
Commit 1179142

committed
CollectionService.findSeriesWithPricesBySlug(): restrict access by only an owner who is also a paid user.
Fix #891
1 parent 4222a84 commit 1179142


3 files changed

+6
-3
lines changed


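--- a/pom.xml
+++ b/pom.xml
@@ -754,6 +754,8 @@
 <showWarnings>true</showWarnings>
 <debug>false</debug>
 <failOnWarning>true</failOnWarning>
+<!-- Required for using method's parameters inside of @PreAuthorize expressions -->
+<parameters>true</parameters>
 </configuration>
 </plugin>
 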
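--- a/src/main/java/ru/mystamps/web/service/CollectionServiceImpl.java
+++ b/src/main/java/ru/mystamps/web/service/CollectionServiceImpl.java
@@ -152,10 +152,9 @@ public List<LinkEntityDto> findRecentlyCreated(int quantity) {
 }
 
 // @todo #884 CollectionService.findSeriesWithPricesBySlug(): add unit tests
-// @todo #884 CollectionService.findSeriesWithPricesBySlug(): restrict access by only an owner
 @Override
 @Transactional(readOnly = true)
-@PreAuthorize(HasAuthority.ADD_SERIES_PRICE)
+@PreAuthorize(HasAuthority.ADD_SERIES_PRICE_AND_COLLECTION_OWNER)
 public List<SeriesInCollectionWithPriceDto> findSeriesWithPricesBySlug(
 String slug,
 String lang) {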
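Review bot: The owner check in the new `@PreAuthorize` resolves `#slug` by the method's parameter name, so it is only as reliable as the compiler flag added in pom.xml; any compilation path that omits `-parameters` (an IDE build, for instance) would leave `#slug` unresolved without any compile error. Spring Security's parameter-name discovery also honours its `@P` annotation, so marking the parameter, `@P("slug") String slug,`, keeps the check independent of the build configuration; the pom.xml comment could likewise name the expression that depends on it. The `@todo #884` line about unit tests is still open in this hunk, and that is where a denial test for a non-owner (and for an unresolved `#slug`) belongs. The method body continues past the end of the hunk.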

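--- a/src/main/java/ru/mystamps/web/support/spring/security/HasAuthority.java
+++ b/src/main/java/ru/mystamps/web/support/spring/security/HasAuthority.java
@@ -21,7 +21,9 @@
 public final class HasAuthority {
 // Constants sorted in an ascending order.
 public static final String ADD_PARTICIPANT = "hasAuthority('" + StringAuthority.ADD_PARTICIPANT + "')";
-public static final String ADD_SERIES_PRICE = "hasAuthority('" + StringAuthority.ADD_SERIES_PRICE + "')";
+@SuppressWarnings("PMD.LongVariable")
+public static final String ADD_SERIES_PRICE_AND_COLLECTION_OWNER
+= "hasAuthority('" + StringAuthority.ADD_SERIES_PRICE + "') and principal?.userCollectionSlug == #slug";
 public static final String ADD_SERIES_SALES = "hasAuthority('" + StringAuthority.ADD_SERIES_SALES + "')";
 public static final String CREATE_CATEGORY = "hasAuthority('" + StringAuthority.CREATE_CATEGORY + "')";
 public static final String CREATE_COUNTRY = "hasAuthority('" + StringAuthority.CREATE_COUNTRY + "')";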
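Review bot: The equality in `ADD_SERIES_PRICE_AND_COLLECTION_OWNER` is null-tolerant: SpEL's `==` treats two nulls as equal, so a principal whose `userCollectionSlug` is null would pass the owner half whenever `#slug` also evaluates to null (an unresolved parameter name, or a null argument). Guarding the variable explicitly, `... and #slug != null and principal?.userCollectionSlug == #slug`, makes the expression fail closed in that case. Whether a null `userCollectionSlug` can occur for an authenticated user is not visible here; if it cannot, a comment stating that invariant next to the constant would make the reliance explicit. The constant would also benefit from a short comment recording that it may only be placed on methods whose slug parameter is named `slug`.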
