From e3a5673114ea27bb47d1311b2d0f70db148cdf0f Mon Sep 17 00:00:00 2001 From: Pekka Helenius Date: Sat, 3 Oct 2020 19:16:58 +0300 Subject: [PATCH] Prevent unauthorized access to book data even if hash id is known Signed-off-by: Pekka Helenius --- .../bookstore/web/BookController.java | 23 ++++++++++++++++++- .../bookstore/web/BookRestController.java | 19 ++++++++++++++- 2 files changed, 40 insertions(+), 2 deletions(-) diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java index 662f092..d5be729 100644 --- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java +++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookController.java @@ -259,15 +259,27 @@ public class BookController { @PathVariable("hash_id") String bookHashId, Model dataModel, HttpServletRequest requestData, - HttpServletResponse responseData + HttpServletResponse responseData, + Authentication authData ) { + String authorities = authData.getAuthorities().toString(); + try { Long bookIdFromHash = bookHashRepository.findByHashId(bookHashId).getBookId(); Book book = bookRepository.findById(bookIdFromHash).get(); dataModel.addAttribute("book", book); + /* + * Prevent other than MARKETING users to access hidden book + * data even if they knew hash id. + */ + if (!book.getPublish() && !authorities.contains("MARKETING") ) { + //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST); + return "redirect:/" + bookListPageView; + } + httpServerLogger.log(requestData, responseData); return bookEditPageView; 
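Review bot: The authorization test `!authorities.contains("MARKETING")` is a substring match on the `toString()` of the whole authority collection, so any authority whose name merely contains that text would also unlock unpublished books; compare full authority names instead, e.g. `authData.getAuthorities().stream().map(GrantedAuthority::getAuthority).anyMatch(MARKETING_AUTHORITY::equals)` with `MARKETING_AUTHORITY` being a constant holding the exact authority name the application grants. The same check is repeated in the second hunk of this file and in BookRestController, so it belongs in one shared helper, which is also the natural place to handle a null `authData` should this mapping ever be reachable anonymously (presumably it is not — confirm against the security configuration). The denial branch returns before `httpServerLogger.log(requestData, responseData)`, so refused requests for hidden books leave no trace in that log, whereas the REST hunk in this commit logs before returning; logging the refusal first gives operators a signal for repeated probing of hash ids. The commented-out `setStatus` line is dead code and should be dropped. The enclosing `try` block continues past the end of the hunk.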
@@ -350,6 +362,15 @@ public class BookController { return bookEditPageView; } + /* + * Prevent other than MARKETING users to access hidden book + * data even if they knew hash id. + */ + if (!book.getPublish() && !authorities.contains("MARKETING") ) { + //responseData.setStatus(HttpServletResponse.SC_BAD_REQUEST); + return "redirect:/" + bookListPageView; + } + /* * More sophisticated methods are required to handle * user input with random letter cases etc. considered diff --git a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java index b21d92e..51a7ddc 100644 --- a/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java +++ b/bookstore/src/main/java/com/fjordtek/bookstore/web/BookRestController.java @@ -78,12 +78,29 @@ public class BookRestController { public @ResponseBody Optional getBookRestData( @PathVariable("hash_id") String bookHashId, HttpServletRequest requestData, - HttpServletResponse responseData + HttpServletResponse responseData, + Authentication authData ) { + String authorities = authData.getAuthorities().toString(); + try { Long bookId = new Long(bookHashRepository.findByHashId(bookHashId).getBookId()); + + Book book = bookRepository.findById(bookId).get(); + + /* + * Prevent other than MARKETING users to access hidden book + * data even if they knew hash id. + */ + if (!book.getPublish() && !authorities.contains("MARKETING") ) { + responseData.setHeader("Location", "/" + bookListPageView); + responseData.setStatus(302); + httpServerLogger.log(requestData, responseData); + return null; + } + httpServerLogger.log(requestData, responseData); return bookRepository.findById(bookId);
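Review bot: The new guard relies on `book` and `authorities` established above the hunk, so whether it protects hidden data depends on where `book` comes from: if it is the entity loaded by hash id the check is sound, but if it is the form-bound object posted by the client, `getPublish()` is caller-controlled and the branch is bypassed simply by submitting the book as published — confirm against the lines preceding the hunk. For a request that modifies data, a bare redirect with no status change and no log entry also hides the refusal from operators; calling `httpServerLogger.log(requestData, responseData);` before the `return` would match what BookRestController does in this same commit. The substring comparison on the authority string is the issue already raised on the first hunk of this file. The enclosing method starts and ends outside the hunk.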
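Review bot: For a `@ResponseBody` endpoint the denial branch answers with a hand-built 302 to the HTML book list and `return null`, which a REST client cannot follow meaningfully and which confirms that the hash resolved to a hidden book; respond with an error status and an empty body instead, `responseData.setStatus(HttpServletResponse.SC_FORBIDDEN);` followed by `return Optional.empty();`, dropping the `setHeader("Location", …)` line (a 404 would additionally avoid confirming that the id exists — the project's choice). The book is now loaded once for the check and then loaded again by `bookRepository.findById(bookId)` on the return line; `return Optional.of(book);` avoids the second query. The substring comparison in the authority check is the issue raised on BookController's first hunk and should share its fix. The enclosing `try` block continues past the end of the hunk.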