diff --git a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
index 75311270b9d8c131dd33bcc6012c86353753ab33..2ac7d351b2549ce7107a965041b1b47a82e4fde4 100644
--- a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
@@ -56,7 +56,7 @@ public class ArticlesApi {
         }
         else
         {
-            queryString += " AND status='published'";
+            queryString += " AND (status='published' or u.username= :username)";
             if(team != null && team)
             {
                 // TODO: decide if this is needed
@@ -72,14 +72,7 @@ public class ArticlesApi {
             if (status != null) {
                 query.setString("status", status);
             }
-            if (own != null && own) {
-                query.setString("username", user.getUsername());
-            } else {
-                if (team != null && team) {
-                    // TODO: decide if this is needed
-                    //query.setString("team", user.getTeam());
-                }
-            }
+            query.setString("username", user.getUsername());
             articles = query.list();
             session.getTransaction().commit();
         } catch (Exception e)
diff --git a/src/main/java/org/hbp/mip/controllers/ModelsApi.java b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
index 98e29e4247f49adb9bc7ca5b259e60bb6e91bb1a..b7f3338edba6bebf546bfdd015993563dbc4ad03 100644
--- a/src/main/java/org/hbp/mip/controllers/ModelsApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
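Review bot: The new `(status='published' or u.username= :username)` clause is the only server-side rule keeping other users' unpublished articles out of the listing, and nothing in the code records that intent; I would add `// Visibility rule: unpublished articles are returned only to their author` above the `+` line. The clause also spells `or` in lowercase while the rest of the HQL uses `AND`; `OR` keeps the string consistent. The `if(team != null && team)` block below it still has a TODO-only body, so the `else` branch does nothing further. The enclosing method starts before this hunk.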
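Review bot: Binding `username` unconditionally at `query.setString("username", user.getUsername())` is only safe if every path that builds `queryString` declares `:username`; Hibernate rejects a named parameter the query does not contain, and the `own` branch of this method is outside the hunk, so confirm it still contains `u.username= :username` and add `// every branch of queryString references :username` above the bind. If `mipApplication.getUser()` can return null for an unauthenticated caller, `user.getUsername()` now throws inside the try and lands in the generic `catch (Exception e)` rather than producing a deliberate 401/403. The same two points apply to the identical bind in ModelsApi (`@@ -63,18 +69,11 @@`) and to the ownership check in ModelsApi (`@@ -195,6 +199,11 @@`). The enclosing method starts before this hunk.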
@@ -39,18 +39,24 @@ public class ModelsApi {
     public ResponseEntity<List<Model>> getModels(
             @ApiParam(value = "Max number of results") @RequestParam(value = "limit", required = false) Integer limit,
             @ApiParam(value = "Only ask own models") @RequestParam(value = "own", required = false) Boolean own,
-            @ApiParam(value = "Only ask models from own team") @RequestParam(value = "team", required = false) Boolean team
+            @ApiParam(value = "Only ask models from own team") @RequestParam(value = "team", required = false) Boolean team,
+            @ApiParam(value = "Only ask published models") @RequestParam(value = "valid", required = false) Boolean valid
     ) {
         User user = mipApplication.getUser();
         String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username";
+        if(valid != null && valid)
+        {
+            queryString += " AND m.valid= :valid";
+        }
         if(own != null && own)
         {
             queryString += " AND u.username= :username";
         }
         else
         {
+            queryString += " AND (m.valid=true or u.username= :username)";
             if(team != null && team)
             {
                 // TODO: decide if this is needed
@@ -63,18 +69,11 @@ public class ModelsApi {
         try{
             session.beginTransaction();
             Query query = session.createQuery(queryString);
-            if(own != null && own)
+            if(valid != null)
             {
-                query.setString("username", user.getUsername());
-            }
-            else
-            {
-                if(team != null && team)
-                {
-                    // TODO: decide if this is needed
-                    //query.setString("team", user.getTeam());
-                }
+                query.setBoolean("valid", valid);
             }
+            query.setString("username", user.getUsername());
             if(limit != null)
             {
                 query.setMaxResults(limit); // Pagination : Use query.setFirstResult(...) to set begining index
@@ -104,9 +103,12 @@ public class ModelsApi {
         User user = mipApplication.getUser();
         model.setTitle(model.getConfig().getTitle().get("text"));
-        model.setValid(true);
         model.setCreatedBy(user);
         model.setCreatedAt(new Date());
+        if(model.getValid() == null)
+        {
+            model.setValid(false);
+        }
         Long count;
         Session session = HibernateUtil.getSessionFactory().getCurrentSession();
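Review bot: The `m.valid= :valid` clause is appended only when `valid != null && valid`, but the bind in the next hunk (`@@ -63,18 +69,11 @@`) runs whenever `valid != null`, so a request with `valid=false` calls `query.setBoolean("valid", false)` on a query that declares no `:valid` parameter and Hibernate rejects it. Use the same condition in both places: `if(valid != null)` here, so that `valid=false` is honoured as a filter, or `if(valid != null && valid)` at the bind if false is meant to be ignored. The `@ApiParam` text says "published" while the column is `m.valid`; `// m.valid is the "published" flag exposed by the API` above the first new `if` would remove the guesswork. The method continues past the end of this hunk.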
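Review bot: Dropping `model.setValid(true)` and only defaulting a null flag to `false` makes `valid` a client-supplied value on creation: a request body with `valid: true` creates a model that is immediately visible to everyone through the listing filter in `@@ -39,18 +39,24 @@`. If authors are allowed to publish their own models that is fine, but it deserves `// valid (published) defaults to false; the client may set it explicitly` next to the new check; if publication is meant to be gated, keep forcing `model.setValid(false)` here and expose publishing as a separate operation. The `== null` comparison shows `getValid()` returns a boxed `Boolean`, so every read of the flag needs the same null handling. The enclosing method starts before and continues after this hunk.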
@@ -183,6 +185,8 @@ public class ModelsApi {
             @ApiParam(value = "slug", required = true) @PathVariable("slug") String slug
     ) {
+        User user = mipApplication.getUser();
+
         Session session = HibernateUtil.getSessionFactory().getCurrentSession();
         Model model = null;
         Query query;
@@ -195,6 +199,11 @@ public class ModelsApi {
                     .uniqueResult();
             session.getTransaction().commit();
+            if (!model.getValid() && !model.getCreatedBy().getUsername().equals(user.getUsername()))
+            {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).body(null);
+            }
+
         } catch (Exception e) {
             if(session.getTransaction() != null)
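Review bot: The new check unboxes `model.getValid()` and dereferences `model`, which is the result of `uniqueResult()`, so an unknown slug or a row whose `valid` column is null throws a NullPointerException inside the try and ends up in the generic catch instead of a deliberate response. Test for a missing model first and compare the boxed flag with `Boolean.TRUE.equals(...)`, as in the rewrite below, which also names the ownership test. Answering 403 confirms to the caller that the slug exists even though they may not see the model; if slug enumeration is a concern, return 404 in both cases. `user` comes from `mipApplication.getUser()` in the earlier hunk (`@@ -183,6 +185,8 @@`), and if that can be null for an anonymous caller the same NPE path applies. The enclosing method and its try block start before this hunk.
```java
            session.getTransaction().commit();
            if (model == null)
            {
                return ResponseEntity.status(HttpStatus.NOT_FOUND).body(null);
            }
            boolean ownedByCaller = model.getCreatedBy().getUsername().equals(user.getUsername());
            if (!Boolean.TRUE.equals(model.getValid()) && !ownedByCaller)
            {
                return ResponseEntity.status(HttpStatus.FORBIDDEN).body(null);
            }
            // … unchanged: catch (Exception e) block …
```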