From fa69ac6e463e8ca7cdd8d3aa9e1725bff64932ea Mon Sep 17 00:00:00 2001
From: Mirco Nasuti <mirco.nasuti@chuv.ch>
Date: Wed, 16 Mar 2016 14:47:49 +0100
Subject: [PATCH] edit on someone else's article/model is now forbidden

---
 .../org/hbp/mip/controllers/ArticlesApi.java  | 21 ++++++++++++++++---
 .../org/hbp/mip/controllers/ModelsApi.java    | 19 ++++++++++++++---
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
index bfa076087..01613d84f 100644
--- a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
@@ -45,7 +45,7 @@ public class ArticlesApi {
 
         User user = mipApplication.getUser();
 
-        String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.id";
+        String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.username";
         if(status != null)
         {
             queryString += " AND status= :status";
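Review bot: The changed join `a.createdBy=u.username` silently assumes that `Article.createdBy` stores the author's username rather than the `User` id, and nothing in the hunk records that; the ownership check added later in this file, and the matching hunk at L72 in ModelsApi, rely on the same assumption. A one-line comment above the query, `// createdBy holds the author's username (not the User id); the ownership check in update relies on this`, would make the contract visible to the next maintainer. The query string is assembled by concatenation but every user-controlled value is bound through named parameters, so that part is fine as written. The enclosing method starts before and ends after the hunk.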
@@ -58,7 +58,8 @@ public class ArticlesApi {
         {
             if(team != null && team)
             {
-                queryString += " AND u.team= :team";
+                // TODO: decide if this is needed
+                //queryString += " AND u.team= :team";
             }
         }
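Review bot: Commenting out `queryString += " AND u.team= :team";` leaves an empty `if(team != null && team)` block, so a caller who passes `team=true` now silently receives an unfiltered result instead of either the team filter or an error; the same applies to the hunks at L34, L81 and L91. If the filter is genuinely undecided, deleting the dead branch and documenting the parameter as currently ignored (in the `@ApiParam` description) is clearer than a TODO over commented-out code, and it avoids the parser-confusing pattern of a filter that is accepted but has no effect. The enclosing method starts before and ends after the hunk.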
 
@@ -74,7 +75,8 @@ public class ArticlesApi {
                 query.setString("username", user.getUsername());
             } else {
                 if (team != null && team) {
-                    query.setString("team", user.getTeam());
+                    // TODO: decide if this is needed
+                    //query.setString("team", user.getTeam());
                 }
             }
             articles = query.list();
@@ -210,10 +212,23 @@ public class ArticlesApi {
             @RequestBody @ApiParam(value = "Article to update", required = true) @Valid Article article
     ) {
 
+        User user = mipApplication.getUser();
+
         Session session = HibernateUtil.getSessionFactory().getCurrentSession();
         try{
             session.beginTransaction();
 
+            String author = (String) session
+                    .createQuery("select U.username from User U, Article A where A.createdBy = U.username and A.slug = :slug")
+                    .setString("slug", slug)
+                    .uniqueResult();
+
+            if(!user.getUsername().equals(author))
+            {
+                session.getTransaction().commit();
+                return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+            }
+
             String oldTitle = (String) session
                     .createQuery("select title from Article where slug= :slug")
                     .setString("slug", slug)
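Review bot: `if(!user.getUsername().equals(author))` does not distinguish an article that does not exist (`uniqueResult()` returns null) from one owned by someone else, and it throws a NullPointerException if `mipApplication.getUser()` can return null for an unauthenticated caller — the hunk does not show whether it can. Handling the cases explicitly reads better and fails closed: `if (user == null) { session.getTransaction().commit(); return new ResponseEntity<>(HttpStatus.UNAUTHORIZED); }` before the query, then `if (author == null) { ... return new ResponseEntity<>(HttpStatus.NOT_FOUND); }` (or keep FORBIDDEN if slug existence should not be disclosed) ahead of the ownership comparison. Given the join condition changed earlier in this file, `createdBy` appears to hold the username directly, so `select createdBy from Article where slug = :slug` would avoid the join through `User` and would not reject edits on an article whose author row is missing. The hunk at L101 in ModelsApi has the same shape and the same issues. The enclosing method starts before and its try/catch ends after the hunk.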
diff --git a/src/main/java/org/hbp/mip/controllers/ModelsApi.java b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
index 5194e2787..98e29e424 100644
--- a/src/main/java/org/hbp/mip/controllers/ModelsApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
@@ -44,7 +44,7 @@ public class ModelsApi {
 
         User user = mipApplication.getUser();
 
-        String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.id";
+        String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username";
         if(own != null && own)
         {
             queryString += " AND u.username= :username";
@@ -53,7 +53,8 @@ public class ModelsApi {
         {
             if(team != null && team)
             {
-                queryString += " AND u.team= :team";
+                // TODO: decide if this is needed
+                //queryString += " AND u.team= :team";
             }
         }
 
@@ -70,7 +71,8 @@ public class ModelsApi {
             {
                 if(team != null && team)
                 {
-                    query.setString("team", user.getTeam());
+                    // TODO: decide if this is needed
+                    //query.setString("team", user.getTeam());
                 }
             }
             if(limit != null)
@@ -288,6 +290,17 @@ public class ModelsApi {
         try{
             session.beginTransaction();
 
+            String author = (String) session
+                    .createQuery("select U.username from User U, Model M where M.createdBy = U.username and M.slug = :slug")
+                    .setString("slug", slug)
+                    .uniqueResult();
+
+            if(!user.getUsername().equals(author))
+            {
+                session.getTransaction().commit();
+                return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+            }
+
             String oldTitle = (String) session
                     .createQuery("select title from Model where slug= :slug")
                     .setString("slug", slug)
-- 
GitLab