {
.uniqueResult(); .uniqueResult();
session.getTransaction().commit(); session.getTransaction().commit();
if (!model.getValid() && !model.getCreatedBy().getUsername().equals(user.getUsername()))
{
return ResponseEntity.status(HttpStatus.FORBIDDEN).body(null);
}
} catch (Exception e) } catch (Exception e)
{ {
if(session.getTransaction() != null) if(session.getTransaction() != null)
......
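Review bot: In getModels the query string gains `AND m.valid= :valid` only when `valid != null && valid`, but the bind in the later hunk runs whenever `valid != null`, so a request with `valid=false` calls `query.setBoolean("valid", false)` on a query that declares no such parameter; Hibernate throws there and the generic `catch (Exception e)` turns a legitimate filter into an error. Aligning the two conditions fixes it: change the first guard to `if(valid != null)` so a `valid=false` filter works and the parameter is bound exactly when it is declared. In the slug handler, `!model.getValid()` unboxes a Boolean that the new create-time default only guarantees for rows written after this commit, and `model` itself is null when no row matches the slug; both would NPE inside the try and be swallowed by the same catch, so null-check the lookup result before the ownership test. Returning FORBIDDEN for an existing unpublished model while a missing slug takes a different path lets callers probe which private slugs exist; returning NOT_FOUND in both cases avoids that disclosure. The getModels body and the slug handler both extend beyond the hunks shown.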