From 249bd5b6b4771d40877e54d2a5fc0816561427c8 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Thu, 8 Oct 2020 17:29:04 +0300
Subject: [PATCH] Prevent unauthorized users to alter book prices

Signed-off-by: Pekka Helenius
---
 .../java/com/fjordtek/bookstore/web/BookController.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
index dc5f9b2..cb9e4b8 100644
--- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
+++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
@@ -400,11 +400,14 @@ public class BookController {
 * Prevent other than MARKETING users to access hidden book
 * data even if they knew hash id.
 *
- * In this scenario, an authenticated user has manually injected publish value to
+ * In this scenario, an authenticated user has manually injected publish or price value to
 * true but has no MARKETING authority. We force him/her out of the page to prevent
 * unauthorized data manipulation.
 */
- if ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
+ if (
+ ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) ||
+ ( book.getPrice() != null && !authorities.contains(env.getProperty("auth.authority.sales")) )
+ ) {
 //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
 return "redirect:" + env.getProperty("page.url.list");
 }
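Review bot: The `auth.authority.sales` lookup is evaluated twice in the new condition; hoisting it lets the rule read as a single precondition, e.g. `boolean hasSalesAuthority = authorities.contains(env.getProperty("auth.authority.sales"));` followed by `if ( !hasSalesAuthority && (book.getPublish() || book.getPrice() != null) ) {`. The rewritten comment line says the user injected a "publish or price value to true", which does not describe a price; `* In this scenario, an authenticated user has submitted a publish flag or a price without holding the authority that permits it` would match what the code now tests. The comment also speaks of MARKETING authority while the code checks the property `auth.authority.sales`; if both name the same role, state that in the comment, otherwise the Javadoc misleads the next reader. Because `getPrice() != null` is presumably true whenever the edit form echoes back an already-stored price, it is worth confirming that users without the sales authority can still submit the form at all; if not, the guard should compare the submitted price against the persisted one rather than test for presence. The enclosing method begins and ends outside the hunk.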