
Prevent unauthorized access to book data even if hash id is known

Signed-off-by: Pekka Helenius <fincer89@hotmail.com>
v0.0.3-alpha
Pekka Helenius 4 years ago
parent
commit
e3a5673114
2 changed files with 40 additions and 2 deletions
  1. +22
    -1
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java
  2. +18
    -1
      bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java

+ 22
- 1
bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java View File

@ -259,15 +259,27 @@ public class BookController {
@PathVariable("hash_id") String bookHashId,
Model dataModel,
HttpServletRequest requestData,
HttpServletResponse responseData
HttpServletResponse responseData,
Authentication authData
) {
String authorities = authData.getAuthorities().toString();
try {
Long bookIdFromHash = bookHashRepository.findByHashId(bookHashId).getBookId();
Book book = bookRepository.findById(bookIdFromHash).get();
dataModel.addAttribute("book", book);
/*
* Prevent other than MARKETING users to access hidden book
* data even if they knew hash id.
*/
if (!book.getPublish() && !authorities.contains("MARKETING") ) {
//responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return "redirect:/" + bookListPageView;
}
httpServerLogger.log(requestData, responseData);
return bookEditPageView;
@ -350,6 +362,15 @@ public class BookController {
return bookEditPageView;
}
/*
* Prevent other than MARKETING users to access hidden book
* data even if they knew hash id.
*/
if (!book.getPublish() && !authorities.contains("MARKETING") ) {
//responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return "redirect:/" + bookListPageView;
}
/*
* More sophisticated methods are required to handle
* user input with random letter cases etc. considered
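Review bot: The authority check `authorities.contains("MARKETING")` on `authData.getAuthorities().toString()` is a substring match over the collection's string form, so it is tied to that formatting and would also accept any authority whose name merely contains MARKETING; comparing exact authority names is the robust form, e.g. `boolean isMarketing = authData.getAuthorities().stream().map(GrantedAuthority::getAuthority).anyMatch("<MARKETING_AUTHORITY_NAME>"::equals);` with the project's real role string in place of the placeholder. The same expression is repeated in the second hunk of this file and in BookRestController, so it would be worth centralising in one helper. In the first hunk the denial branch returns before `httpServerLogger.log(requestData, responseData);`, so refused accesses to hidden books are not logged by this controller while BookRestController does log them; moving the log call ahead of the redirect keeps the two consistent and keeps denied requests visible. `dataModel.addAttribute("book", book);` also runs before the publish check, so the hidden book is placed in the model for a request that is about to be refused; adding it after the check costs nothing and avoids relying on the redirect discarding it. If a request can reach this handler with no Authentication in the security context, `authData` is null and the toString call throws, which depends on filter configuration not shown here; both enclosing method bodies begin and end outside the hunks.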


+ 18
- 1
bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java View File

@ -78,12 +78,29 @@ public class BookRestController {
public @ResponseBody Optional<Book> getBookRestData(
@PathVariable("hash_id") String bookHashId,
HttpServletRequest requestData,
HttpServletResponse responseData
HttpServletResponse responseData,
Authentication authData
) {
String authorities = authData.getAuthorities().toString();
try {
Long bookId = new Long(bookHashRepository.findByHashId(bookHashId).getBookId());
Book book = bookRepository.findById(bookId).get();
/*
* Prevent other than MARKETING users to access hidden book
* data even if they knew hash id.
*/
if (!book.getPublish() && !authorities.contains("MARKETING") ) {
responseData.setHeader("Location", "/" + bookListPageView);
responseData.setStatus(302);
httpServerLogger.log(requestData, responseData);
return null;
}
httpServerLogger.log(requestData, responseData);
return bookRepository.findById(bookId);
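Review bot: For a `@ResponseBody` endpoint, answering the hidden-book case with a 302 Location header and `return null;` turns an authorization decision into a browser-style redirect that API clients will follow or misreport; a status that states the outcome, e.g. `responseData.setStatus(HttpServletResponse.SC_NOT_FOUND);` (or SC_FORBIDDEN if revealing that a hidden book exists is acceptable) with no Location header, is the conventional response. `new Long(bookHashRepository.findByHashId(bookHashId).getBookId())` uses the deprecated boxing constructor; `Long.valueOf(...)` is the replacement, and `findById(bookId).get()` throws NoSuchElementException when the id is absent, presumably handled by the surrounding try/catch that ends outside the hunk, worth confirming. The final `return bookRepository.findById(bookId);` repeats a lookup already done for `book`; `return Optional.of(book);` returns the same entity without the second query. The `authorities.contains("MARKETING")` substring check shares the weakness noted on BookController, and `authData` being null for an unauthenticated request would make the toString call throw if such requests can reach this handler. The enclosing method body ends outside the hunk.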

