Rework permissions for adding images: admin can add any number, owner only quantity+1.

cssru · php-coder · commit ae0822435926 · 2016-04-20T16:57:53.000+02:00
Fix #166
diff --git a/src/main/java/ru/mystamps/web/controller/SeriesController.java b/src/main/java/ru/mystamps/web/controller/SeriesController.java
@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -47,6 +48,8 @@
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
 import lombok.RequiredArgsConstructor;
 
 import ru.mystamps.web.Url;
@@ -216,7 +219,7 @@ public String showInfo(
 		
 		model.addAttribute(
 			"allowAddingImages",
-			isAllowedToAddingImages(series)
+			isUserCanAddImagesToSeries(series)
 		);
 		
 		model.addAttribute("maxQuantityOfImagesExceeded", false);
@@ -247,6 +250,11 @@ public String processImage(
 			return null;
 		}
 		
+		if (!isUserCanAddImagesToSeries(series)) {
+			response.sendError(HttpServletResponse.SC_FORBIDDEN);
+			return null;
+		}
+		
 		model.addAttribute("series", series);
 		
 		// CheckStyle: ignore LineLength for next 4 lines
@@ -262,10 +270,10 @@ public String processImage(
 		
 		model.addAttribute(
 			"allowAddingImages",
-			isAllowedToAddingImages(series)
+			isUserCanAddImagesToSeries(series)
 		);
 		
-		boolean maxQuantityOfImagesExceeded = !isAllowedToAddingImages(series);
+		boolean maxQuantityOfImagesExceeded = !isAdmin() && !isAllowedToAddingImages(series);
 		model.addAttribute("maxQuantityOfImagesExceeded", maxQuantityOfImagesExceeded);
 		
 		if (result.hasErrors() || maxQuantityOfImagesExceeded) {
@@ -390,5 +398,26 @@ private static String redirectTo(String url, Object... args) {
 		return "redirect:" + dstUrl;
 	}
 	
+	private static boolean isUserCanAddImagesToSeries(SeriesDto series) {
+		return isAdmin()
+			|| isOwner(series) && isAllowedToAddingImages(series);
+	}
+	
+	private static boolean isAdmin() {
+		return SecurityContextUtils.hasAuthority(
+			new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES")
+		);
+	}
+	
+	@SuppressWarnings("PMD.UnusedNullCheckInEquals")
+	private static boolean isOwner(SeriesDto series) {
+		Integer userId = SecurityContextUtils.getUserId();
+		return userId != null
+			&& Objects.equals(
+				series.getCreatedBy(),
+				userId
+			);
+	}
+	
 }
 
diff --git a/src/main/java/ru/mystamps/web/dao/dto/SeriesFullInfoDto.java b/src/main/java/ru/mystamps/web/dao/dto/SeriesFullInfoDto.java
@@ -37,6 +37,7 @@ public class SeriesFullInfoDto {
 	private final Integer quantity;
 	private final Boolean perforated;
 	private final String  comment;
+	private final Integer createdBy;
 	
 	private final BigDecimal michelPrice;
 	private final String michelCurrency;
diff --git a/src/main/java/ru/mystamps/web/dao/impl/RowMappers.java b/src/main/java/ru/mystamps/web/dao/impl/RowMappers.java
@@ -115,6 +115,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 		Integer quantity     = rs.getInt("quantity");
 		Boolean perforated   = rs.getBoolean("perforated");
 		String comment       = rs.getString("comment");
+		Integer createdBy    = rs.getInt("created_by");
 		
 		BigDecimal michelPrice = rs.getBigDecimal("michel_price");
 		String michelCurrency  = rs.getString("michel_currency");
@@ -151,6 +152,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 			quantity,
 			perforated,
 			comment,
+			createdBy,
 			michelPrice,
 			michelCurrency,
 			scottPrice,
diff --git a/src/main/java/ru/mystamps/web/service/SeriesServiceImpl.java b/src/main/java/ru/mystamps/web/service/SeriesServiceImpl.java
@@ -155,7 +155,6 @@ public Integer add(AddSeriesDto dto, Integer userId, boolean userCanAddComments)
 
