Browse Source

Prevent unauthorized users to alter book prices

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.4-alpha
Pekka Helenius 4 years ago
parent
commit
249bd5b6b4
1 changed files with 5 additions and 2 deletions
  1. +5
    -2
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java

+ 5
- 2
bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java View File

@ -400,11 +400,14 @@ public class BookController {
* Prevent other than MARKETING users to access hidden book * Prevent other than MARKETING users to access hidden book
* data even if they knew hash id. * data even if they knew hash id.
* *
* In this scenario, an authenticated user has manually injected publish value to
* In this scenario, an authenticated user has manually injected publish or price value to
* true but has no MARKETING authority. We force him/her out of the page to prevent * true but has no MARKETING authority. We force him/her out of the page to prevent
* unauthorized data manipulation. * unauthorized data manipulation.
*/ */
if ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
if (
( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) ||
( book.getPrice() != null && !authorities.contains(env.getProperty("auth.authority.sales")) )
) {
//responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST); //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return "redirect:" + env.getProperty("page.url.list"); return "redirect:" + env.getProperty("page.url.list");
} }


Loading…
Cancel
Save