improve security.

2019-08-30 22:32:30 +02:00
parent f5bff403f0
commit 9e88b33595
14 changed files with 109 additions and 39 deletions
--- a/src/main/kotlin/fr/dcproject/routes/Article.kt
+++ b/src/main/kotlin/fr/dcproject/routes/Article.kt
@@ -16,7 +16,6 @@ import io.ktor.routing.Route
 import fr.dcproject.entity.Article as ArticleEntity
 import fr.dcproject.repository.Article as ArticleRepository

-
@KtorExperimentalLocationsAPI
 object ArticlesPaths {
    @Location("/articles") class ArticlesRequest(page: Int = 1, limit: Int = 50, val sort: String? = null, val direction: RepositoryI.Direction? = null, val search: String? = null) {
@@ -30,9 +29,8 @@ object ArticlesPaths {
@KtorExperimentalLocationsAPI
 fun Route.article(repo: ArticleRepository) {
    get<ArticlesPaths.ArticlesRequest> {
-        assertCan(VIEW)
-
        val articles = repo.find(it.page, it.limit, it.sort, it.direction, it.search)
+        assertCan(VIEW, articles.result)
        call.respond(articles)
    }

@@ -43,11 +41,11 @@ fun Route.article(repo: ArticleRepository) {
    }

    post<ArticlesPaths.PostArticleRequest> {
-        assertCan(CREATE)
-
        val article = call.receive<ArticleEntity>()
        article.createdBy = citizen

+        assertCan(CREATE, article)
+
        repo.upsert(article)

        call.respond(article)
--- a/src/main/kotlin/fr/dcproject/routes/Citizen.kt
+++ b/src/main/kotlin/fr/dcproject/routes/Citizen.kt
@@ -26,9 +26,8 @@ object CitizenPaths {
@KtorExperimentalLocationsAPI
 fun Route.citizen(repo: CitizenRepository) {
    get<CitizenPaths.CitizensRequest> {
-        assertCan(VIEW)
-
        val citizens = repo.find(it.page, it.limit, it.sort, it.direction, it.search)
+        assertCan(VIEW, citizens.result)
        call.respond(citizens)
    }

--- a/src/main/kotlin/fr/dcproject/routes/CommentArticle.kt
+++ b/src/main/kotlin/fr/dcproject/routes/CommentArticle.kt
@@ -27,10 +27,8 @@ object CommentArticlePaths {
@KtorExperimentalLocationsAPI
 fun Route.commentArticle(repo: CommentArticleRepository) {
    get<CommentArticlePaths.ArticleCommentRequest> {
-        assertCan(VIEW, it.article)
-
        val comment = repo.findByTarget(it.article)
-
+        assertCan(VIEW, comment.result)
        call.respond(HttpStatusCode.OK, comment)
    }

@@ -50,6 +48,7 @@ fun Route.commentArticle(repo: CommentArticleRepository) {

    get<CommentArticlePaths.CitizenCommentArticleRequest> {
        val comments = repo.findByCitizen(it.citizen)
+        assertCan(VIEW, comments.result)
        call.respond(comments)
    }
 }
--- a/src/main/kotlin/fr/dcproject/routes/CommentConstitution.kt
+++ b/src/main/kotlin/fr/dcproject/routes/CommentConstitution.kt
@@ -27,22 +27,19 @@ object CommentConstitutionPaths {
@KtorExperimentalLocationsAPI
 fun Route.commentConstitution(repo: CommentConstitutionRepository) {
    get<CommentConstitutionPaths.ConstitutionCommentRequest> {
-        assertCan(VIEW, it.constitution)
-
-        val comment = repo.findByTarget(it.constitution)
-
-        call.respond(HttpStatusCode.OK, comment)
+        val comments = repo.findByTarget(it.constitution)
+        assertCan(VIEW, comments.result)
+        call.respond(HttpStatusCode.OK, comments)
    }

    post<CommentConstitutionPaths.ConstitutionCommentRequest> {
-        assertCan(CREATE, it.constitution)
-
        val content = call.receiveText()
        val comment = CommentEntity(
            target = it.constitution,
            createdBy = citizen,
            content = content
        )
+        assertCan(CREATE, comment)
        repo.comment(comment)

        call.respond(HttpStatusCode.Created, comment)
@@ -50,6 +47,7 @@ fun Route.commentConstitution(repo: CommentConstitutionRepository) {

