From fa69ac6e463e8ca7cdd8d3aa9e1725bff64932ea Mon Sep 17 00:00:00 2001
From: Mirco Nasuti <mirco.nasuti@chuv.ch>
Date: Wed, 16 Mar 2016 14:47:49 +0100
Subject: [PATCH] edit on someone else's article/model is now forbidden
---
.../org/hbp/mip/controllers/ArticlesApi.java | 21 ++++++++++++++++---
.../org/hbp/mip/controllers/ModelsApi.java | 19 ++++++++++++++---
2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
index bfa076087..01613d84f 100644
--- a/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ArticlesApi.java
@@ -45,7 +45,7 @@ public class ArticlesApi {
User user = mipApplication.getUser();
- String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.id";
+ String queryString = "SELECT a FROM Article a, User u WHERE a.createdBy=u.username";
if(status != null)
{
queryString += " AND status= :status";
@@ -58,7 +58,8 @@ public class ArticlesApi {
{
if(team != null && team)
{
- queryString += " AND u.team= :team";
+ // TODO: decide if this is needed
+ //queryString += " AND u.team= :team";
}
}
@@ -74,7 +75,8 @@ public class ArticlesApi {
query.setString("username", user.getUsername());
} else {
if (team != null && team) {
- query.setString("team", user.getTeam());
+ // TODO: decide if this is needed
+ //query.setString("team", user.getTeam());
}
}
articles = query.list();
@@ -210,10 +212,23 @@ public class ArticlesApi {
@RequestBody @ApiParam(value = "Article to update", required = true) @Valid Article article
) {
+ User user = mipApplication.getUser();
+
Session session = HibernateUtil.getSessionFactory().getCurrentSession();
try{
session.beginTransaction();
+ String author = (String) session
+ .createQuery("select U.username from User U, Article A where A.createdBy = U.username and A.slug = :slug")
+ .setString("slug", slug)
+ .uniqueResult();
+
+ if(!user.getUsername().equals(author))
+ {
+ session.getTransaction().commit();
+ return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+ }
+
String oldTitle = (String) session
.createQuery("select title from Article where slug= :slug")
.setString("slug", slug)
diff --git a/src/main/java/org/hbp/mip/controllers/ModelsApi.java b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
index 5194e2787..98e29e424 100644
--- a/src/main/java/org/hbp/mip/controllers/ModelsApi.java
+++ b/src/main/java/org/hbp/mip/controllers/ModelsApi.java
@@ -44,7 +44,7 @@ public class ModelsApi {
User user = mipApplication.getUser();
- String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.id";
+ String queryString = "SELECT m FROM Model m, User u WHERE m.createdBy=u.username";
if(own != null && own)
{
queryString += " AND u.username= :username";
@@ -53,7 +53,8 @@ public class ModelsApi {
{
if(team != null && team)
{
- queryString += " AND u.team= :team";
+ // TODO: decide if this is needed
+ //queryString += " AND u.team= :team";
}
}
@@ -70,7 +71,8 @@ public class ModelsApi {
{
if(team != null && team)
{
- query.setString("team", user.getTeam());
+ // TODO: decide if this is needed
+ //query.setString("team", user.getTeam());
}
}
if(limit != null)
@@ -288,6 +290,17 @@ public class ModelsApi {
try{
session.beginTransaction();
+ String author = (String) session
+ .createQuery("select U.username from User U, Model M where M.createdBy = U.username and M.slug = :slug")
+ .setString("slug", slug)
+ .uniqueResult();
+
+ if(!user.getUsername().equals(author))
+ {
+ session.getTransaction().commit();
+ return new ResponseEntity<>(HttpStatus.FORBIDDEN);
+ }
+
String oldTitle = (String) session
.createQuery("select title from Model where slug= :slug")
.setString("slug", slug)
--
GitLab