Fincer
/
java-bookstore
mirror of https://github.com/Fincer/java-bookstore
1
0
Fork 0
Code Issues 0 Releases 4 Wiki Activity
Browse Source

Update authorization checks and improve their descriptions 

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.3-alpha
Pekka Helenius 4 years ago
parent
534204e76f
commit
dc4d9a76b3
2 changed files with 15 additions and 3 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +10
    -2
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
  2. +5
    -1
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java

+ 10
- 2
bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java View File

@ -296,8 +296,12 @@ public class BookController {
/* /*
* Prevent other than MARKETING users to access hidden book * Prevent other than MARKETING users to access hidden book
* data even if they knew hash id. * data even if they knew hash id.
*
* In this scenario, a book is invisible but a user still knows book's hash id.
* However, he/she has no proper MARKETING authorization
* to access the URL so we force him/her out of the page.
*/ */
if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
if ( !book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
//responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST); //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return "redirect:" + env.getProperty("page.url.list"); return "redirect:" + env.getProperty("page.url.list");
} }
@ -405,8 +409,12 @@ public class BookController {
/* /*
* Prevent other than MARKETING users to access hidden book * Prevent other than MARKETING users to access hidden book
* data even if they knew hash id. * data even if they knew hash id.
*
* In this scenario, an authenticated user has manually injected publish value to
* true but has no MARKETING authority. We force him/her out of the page to prevent
* unauthorized data manipulation.
*/ */
if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
if ( book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
//responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST); //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return "redirect:" + env.getProperty("page.url.list"); return "redirect:" + env.getProperty("page.url.list");
} }


+ 5
- 1
bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java View File

@ -95,8 +95,12 @@ public class BookRestController {
/* /*
* Prevent other than MARKETING users to access hidden book * Prevent other than MARKETING users to access hidden book
* data even if they knew hash id. * data even if they knew hash id.
*
* In this scenario, a book is invisible but a user still knows book's hash id.
* However, he/she has no proper MARKETING authorization
* to access the URL so we force him/her out of the page.
*/ */
if (!book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
if ( !book.getPublish() && !authorities.contains(env.getProperty("auth.authority.sales")) ) {
responseData.setHeader("Location", env.getProperty("page.url.index")); responseData.setHeader("Location", env.getProperty("page.url.index"));
responseData.setStatus(302); responseData.setStatus(302);
httpServerLogger.log(requestData, responseData); httpServerLogger.log(requestData, responseData);


Write Preview
Loading…
Cancel
Save