From 83e4e07f5031a68df374b1bdd3ddadf53e26a0e0 Mon Sep 17 00:00:00 2001
From: neviyn
Date: Sun, 18 Apr 2021 12:00:01 +0100
Subject: [PATCH] Deduplicated PreAuthorize in ProjectController
---
 .../neviyn/projectplanner/HtmlController.kt | 20 ++++++++-----------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/src/main/kotlin/uk/co/neviyn/projectplanner/HtmlController.kt b/src/main/kotlin/uk/co/neviyn/projectplanner/HtmlController.kt
index d87dc6f..4edb03c 100644
--- a/src/main/kotlin/uk/co/neviyn/projectplanner/HtmlController.kt
+++ b/src/main/kotlin/uk/co/neviyn/projectplanner/HtmlController.kt
@@ -5,11 +5,11 @@ import org.springframework.http.HttpStatus
 import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.security.core.annotation.AuthenticationPrincipal
 import org.springframework.stereotype.Controller
-import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.ui.Model
 import org.springframework.validation.BindingResult
+import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.ModelAttribute
+import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RequestMapping
@@ -88,7 +88,7 @@ class HtmlController @Autowired constructor(val userRepository: UserRepository,
 @GetMapping("/projects")
 @Transactional
- fun listUserProjects(model: Model, @AuthenticationPrincipal userDetails: CustomUserDetails) : String {
+ fun listUserProjects(model: Model, @AuthenticationPrincipal userDetails: CustomUserDetails): String {
 val user = entityManager.merge(userDetails.user) // Reattach User entity
 model.addAttribute("projects", user.projects.sortedBy { it.id })
 model.addAttribute("newProject", NewProject(""))
@@ -97,12 +97,16 @@ class HtmlController @Autowired constructor(val userRepository: UserRepository,
 }
+@Suppress("ELValidationInJSP", "SpringElInspection")
+@PreAuthorize("hasPermission(#id, 'Long', '')")
+annotation class IsProjectMember
+
 @Controller
 @RequestMapping("/project/{id}")
+@IsProjectMember
 class ProjectController @Autowired constructor(val projectRepository: ProjectRepository, val userRepository: UserRepository, val eventRepository: EventRepository, val commentRepository: CommentRepository) {
 @GetMapping("")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 fun getProject(@PathVariable id: Long, model: Model): String {
 val project = projectRepository.findById(id).get()
 val nonMembers = userRepository.findByIdNotIn(project.members.map { it.id!! })
@@ -112,7 +116,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @GetMapping("/events")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun getProjectEventsBetween(@PathVariable id: Long, @RequestParam start: Instant?, @RequestParam end: Instant?) : Set {
 val project = projectRepository.findById(id).get()
@@ -124,7 +127,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 @PostMapping("/adduser")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 fun addUserToProject(@PathVariable id: Long, @RequestParam("uid") uid: Long) : String {
 val user = userRepository.findById(uid).get()
 val project = projectRepository.findById(id).get()
@@ -134,7 +136,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @PostMapping("/removeuser")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 fun removeUserFromProject(@PathVariable id: Long, @RequestParam("id") uid: Long) : String{
 val project = projectRepository.findById(id).get()
 // Don't allow projects to have no members
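Review bot: The class-level `@IsProjectMember` ties authorization to an undocumented naming contract — `hasPermission(#id, 'Long', '')` resolves `#id` by method-parameter name, so any handler later added to ProjectController without a parameter named `id` (or one renamed to e.g. `@PathVariable("id") projectId`) evaluates `hasPermission(null, 'Long', '')`, and whether that denies depends on the project's PermissionEvaluator, which is not visible here. The annotation class should state this contract, e.g. `/** Grants access only to members of the project whose id is bound to a method parameter named "id"; every handler in an annotated class must declare one. */`, and narrowing it with `@Target(AnnotationTarget.CLASS, AnnotationTarget.FUNCTION)` would make its intended placement explicit. A test that exercises each `/project/{id}` route as a non-member would turn a future parameter rename into a failing build rather than a silently weakened check. Note also that the membership check only scopes the path id: in the `/deleteevent` hunk, `deleteEvent` deletes `e.id` straight from the request body with no check that the event belongs to project `#id`, so the centralised annotation cannot be the only guard there (`editEvent` in the preceding hunk loads `e.id` the same way, though its body continues outside that hunk). The ProjectController class body continues past the end of this hunk.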
@@ -146,7 +147,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @PostMapping("/addevent")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun addEventToProject(@PathVariable id: Long, @RequestBody e: NewEvent) {
 val project = projectRepository.findById(id).get()
@@ -155,7 +155,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @PostMapping("/editevent")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun editEvent(@PathVariable id: Long, @RequestBody e: EditedEvent) {
 val event = eventRepository.findById(e.id).get()
@@ -167,14 +166,12 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @PostMapping("/deleteevent")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun deleteEvent(@PathVariable id: Long, @RequestBody e: EventID) {
 eventRepository.deleteById(e.id)
 }
 @GetMapping("/eventcomments/{eventID}")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun getCommentsForEvent(@PathVariable id: Long, @PathVariable eventID: Long): List {
 val project = projectRepository.findById(id).get()
@@ -184,7 +181,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 }
 @PostMapping("/addcomment/{eventID}")
- @PreAuthorize("hasPermission(#id, 'Long', '')")
 @ResponseBody
 fun addCommentToEvent(@PathVariable id: Long, @PathVariable eventID: Long, @RequestBody c: NewComment, @AuthenticationPrincipal userDetails: CustomUserDetails) {
 val event = eventRepository.findById(eventID).get()