added security check that checks if user can see the exercise he is liking and...

added security check that checks if user can see the exercise he is liking and added an index on exercise_id to likes table

added security check that checks if user can see the exercise he is liking and...
added security check that checks if user can see the exercise he is liking and added an index on exercise_id to likes table
9eae70a7 · Eduard Frankford · b12a61a9 · 9eae70a7 · 9eae70a7 · 9eae70a7
Commit 9eae70a7 authored 3 years ago by Eduard Frankford
--- a/src/main/java/at/ac/uibk/gitsearch/service/SearchService.java
+++ b/src/main/java/at/ac/uibk/gitsearch/service/SearchService.java
@@ -29,6 +29,7 @@ import at.ac.uibk.gitsearch.repository.gitlab.GitLabRepository;
 import at.ac.uibk.gitsearch.repository.search.MetaDataRepository;
 import at.ac.uibk.gitsearch.security.jwt.TokenProvider;
 import at.ac.uibk.gitsearch.service.dto.AutoCompleteEntry;
+import at.ac.uibk.gitsearch.security.AuthoritiesConstants.AuthoritiesConstantEnum;

 /**
 * Service for exercise/course search results
@@ -65,7 +66,7 @@ public class SearchService {
 		return metaDataRepository.getKeywordsAutoComplete(keyWordPrefix, max);
 	}

-		/**
+	/**
 	 * returns all keyword autocompletes for keyWord
 	 *
 	 * @param formatPrefix
@@ -105,7 +106,8 @@ public class SearchService {
 	 * @return
 	 * @throws IOException
 	 */
-	public List<AutoCompleteEntry> getContributorCreatorAutoComplete(String contributorPrefix, int max) throws IOException {
+	public List<AutoCompleteEntry> getContributorCreatorAutoComplete(String contributorPrefix, int max)
+			throws IOException {
 		return metaDataRepository.getContributorCreatorAutoComplete(contributorPrefix, max);
 	}

@@ -131,9 +133,8 @@ public class SearchService {
 	public SearchResultsDTO searchResultPage(SearchInputDTO searchInput) throws IOException {
 		final Optional<User> principal = tokenProvider.getCurrentPrincipal();
 		log.debug("Searchrequest for {} ", searchInput);
-		
-		final SearchResultsDTO pageDetails = metaDataRepository.pageDetails(searchInput,
-				principal);
+
+		final SearchResultsDTO pageDetails = metaDataRepository.pageDetails(searchInput, principal);

 		pageDetails.getSearchResult().stream()
 				.forEach(hit -> pluginManagementService.getRegisteredPluginConfigs().stream()
@@ -149,12 +150,13 @@ public class SearchService {
 	 * returns the result page
 	 *
 	 * @param searchInput the query definition
-	 * @param page       the index of the first record to be returned
+	 * @param page        the index of the first record to be returned
 	 * @param length      the number of records on page
 	 */
 	public SearchResultsDTO watchListResultPage(Stream<String> exerciseIds, int page, int length) throws IOException {

-		final SearchResultsDTO pageDetails = metaDataRepository.getExercisesById(exerciseIds,tokenProvider.getCurrentPrincipal(), page, length);
+		final SearchResultsDTO pageDetails = metaDataRepository.getExercisesById(exerciseIds,
+				tokenProvider.getCurrentPrincipal(), page, length);

 		pageDetails.getSearchResult().stream()
 				.forEach(hit -> pluginManagementService.getRegisteredPluginConfigs().stream()
@@ -212,19 +214,22 @@ public class SearchService {
 		}
 	}

-	
 	public File exportExercise(String exerciseId) throws IOException {
-		try{
-			final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId, tokenProvider.getCurrentPrincipal());
+		try {
+			final SearchResultDTO exercise = metaDataRepository.getExerciseById(exerciseId,
+					tokenProvider.getCurrentPrincipal());
 			final GitLabApi gitLabApi = gitLabRepository.getGitLabApi(tokenProvider.getGitLabAccessInfo());
-			InputStream inputFile = shoppingBasketService.rePackageGitLabProjectZip(new ZipInputStream(gitLabApi.getRepositoryApi().getRepositoryArchive(exercise.getProject().getProject_id(), "HEAD", "zip")), "from project " + exerciseId);
+			InputStream inputFile = shoppingBasketService.rePackageGitLabProjectZip(
+					new ZipInputStream(gitLabApi.getRepositoryApi()
+							.getRepositoryArchive(exercise.getProject().getProject_id(), "HEAD", "zip")),
+					"from project " + exerciseId);
 			File file = new File("exercise" + exerciseId + ".zip");
-	
-			return copyInputStreamToFile(inputFile, file);}
-			catch(GitLabApiException exception){
-				log.error(exception.getMessage());
-				return null;
-			}
+
+			return copyInputStreamToFile(inputFile, file);
+		} catch (GitLabApiException exception) {
+			log.error(exception.getMessage());
+			return null;
+		}
 	}

