
Commit ae08224

cssruphp-coder
authored andcommitted
Rework permissions for adding images: admin can add any number, owner only quantity+1.
Fix #166
1 parent a4221f0 commit ae08224


9 files changed

+55
-6
lines changed


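--- a/src/main/java/ru/mystamps/web/controller/SeriesController.java
+++ b/src/main/java/ru/mystamps/web/controller/SeriesController.java
@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -47,6 +48,8 @@
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
 import lombok.RequiredArgsConstructor;
 
 import ru.mystamps.web.Url;
@@ -216,7 +219,7 @@ public String showInfo(
 
 model.addAttribute(
 "allowAddingImages",
-isAllowedToAddingImages(series)
+isUserCanAddImagesToSeries(series)
 );
 
 model.addAttribute("maxQuantityOfImagesExceeded", false);
@@ -247,6 +250,11 @@ public String processImage(
 return null;
 }
 
+if (!isUserCanAddImagesToSeries(series)) {
+response.sendError(HttpServletResponse.SC_FORBIDDEN);
+return null;
+}
+
 model.addAttribute("series", series);
 
 // CheckStyle: ignore LineLength for next 4 lines
@@ -262,10 +270,10 @@ public String processImage(
 
 model.addAttribute(
 "allowAddingImages",
-isAllowedToAddingImages(series)
+isUserCanAddImagesToSeries(series)
 );
 
-boolean maxQuantityOfImagesExceeded = !isAllowedToAddingImages(series);
+boolean maxQuantityOfImagesExceeded = !isAdmin() && !isAllowedToAddingImages(series);
 model.addAttribute("maxQuantityOfImagesExceeded", maxQuantityOfImagesExceeded);
 
 if (result.hasErrors() || maxQuantityOfImagesExceeded) {
@@ -390,5 +398,26 @@ private static String redirectTo(String url, Object... args) {
 return "redirect:" + dstUrl;
 }
 
+private static boolean isUserCanAddImagesToSeries(SeriesDto series) {
+return isAdmin()
+|| isOwner(series) && isAllowedToAddingImages(series);
+}
+
+private static boolean isAdmin() {
+return SecurityContextUtils.hasAuthority(
+new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES")
+);
+}
+
+@SuppressWarnings("PMD.UnusedNullCheckInEquals")
+private static boolean isOwner(SeriesDto series) {
+Integer userId = SecurityContextUtils.getUserId();
+return userId != null
+&& Objects.equals(
+series.getCreatedBy(),
+userId
+);
+}
+
 }
 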
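Review bot: `isAdmin()` at new line 406 does not test an admin role but the single authority ADD_IMAGES_TO_SERIES, so the name promises more than the check delivers and the helper will be misread as soon as a second authority is consulted; a name such as `canAddImagesToAnySeries()` keeps the policy legible at the call site in isUserCanAddImagesToSeries. The mixed `||`/`&&` at new lines 402–403 is correct by precedence but a permission rule deserves explicit grouping: `return isAdmin() || (isOwner(series) && isAllowedToAddingImages(series));`. Separately, once the forbidden guard added at new line 253 in processImage has passed, `maxQuantityOfImagesExceeded` at new line 276 can no longer become true for a non-admin (a non-admin only passes the guard when isAllowedToAddingImages is true, assuming that helper depends only on the series), so an owner at the limit now receives a bare 403 instead of the maxQuantityOfImagesExceeded message. If that message is still meant to be reachable, the limit check has to run before the guard; otherwise the expression can be reduced to `false` as showInfo already does at new line 225.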

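--- a/src/main/java/ru/mystamps/web/dao/dto/SeriesFullInfoDto.java
+++ b/src/main/java/ru/mystamps/web/dao/dto/SeriesFullInfoDto.java
@@ -37,6 +37,7 @@ public class SeriesFullInfoDto {
 private final Integer quantity;
 private final Boolean perforated;
 private final String comment;
+private final Integer createdBy;
 
 private final BigDecimal michelPrice;
 private final String michelCurrency;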

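--- a/src/main/java/ru/mystamps/web/dao/impl/RowMappers.java
+++ b/src/main/java/ru/mystamps/web/dao/impl/RowMappers.java
@@ -115,6 +115,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 Integer quantity = rs.getInt("quantity");
 Boolean perforated = rs.getBoolean("perforated");
 String comment = rs.getString("comment");
+Integer createdBy = rs.getInt("created_by");
 
 BigDecimal michelPrice = rs.getBigDecimal("michel_price");
 String michelCurrency = rs.getString("michel_currency");
@@ -151,6 +152,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 quantity,
 perforated,
 comment,
+createdBy,
 michelPrice,
 michelCurrency,
 scottPrice,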
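Review bot: `rs.getInt("created_by")` at new line 118 maps SQL NULL to 0 rather than null, and unlike the neighbouring columns this value now feeds an authorization decision (SeriesController.isOwner compares it with the current user id). If created_by can be NULL for older rows, the null-safe `Objects.equals` in isOwner never sees the null it was written for, and a principal whose id happened to be 0 would be treated as the owner; `Integer createdBy = rs.getObject("created_by", Integer.class);` (JDBC 4.1) preserves NULL, or pair `getInt` with a `rs.wasNull()` check. If the column is NOT NULL in the schema, a one-line comment saying so here would document why the lossy accessor is acceptable. forSeriesFullInfoDto starts and ends outside the hunks.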

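--- a/src/main/java/ru/mystamps/web/service/SeriesServiceImpl.java
+++ b/src/main/java/ru/mystamps/web/service/SeriesServiceImpl.java
@@ -155,7 +155,6 @@ public Integer add(AddSeriesDto dto, Integer userId, boolean userCanAddComments)
 
 @Override
 @Transactional
-@PreAuthorize("hasAuthority('ADD_IMAGES_TO_SERIES')")
 public void addImageToSeries(AddImageDto dto, Integer seriesId, Integer userId) {
 Validate.isTrue(dto != null, "DTO must be non null");
 Validate.isTrue(seriesId != null, "Series id must be non null");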
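Review bot: Dropping `@PreAuthorize("hasAuthority('ADD_IMAGES_TO_SERIES')")` from addImageToSeries (old line 158) leaves the service method with no authorization of its own; the admin-or-owner rule now lives only in SeriesController.processImage, so any other present or future caller of the service (another controller, a job, a test harness) can attach an image to any series. A service-layer guard should remain even when the controller decides the fine-grained case, e.g. `@PreAuthorize("isAuthenticated()")` as a floor, and ideally the ownership rule itself belongs in the service where it cannot be bypassed. The method body continues outside the hunk.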

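--- a/src/main/java/ru/mystamps/web/service/dto/SeriesDto.java
+++ b/src/main/java/ru/mystamps/web/service/dto/SeriesDto.java
@@ -83,6 +83,10 @@ public String getComment() {
 return info.getComment();
 }
 
+public Integer getCreatedBy() {
+return info.getCreatedBy();
+}
+
 public CatalogInfoDto getYvert() {
 return yvert;
 }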

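--- a/src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java
+++ b/src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java
@@ -73,10 +73,10 @@ private static Collection<? extends GrantedAuthority> getAuthorities(UserDetails
 authorities.add(new SimpleGrantedAuthority("CREATE_COUNTRY"));
 authorities.add(new SimpleGrantedAuthority("CREATE_SERIES"));
 authorities.add(new SimpleGrantedAuthority("UPDATE_COLLECTION"));
-authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 
 if (userDetails.isAdmin()) {
 authorities.add(new SimpleGrantedAuthority("ADD_COMMENTS_TO_SERIES"));
+authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 authorities.add(new SimpleGrantedAuthority("VIEW_SITE_EVENTS"));
 
 // gives access to Togglz web console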

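--- a/src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java
+++ b/src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java
@@ -17,11 +17,13 @@
 */
 package ru.mystamps.web.support.spring.security;
 
+import java.util.Collections;
 import java.util.Optional;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
 
@@ -34,6 +36,17 @@ public static boolean hasAuthority(HttpServletRequest request, String authority)
 return new SecurityContextHolderAwareRequestWrapper(request, null).isUserInRole(authority);
 }
 
+/**
+* @author Sergey Chechenev
+*/
+public static boolean hasAuthority(GrantedAuthority authority) {
+return Optional
+.ofNullable(SecurityContextHolder.getContext().getAuthentication())
+.map(Authentication::getAuthorities)
+.orElse(Collections.emptyList())
+.contains(authority);
+}
+
 /**
 * @author Sergey Chechenev
 * @author Slava Semushin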
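Review bot: `.contains(authority)` at new line 47 relies on `GrantedAuthority.equals`, and `SimpleGrantedAuthority.equals` only matches another SimpleGrantedAuthority; if the principal's authorities come from a different GrantedAuthority implementation the check fails closed and the caller is denied for the wrong reason. Comparing the authority strings, as the `isUserInRole(String)` overload just above already does, removes that coupling: `.orElse(Collections.emptyList()).stream()` followed by `.anyMatch(a -> authority.getAuthority().equals(a.getAuthority()));` — or take a `String` parameter to mirror the existing overload. The Javadoc at new lines 39–41 carries only an @author tag; a summary such as `Checks whether the current authentication carries the given authority; false when unauthenticated.` would document the fail-closed behaviour the Optional chain provides.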

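--- a/src/main/resources/sql/series_dao_queries.properties
+++ b/src/main/resources/sql/series_dao_queries.properties
@@ -98,6 +98,7 @@ series.find_full_info_by_id = \
 , s.gibbons_price \
 , s.gibbons_currency \
 , s.comment \
+, s.created_by \
 FROM series s \
 JOIN categories cat \
 ON cat.id = s.category_id \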

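--- a/src/main/webapp/WEB-INF/views/series/info.html
+++ b/src/main/webapp/WEB-INF/views/series/info.html
@@ -295,7 +295,7 @@
 
 </div>
 
-<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES" sec:authorize="hasAuthority('ADD_IMAGES_TO_SERIES')">
+<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES">
 <div class="col-sm-4">
 <div class="row">
 <div class="col-sm-6 col-sm-offset-3">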
