php-coder · cssru · Apr 11, 2016
@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Objects;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -47,6 +48,8 @@
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
 import lombok.RequiredArgsConstructor;
 
 import ru.mystamps.web.Url;
@@ -216,7 +219,7 @@ public String showInfo(
 
 		model.addAttribute(
 			"allowAddingImages",
-			isAllowedToAddingImages(series)
+			isUserCanAddImagesToSeries(series)
 		);
 
 		model.addAttribute("maxQuantityOfImagesExceeded", false);
@@ -247,6 +250,11 @@ public String processImage(
 			return null;
 		}
 
+		if (!isUserCanAddImagesToSeries(series)) {
+			response.sendError(HttpServletResponse.SC_FORBIDDEN);
+			return null;
+		}
+
 		model.addAttribute("series", series);
 
 		// CheckStyle: ignore LineLength for next 4 lines
@@ -262,10 +270,10 @@ public String processImage(
 
 		model.addAttribute(
 			"allowAddingImages",
-			isAllowedToAddingImages(series)
+			isUserCanAddImagesToSeries(series)
 		);
 
-		boolean maxQuantityOfImagesExceeded = !isAllowedToAddingImages(series);
+		boolean maxQuantityOfImagesExceeded = !isAdmin() && !isAllowedToAddingImages(series);
 		model.addAttribute("maxQuantityOfImagesExceeded", maxQuantityOfImagesExceeded);
 
 		if (result.hasErrors() || maxQuantityOfImagesExceeded) {
@@ -390,5 +398,26 @@ private static String redirectTo(String url, Object... args) {
 		return "redirect:" + dstUrl;
 	}
 
+	private static boolean isUserCanAddImagesToSeries(SeriesDto series) {
+		return isAdmin()
+			|| isOwner(series) && isAllowedToAddingImages(series);
+	}
+
+	private static boolean isAdmin() {
+		return SecurityContextUtils.hasAuthority(
+			new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES")
+		);
+	}
+
+	@SuppressWarnings("PMD.UnusedNullCheckInEquals")
+	private static boolean isOwner(SeriesDto series) {
+		Integer userId = SecurityContextUtils.getUserId();
+		return userId != null
+			&& Objects.equals(
+				series.getCreatedBy(),
+				userId
+			);
+	}
+
 }
 
@@ -37,6 +37,7 @@ public class SeriesFullInfoDto {
 	private final Integer quantity;
 	private final Boolean perforated;
 	private final String  comment;
+	private final Integer createdBy;
 
 	private final BigDecimal michelPrice;
 	private final String michelCurrency;

@@ -114,6 +114,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 		Integer quantity     = rs.getInt("quantity");
 		Boolean perforated   = rs.getBoolean("perforated");
 		String comment       = rs.getString("comment");
+		Integer createdBy    = rs.getInt("created_by");
 
 		BigDecimal michelPrice = rs.getBigDecimal("michel_price");
 		String michelCurrency  = rs.getString("michel_currency");
@@ -150,6 +151,7 @@ public static SeriesFullInfoDto forSeriesFullInfoDto(ResultSet rs, int i) throws
 			quantity,
 			perforated,
 			comment,
+			createdBy,
 			michelPrice,
 			michelCurrency,
 			scottPrice,

@@ -155,7 +155,6 @@ public Integer add(AddSeriesDto dto, Integer userId, boolean userCanAddComments)
 
 	@Override
 	@Transactional
-	@PreAuthorize("hasAuthority('ADD_IMAGES_TO_SERIES')")
 	public void addImageToSeries(AddImageDto dto, Integer seriesId, Integer userId) {
 		Validate.isTrue(dto != null, "DTO must be non null");
 		Validate.isTrue(seriesId != null, "Series id must be non null");

@@ -83,6 +83,10 @@ public String getComment() {
 		return info.getComment();
 	}
 
+	public Integer getCreatedBy() {
+		return info.getCreatedBy();
+	}
+
 	public CatalogInfoDto getYvert() {
 		return yvert;
 	}

@@ -73,10 +73,10 @@ private static Collection<? extends GrantedAuthority> getAuthorities(UserDetails
 		authorities.add(new SimpleGrantedAuthority("CREATE_COUNTRY"));
 		authorities.add(new SimpleGrantedAuthority("CREATE_SERIES"));
 		authorities.add(new SimpleGrantedAuthority("UPDATE_COLLECTION"));
-		authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 
 		if (userDetails.isAdmin()) {
 			authorities.add(new SimpleGrantedAuthority("ADD_COMMENTS_TO_SERIES"));
+			authorities.add(new SimpleGrantedAuthority("ADD_IMAGES_TO_SERIES"));
 			authorities.add(new SimpleGrantedAuthority("VIEW_SITE_EVENTS"));
 
 			// gives access to Togglz web console

@@ -17,11 +17,13 @@
  */
 package ru.mystamps.web.support.spring.security;
 
+import java.util.Collections;
 import java.util.Optional;
 
 import javax.servlet.http.HttpServletRequest;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
 
@@ -34,6 +36,17 @@ public static boolean hasAuthority(HttpServletRequest request, String authority)
 		return new SecurityContextHolderAwareRequestWrapper(request, null).isUserInRole(authority);
 	}
 
+	/**
+	 * @author Sergey Chechenev
+	 */
+	public static boolean hasAuthority(GrantedAuthority authority) {
+		return Optional
+			.ofNullable(SecurityContextHolder.getContext().getAuthentication())
+			.map(Authentication::getAuthorities)
+			.orElse(Collections.emptyList())
+			.contains(authority);
+	}
+
 	/**
 	 * @author Sergey Chechenev
 	 * @author Slava Semushin

@@ -98,6 +98,7 @@ series.find_full_info_by_id = \
         , s.gibbons_price \
         , s.gibbons_currency \
         , s.comment \
+        , s.created_by \
      FROM series s \
      JOIN categories cat \
        ON cat.id = s.category_id \

@@ -295,7 +295,7 @@
 
 					</div>
 
-					<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES" sec:authorize="hasAuthority('ADD_IMAGES_TO_SERIES')">
+					<div class="row" th:if="${allowAddingImages}" togglz:active="ADD_ADDITIONAL_IMAGES_TO_SERIES">
 						<div class="col-sm-4">
 							<div class="row">
 								<div class="col-sm-6 col-sm-offset-3">