    get<CommentConstitutionPaths.CitizenCommentConstitutionRequest> {
        val comments = repo.findByCitizen(it.citizen)
+        assertCan(VIEW, comments.result)
        call.respond(comments)
    }
 }
--- a/src/main/kotlin/fr/dcproject/routes/Constitution.kt
+++ b/src/main/kotlin/fr/dcproject/routes/Constitution.kt
@@ -1,6 +1,9 @@
 package fr.dcproject.routes

 import fr.dcproject.citizen
+import fr.dcproject.security.voter.ConstitutionVoter.Action.CREATE
+import fr.dcproject.security.voter.ConstitutionVoter.Action.VIEW
+import fr.dcproject.security.voter.assertCan
 import fr.postgresjson.repository.RepositoryI
 import io.ktor.application.call
 import io.ktor.locations.KtorExperimentalLocationsAPI
@@ -28,16 +31,19 @@ object ConstitutionPaths {
 fun Route.constitution(repo: ConstitutionRepository) {
    get<ConstitutionPaths.ConstitutionsRequest> {
        val constitutions = repo.find(it.page, it.limit, it.sort, it.direction, it.search)
+        assertCan(VIEW, constitutions.result)
        call.respond(constitutions)
    }

    get<ConstitutionPaths.ConstitutionRequest> {
+        assertCan(VIEW, it.constitution)
        call.respond(it.constitution)
    }

    post<ConstitutionPaths.PostConstitutionRequest> {
        val constitution = call.receive<ConstitutionEntity>()
        constitution.createdBy = citizen
+        assertCan(CREATE, constitution)

        repo.upsert(constitution)

--- a/src/main/kotlin/fr/dcproject/routes/FollowArticle.kt
+++ b/src/main/kotlin/fr/dcproject/routes/FollowArticle.kt
@@ -20,17 +20,25 @@ object FollowArticlePaths {
@KtorExperimentalLocationsAPI
 fun Route.followArticle(repo: FollowArticleRepository) {
    post<FollowArticlePaths.ArticleFollowRequest> {
-        repo.follow(FollowEntity(target = it.article, createdBy = this.citizen))
+        val follow = FollowEntity(target = it.article, createdBy = this.citizen)
+        // TODO create voter
+//        assertCan(FollowVoter.Action.CREATE, follow)
+        repo.follow(follow)
        call.respond(HttpStatusCode.Created)
    }

    delete<FollowArticlePaths.ArticleFollowRequest> {
-        repo.unfollow(FollowEntity(target = it.article, createdBy = this.citizen))
+        val follow = FollowEntity(target = it.article, createdBy = this.citizen)
+        // TODO create voter
+//        assertCan(FollowVoter.Action.DELETE, follow)
+        repo.unfollow(follow)
        call.respond(HttpStatusCode.NoContent)
    }

    get<FollowArticlePaths.CitizenFollowArticleRequest> {
        val follows = repo.findByCitizen(it.citizen)
+        // TODO add security
+//        assertCan(FollowVoter.Action.VIEW, follows)
        call.respond(follows)
    }
 }
--- a/src/main/kotlin/fr/dcproject/routes/FollowConstitution.kt
+++ b/src/main/kotlin/fr/dcproject/routes/FollowConstitution.kt
@@ -20,17 +20,25 @@ object FollowConstitutionPaths {
@KtorExperimentalLocationsAPI
 fun Route.followConstitution(repo: FollowConstitutionRepository) {
    post<FollowConstitutionPaths.ConstitutionFollowRequest> {
-        repo.follow(FollowEntity(target = it.constitution, createdBy = this.citizen))
+        val follow = FollowEntity(target = it.constitution, createdBy = this.citizen)
+//        TODO create voter
+//        assertCan(FollowVoter.Action.CREATE, follow)
+        repo.follow(follow)
        call.respond(HttpStatusCode.Created)
    }

    delete<FollowConstitutionPaths.ConstitutionFollowRequest> {
-        repo.unfollow(FollowEntity(target = it.constitution, createdBy = this.citizen))
+        val follow = FollowEntity(target = it.constitution, createdBy = this.citizen)
+//        TODO create voter
+//        assertCan(FollowVoter.Action.DELETE, follow)
+        repo.unfollow(follow)
        call.respond(HttpStatusCode.NoContent)
    }

    get<FollowConstitutionPaths.CitizenFollowConstitutionRequest> {
        val follows = repo.findByCitizen(it.citizen)
+//        TODO create voter
+//        assertCan(FollowVoter.Action.VIEW, follows)
        call.respond(follows)
    }
 }