improve security.

2019-08-30 22:32:30 +02:00
parent f5bff403f0
commit 9e88b33595
14 changed files with 109 additions and 39 deletions
--- a/src/main/kotlin/fr/dcproject/security/voter/ArticleVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/ArticleVoter.kt
@@ -3,6 +3,7 @@ package fr.dcproject.security.voter
 import fr.dcproject.entity.User
 import io.ktor.application.ApplicationCall
 import fr.dcproject.entity.Article as ArticleEntity
+import fr.dcproject.entity.Comment as CommentEntity
 import fr.dcproject.entity.Vote as VoteEntity

 class ArticleVoter: Voter {
@@ -15,7 +16,8 @@ class ArticleVoter: Voter {

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
        return (action is Action || action is CommentVoter.Action || action is VoteVoter.Action)
-                && subject is ArticleEntity?
+               &&
+               (subject is List<*> || subject is ArticleEntity? || subject is VoteEntity<*> || subject is CommentEntity<*>)
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
@@ -25,7 +27,19 @@ class ArticleVoter: Voter {
        }

        if (action == Action.VIEW) {
-            return Vote.GRANTED
+            if (subject is ArticleEntity) {
+                return if (subject.isDeleted()) Vote.DENIED
+                else Vote.GRANTED
+            }
+            if (subject is List<*>) {
+                subject.forEach {
+                    if (it !is ArticleEntity || it.isDeleted()) {
+                        return Vote.DENIED
+                    }
+                }
+                return Vote.GRANTED
+            }
+            return Vote.DENIED
        }

        if (action is CommentVoter.Action) return voteForComment(action)
--- a/src/main/kotlin/fr/dcproject/security/voter/CitizenVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/CitizenVoter.kt
@@ -13,7 +13,9 @@ class CitizenVoter: Voter {
    }

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
-        return action is Action && subject is Citizen?
+        return (action is Action)
+               &&
+               (subject is List<*> || subject is Citizen?)
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
@@ -22,8 +24,20 @@ class CitizenVoter: Voter {
            return Vote.GRANTED
        }

-        if (action == Action.VIEW && user != null) {
-            return Vote.GRANTED
+        if (action == Action.VIEW) {
+            if (subject is Citizen) {
+                return if (subject.isDeleted()) Vote.DENIED
+                else Vote.GRANTED
+            }
+            if (subject is List<*>) {
+                subject.forEach {
+                    if (it !is Citizen || it.isDeleted()) {
+                        return Vote.DENIED
+                    }
+                }
+                return Vote.GRANTED
+            }
+            return Vote.DENIED
        }

        if (action == Action.DELETE) {
--- a/src/main/kotlin/fr/dcproject/security/voter/CommentVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/CommentVoter.kt
@@ -12,7 +12,8 @@ class CommentVoter: Voter {
    }

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
-        return action is Action && subject is Comment<*>?
+        return (action is Action) &&
+               (subject is Comment<*>? || subject is List<*>)
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
@@ -22,7 +23,19 @@ class CommentVoter: Voter {
        }

        if (action == Action.VIEW) {
-            return Vote.GRANTED
+            if (subject is Comment<*>) {
+                return if (subject.isDeleted()) Vote.DENIED
+                else Vote.GRANTED
+            }
+            if (subject is List<*>) {
+                subject.forEach {
+                    if (it !is Comment<*> || it.isDeleted()) {
+                        return Vote.DENIED
+                    }
+                }
+                return Vote.GRANTED
+            }
+            return Vote.DENIED
        }

        if (action == Action.UPDATE && user != null && subject is Comment<*> && user.id == subject.createdBy?.userId) {
--- a/src/main/kotlin/fr/dcproject/security/voter/ConstitutionVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/ConstitutionVoter.kt
@@ -1,5 +1,6 @@
 package fr.dcproject.security.voter

+import fr.dcproject.entity.Comment
 import fr.dcproject.entity.User
 import io.ktor.application.ApplicationCall
 import fr.dcproject.entity.Constitution as ConstitutionEntity
@@ -14,7 +15,9 @@ class ConstitutionVoter: Voter {
    }

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
-        return (action is Action || action is CommentVoter.Action) && subject is ConstitutionEntity?
+        return (action is Action || action is CommentVoter.Action || action is VoteVoter.Action)
+               &&
+               (subject is List<*> || subject is ConstitutionEntity? || subject is VoteEntity<*> || subject is Comment<*>)
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
@@ -24,7 +27,19 @@ class ConstitutionVoter: Voter {
        }

        if (action == Action.VIEW) {
-            return Vote.GRANTED
+            if (subject is ConstitutionEntity) {
+                return if (subject.isDeleted()) Vote.DENIED
+                else Vote.GRANTED
+            }
+            if (subject is List<*>) {
+                subject.forEach {
+                    if (it !is ConstitutionEntity || it.isDeleted()) {
+                        return Vote.DENIED
+                    }
+                }
+                return Vote.GRANTED
+            }
+            return Vote.DENIED
        }

        if (action == Action.DELETE && user is User && subject is ConstitutionEntity && subject.createdBy?.userId == user.id) {