Content restriction: client only retrieves itself

fadul97 · Sep 10, 2021 · 75cf06c · 75cf06c
1 parent 8ba6b28
commit 75cf06c
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 0 deletions.
diff --git a/...om/leonardofadul/springboot/ionic/learning/project/exceptions/AuthorizationException.java b/...om/leonardofadul/springboot/ionic/learning/project/exceptions/AuthorizationException.java
@@ -0,0 +1,12 @@
+package com.leonardofadul.springboot.ionic.learning.project.exceptions;
+
+public class AuthorizationException extends RuntimeException{
+
+    public AuthorizationException(String msg){
+        super(msg);
+    }
+
+    public AuthorizationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/...adul/springboot/ionic/learning/project/resources/exceptions/ResourceExceptionHandler.java b/...adul/springboot/ionic/learning/project/resources/exceptions/ResourceExceptionHandler.java
@@ -1,5 +1,6 @@
 package com.leonardofadul.springboot.ionic.learning.project.resources.exceptions;
 
+import com.leonardofadul.springboot.ionic.learning.project.exceptions.AuthorizationException;
 import com.leonardofadul.springboot.ionic.learning.project.exceptions.DataIntegrityException;
 import com.leonardofadul.springboot.ionic.learning.project.exceptions.ObjectNotFoundException;
 import org.springframework.http.HttpStatus;
@@ -36,4 +37,10 @@ public ResponseEntity<StandardError> validation(MethodArgumentNotValidException
 
         return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(err);
     }
+
+    @ExceptionHandler(AuthorizationException.class)
+    public ResponseEntity<StandardError> authorization(AuthorizationException e, HttpServletRequest request){
+        StandardError err = new StandardError(HttpStatus.FORBIDDEN.value(), e.getMessage(), System.currentTimeMillis());
+        return ResponseEntity.status(HttpStatus.NOT_FOUND).body(err);
+    }
 }
diff --git a/src/main/java/com/leonardofadul/springboot/ionic/learning/project/security/UserSS.java b/src/main/java/com/leonardofadul/springboot/ionic/learning/project/security/UserSS.java
@@ -66,4 +66,8 @@ public boolean isCredentialsNonExpired() {
     public boolean isEnabled() {
         return true;
     }
+
+    public boolean hasRole(Profile profile){
+        return getAuthorities().contains(new SimpleGrantedAuthority(profile.getDescription()));
+    }
 }
diff --git a/...main/java/com/leonardofadul/springboot/ionic/learning/project/services/ClientService.java b/...main/java/com/leonardofadul/springboot/ionic/learning/project/services/ClientService.java
@@ -4,13 +4,16 @@
 import com.leonardofadul.springboot.ionic.learning.project.domain.City;
 import com.leonardofadul.springboot.ionic.learning.project.domain.Client;
 import com.leonardofadul.springboot.ionic.learning.project.domain.enums.ClientType;
+import com.leonardofadul.springboot.ionic.learning.project.domain.enums.Profile;
 import com.leonardofadul.springboot.ionic.learning.project.dto.ClientDTO;
 import com.leonardofadul.springboot.ionic.learning.project.dto.ClientNewDTO;
+import com.leonardofadul.springboot.ionic.learning.project.exceptions.AuthorizationException;
 import com.leonardofadul.springboot.ionic.learning.project.exceptions.DataIntegrityException;
 import com.leonardofadul.springboot.ionic.learning.project.exceptions.ObjectNotFoundException;
 import com.leonardofadul.springboot.ionic.learning.project.repositories.AddressRepository;
 import com.leonardofadul.springboot.ionic.learning.project.repositories.CityRepository;
 import com.leonardofadul.springboot.ionic.learning.project.repositories.ClientRepository;
+import com.leonardofadul.springboot.ionic.learning.project.security.UserSS;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.data.domain.Page;
@@ -40,6 +43,11 @@ public class ClientService {
     private AddressRepository addressRepository;
 
     public Client find(Integer id){
+        UserSS user = UserService.authenticated();
+        if(user == null || !user.hasRole(Profile.ADMIN) && !id.equals(user.getId())){
+            throw new AuthorizationException("Access denied");
+        }
+
         Optional<Client> obj = clientRepository.findById(id);
         return  obj.orElseThrow(() -> new ObjectNotFoundException(
                 "Object not found! Id: " +  id + ", Type: " + Client.class.getName()

diff --git a/src/main/java/com/leonardofadul/springboot/ionic/learning/project/services/UserService.java b/src/main/java/com/leonardofadul/springboot/ionic/learning/project/services/UserService.java
@@ -0,0 +1,15 @@
+package com.leonardofadul.springboot.ionic.learning.project.services;
+
+import com.leonardofadul.springboot.ionic.learning.project.security.UserSS;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+public class UserService {
+
+    public static UserSS authenticated(){
+        try{
+            return (UserSS) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        } catch (Exception e){
+            return null;
+        }
+    }
+}