 	private File copyInputStreamToFile(InputStream inputStream, File file) throws IOException {
@@ -239,10 +244,30 @@ public class SearchService {
 			return file;
 		}
 	}
-	
+
+	public Boolean hasAccessToExerciseId(String exerciseId) {
+
+		if (tokenProvider.getCurrentPrincipal().isEmpty()) {
+			log.warn("Cannot find a principal for for exercise {}", exerciseId);
+			return false;
+		}
+		if (tokenProvider.getCurrentPrincipal().get().getAuthorities()
+				.contains(AuthoritiesConstantEnum.ADMIN.getGrantedAuthority())) {
+			log.info("Admin can access everything : {}", exerciseId);
+			return true; // ADMIN is always allowed
+		}
+		SearchResultDTO result = metaDataRepository.getExerciseById(exerciseId, tokenProvider.getCurrentPrincipal());
+		if (result == null) {
+			log.warn("Cannot find exercise for : {}", exerciseId);
+			return false;
+		}
+		return true;
+	}
+
 	public Optional<SearchResultDTO> findExerciseById(ExerciseId exerciseId) {
 		try {
-			SearchResultDTO result = metaDataRepository.getExerciseById(exerciseId.toString(), tokenProvider.getCurrentPrincipal());
+			SearchResultDTO result = metaDataRepository.getExerciseById(exerciseId.toString(),
+					tokenProvider.getCurrentPrincipal());
 			return Optional.ofNullable(result);
 		} catch (javax.ws.rs.NotFoundException e) {
 			log.error("exercise with id {} not found?", exerciseId, e);

--- a/src/main/java/at/ac/uibk/gitsearch/web/rest/LikesResource.java
+++ b/src/main/java/at/ac/uibk/gitsearch/web/rest/LikesResource.java
@@ -3,6 +3,7 @@ package at.ac.uibk.gitsearch.web.rest;
 import at.ac.uibk.gitsearch.domain.Likes;
 import at.ac.uibk.gitsearch.security.AuthoritiesConstants;
 import at.ac.uibk.gitsearch.service.LikesService;
+import at.ac.uibk.gitsearch.service.SearchService;
 import at.ac.uibk.gitsearch.service.UserService;
 import at.ac.uibk.gitsearch.web.rest.errors.BadRequestAlertException;
 import at.ac.uibk.gitsearch.service.dto.LikesCriteria;
@@ -47,13 +48,15 @@ public class LikesResource {

    private final LikesService likesService;
    private final UserService userService;
+    private final SearchService searchService;

    private final LikesQueryService likesQueryService;

-    public LikesResource(LikesService likesService, LikesQueryService likesQueryService, UserService userService) {
+    public LikesResource(LikesService likesService, LikesQueryService likesQueryService, UserService userService, SearchService searchService) {
        this.likesService = likesService;
        this.likesQueryService = likesQueryService;
        this.userService = userService;
+        this.searchService = searchService;
    }

    /**
@@ -105,7 +108,8 @@ public class LikesResource {
    @PutMapping("/likeExercise")
    public ResponseEntity<Likes> updateLikeWithexerciseID(@RequestBody Likes likes) {

-        if (likes.getExerciseID() != null) {
+        if (likes.getExerciseID() != null && searchService.hasAccessToExerciseId(likes.getExerciseID())) {
+
            Likes like = likesService.findLikesByUserIDandExerciseID(userService.getUserWithAuthorities().get().getId().intValue(), likes.getExerciseID());
            
            if(like == null){

--- a/src/main/resources/.h2.server.properties
+++ b/src/main/resources/.h2.server.properties
 #H2 Server Properties
-#Tue Jun 15 15:37:27 CEST 2021
+#Wed Jul 14 11:21:35 CEST 2021
 0=JHipster H2 (Disk)|org.h2.Driver|jdbc\:h2\:file\:./target/h2db/db/gitsearch|gitsearch
 webSSL=false
 webAllowOthers=true

--- a/src/main/resources/config/liquibase/changelog/20211407105122_added_Index_exerciseID.xml
+++ b/src/main/resources/config/liquibase/changelog/20211407105122_added_Index_exerciseID.xml
+<?xml version="1.0" encoding="utf-8"?>
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+    xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.9.xsd
+                        http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd">
+
+    <!--
+        create index on exercise_id.
+    -->
+    <changeSet id="20211407105122-1" author="eduard frankford">
+        <createIndex indexName="index_exerciseID" tableName="likes">
+            <column name="exercise_id"></column>
+            <column name="user_id"></column>
+            <column name="id"></column>
+            <column name="date"></column>
+        </createIndex>
+    </changeSet>
+</databaseChangeLog>
\ No newline at end of file
--- a/src/main/resources/config/liquibase/master.xml
+++ b/src/main/resources/config/liquibase/master.xml
@@ -25,6 +25,7 @@
    <include file="config/liquibase/changelog/20210613120444_added_entity_Likes.xml" relativeToChangelogFile="false"/>
    <include file="config/liquibase/changelog/20210701160634_changelog.xml" relativeToChangelogFile="false"/>
    <include file="config/liquibase/changelog/20210702104135_update_projectID_Likes.xml" relativeToChangelogFile="false"/>
+    <include file="config/liquibase/changelog/20211407105122_added_Index_exerciseID.xml" relativeToChangelogFile="false"/>

    <!-- jhipster-needle-liquibase-add-changelog - JHipster will add liquibase changelogs here -->