 	@Override
 	@Transactional
-	@PreAuthorize("hasAuthority('ADD_IMAGES_TO_SERIES')")
 	public void addImageToSeries(AddImageDto dto, Integer seriesId, Integer userId) {
 		Validate.isTrue(dto != null, "DTO must be non null");
 		Validate.isTrue(seriesId != null, "Series id must be non null");
diff --git a/src/main/java/ru/mystamps/web/service/dto/SeriesDto.java b/src/main/java/ru/mystamps/web/service/dto/SeriesDto.java
@@ -83,6 +83,10 @@ public String getComment() {
 		return info.getComment();
 	}
 	
+	public Integer getCreatedBy() {
+		return info.getCreatedBy();
+	}
+	
 	public CatalogInfoDto getYvert() {
 		return yvert;
 	}
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java b/src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java
@@ -73,10 +73,10 @@ private static Collection<? extends GrantedAuthority> getAuthorities(UserDetails
 		authorities.add(new SimpleGrantedAuthority("CREATE_COUNTRY"));
 		authorities.add(new SimpleGrantedAuthority("CREATE_SERIES"));
 		authorities.add(new SimpleGrantedAuthority("UPDATE_COLLECTION"));
-		authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 		
 		if (userDetails.isAdmin()) {
 			authorities.add(new SimpleGrantedAuthority("ADD_COMMENTS_TO_SERIES"));
+			authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 			authorities.add(new SimpleGrantedAuthority("VIEW_SITE_EVENTS"));
 			
 			// gives access to Togglz web console
diff --git a/src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java b/src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java
@@ -17,11 +17,13 @@
  */
 package ru.mystamps.web.support.spring.security;
 
+import java.util.Collections;
 import java.util.Optional;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
 
@@ -34,6 +36,17 @@ public static boolean hasAuthority(HttpServletRequest request, String authority)
 		return new SecurityContextHolderAwareRequestWrapper(request, null).isUserInRole(authority);
 	}
 	
+	/**
+	 * @author Sergey Chechenev
+	 */
+	public static boolean hasAuthority(GrantedAuthority authority) {
+		return Optional
+			.ofNullable(SecurityContextHolder.getContext().getAuthentication())
+			.map(Authentication::getAuthorities)
+			.orElse(Collections.emptyList())
+			.contains(authority);
+	}
+	
 	/**
 	 * @author Sergey Chechenev
 	 * @author Slava Semushin
diff --git a/src/main/resources/sql/series_dao_queries.properties b/src/main/resources/sql/series_dao_queries.properties
@@ -98,6 +98,7 @@ series.find_full_info_by_id = \
         , s.gibbons_price \
         , s.gibbons_currency \
         , s.comment \
+        , s.created_by \
      FROM series s \
      JOIN categories cat \
        ON cat.id = s.category_id \
diff --git a/src/main/webapp/WEB-INF/views/series/info.html b/src/main/webapp/WEB-INF/views/series/info.html
@@ -295,7 +295,7 @@
 							
 					</div>
 					
-					<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES" sec:authorize="hasAuthority('ADD_IMAGES_TO_SERIES')">
+					<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES">
 						<div class="col-sm-4">
 							<div class="row">
 								<div class="col-sm-6 col-sm-offset-3">

Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,10 @@ public String getComment() {`
`83`	`83`	`return info.getComment();`
`84`	`84`	`}`
`85`	`85`
	`86`	`+ public Integer getCreatedBy() {`
	`87`	`+ return info.getCreatedBy();`
	`88`	`+ }`
	`89`	`+`
`86`	`90`	`public CatalogInfoDto getYvert() {`
`87`	`91`	`return yvert;`
`88`	`92`	`}`