Commit fa69ac6e authored by Mirco Nasuti's avatar Mirco Nasuti

Editing someone else's article/model is now forbidden

parent 3baf316f
...@@ -45,7 +45,7 @@ public class ArticlesApi { ...@@ -45,7 +45,7 @@ public class ArticlesApi {
User user = mipApplication.getUser(); User user = mipApplication.getUser();
String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.id"; String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.username";
if(status != null) if(status != null)
{ {
queryString += " AND status= :status"; queryString += " AND status= :status";
...@@ -58,7 +58,8 @@ public class ArticlesApi { ...@@ -58,7 +58,8 @@ public class ArticlesApi {
{ {
if(team != null && team) if(team != null && team)
{ {
queryString += " AND u.team= :team"; // TODO: decide if this is needed
//queryString += " AND u.team= :team";
} }
} }
...@@ -74,7 +75,8 @@ public class ArticlesApi { ...@@ -74,7 +75,8 @@ public class ArticlesApi {
query.setString("username", user.getUsername()); query.setString("username", user.getUsername());
} else { } else {
if (team != null && team) { if (team != null && team) {
query.setString("team", user.getTeam()); // TODO: decide if this is needed
//query.setString("team", user.getTeam());
} }
} }
articles = query.list(); articles = query.list();
...@@ -210,10 +212,23 @@ public class ArticlesApi { ...@@ -210,10 +212,23 @@ public class ArticlesApi {
@RequestBody @ApiParam(value = "Article to update", required = true) @Valid Article article @RequestBody @ApiParam(value = "Article to update", required = true) @Valid Article article
) { ) {
User user = mipApplication.getUser();
Session session = HibernateUtil.getSessionFactory().getCurrentSession(); Session session = HibernateUtil.getSessionFactory().getCurrentSession();
try{ try{
session.beginTransaction(); session.beginTransaction();
String author = (String) session
.createQuery("select U.username from User U, Article A where A.createdBy = U.username and A.slug = :slug")
.setString("slug", slug)
.uniqueResult();
if(!user.getUsername().equals(author))
{
session.getTransaction().commit();
return new ResponseEntity<>(HttpStatus.FORBIDDEN);
}
String oldTitle = (String) session String oldTitle = (String) session
.createQuery("select title from Article where slug= :slug") .createQuery("select title from Article where slug= :slug")
.setString("slug", slug) .setString("slug", slug)
......
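Review bot: The new ownership check in the ArticlesApi update hunk, `if(!user.getUsername().equals(author))`, dereferences the current user before anything is known about it, so a null `user` from `mipApplication.getUser()` or a null username becomes a NullPointerException inside the open transaction instead of a 403; I cannot tell from this hunk whether getUser() can return null for an unauthenticated caller, but a fail-closed form costs nothing: `if (user == null || author == null || !author.equals(user.getUsername()))`. Note that `author` is also null when no Article matches the slug or its createdBy matches no User row, so an unknown slug now yields FORBIDDEN rather than whatever the later code returned — acceptable for an authorization guard, but worth a comment on the check such as `// null author (unknown slug or orphaned createdBy) is treated as not owned by the caller`. The same block is added verbatim to ModelsApi (the `-288,6 +290,17` hunk, after `session.beginTransaction()`), where `user` has no declaration visible in the hunk and is presumably introduced above it; extracting both copies into one helper, e.g. `isOwnedByCurrentUser(session, "Article", slug)`, would keep the two checks from drifting apart. Both enclosing update methods begin before and continue after what the page shows — the hunk headers announce 23 and 17 new-side lines, more than are displayed.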
...@@ -44,7 +44,7 @@ public class ModelsApi { ...@@ -44,7 +44,7 @@ public class ModelsApi {
User user = mipApplication.getUser(); User user = mipApplication.getUser();
String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.id"; String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username";
if(own != null && own) if(own != null && own)
{ {
queryString += " AND u.username= :username"; queryString += " AND u.username= :username";
...@@ -53,7 +53,8 @@ public class ModelsApi { ...@@ -53,7 +53,8 @@ public class ModelsApi {
{ {
if(team != null && team) if(team != null && team)
{ {
queryString += " AND u.team= :team"; // TODO: decide if this is needed
//queryString += " AND u.team= :team";
} }
} }
...@@ -70,7 +71,8 @@ public class ModelsApi { ...@@ -70,7 +71,8 @@ public class ModelsApi {
{ {
if(team != null && team) if(team != null && team)
{ {
query.setString("team", user.getTeam()); // TODO: decide if this is needed
//query.setString("team", user.getTeam());
} }
} }
if(limit != null) if(limit != null)
...@@ -288,6 +290,17 @@ public class ModelsApi { ...@@ -288,6 +290,17 @@ public class ModelsApi {
try{ try{
session.beginTransaction(); session.beginTransaction();
String author = (String) session
.createQuery("select U.username from User U, Model M where M.createdBy = U.username and M.slug = :slug")
.setString("slug", slug)
.uniqueResult();
if(!user.getUsername().equals(author))
{
session.getTransaction().commit();
return new ResponseEntity<>(HttpStatus.FORBIDDEN);
}
String oldTitle = (String) session String oldTitle = (String) session
.createQuery("select title from Model where slug= :slug") .createQuery("select title from Model where slug= :slug")
.setString("slug", slug) .setString("slug", slug)
......