From a0d07e88a1005ffeef872a7e0bd98b9493495cad Mon Sep 17 00:00:00 2001 
From: Fabrice Lecomte Date: Wed, 31 Mar 2021 02:31:37 +0200 Subject: [PATCH] Fix all security routes --- .../component/article/routes/UpsertArticle.kt | 2 ++ .../fr/dcproject/component/auth/CitizenContext.kt | 14 ++++++++++++++ .../component/citizen/routes/ChangeMyPassword.kt | 2 ++ .../component/citizen/routes/FindCitizens.kt | 2 ++ .../component/citizen/routes/GetCurrentCitizen.kt | 2 ++ .../component/citizen/routes/GetOneCitizen.kt | 2 ++ .../comment/article/routes/CreateCommentArticle.kt | 2 ++ .../article/routes/GetCitizenArticleComments.kt | 2 ++ .../routes/CreateConstitutionComment.kt | 2 ++ .../routes/GetCitizenCommentConstitution.kt | 2 ++ .../generic/routes/CreateCommentChildren.kt | 2 ++ .../comment/generic/routes/EditComment.kt | 2 ++ .../constitution/routes/CreateConstitution.kt | 2 ++ .../follow/routes/article/FollowArticle.kt | 2 ++ .../follow/routes/article/GetMyFollowsArticle.kt | 2 ++ .../follow/routes/article/UnfollowArticle.kt | 2 ++ .../routes/constitution/FollowConstitution.kt | 2 ++ .../constitution/GetMyFollowsConstitution.kt | 2 ++ .../routes/constitution/UnfollowConstitution.kt | 2 ++ .../component/opinion/routes/GetCitizenOpinions.kt | 2 ++ .../opinion/routes/GetMyOpinionsArticle.kt | 2 ++ .../component/opinion/routes/OpinionArticle.kt | 2 ++ .../component/vote/routes/GetCitizenVotes.kt | 2 ++ .../vote/routes/GetCitizenVotesOnArticle.kt | 2 ++ .../component/vote/routes/PutVoteOnArticle.kt | 2 ++ .../component/vote/routes/PutVoteOnComment.kt | 2 ++ .../component/vote/routes/PutVoteOnConstitution.kt | 2 ++ .../component/workgroup/routes/CreateWorkgroup.kt | 2 ++ .../component/workgroup/routes/DeleteWorkgroup.kt | 2 ++ .../component/workgroup/routes/EditWorkgroup.kt | 2 ++ .../routes/members/AddMemberToWorkgroup.kt | 2 ++ .../routes/members/DeleteMembersOfWorkgroup.kt | 2 ++ .../routes/members/UpdateMemberOfWorkgroup.kt | 2 ++ .../kotlin/integration/Comment articles routes.kt | 1 + .../integration/Comment constitutions routes.kt | 1 + 35 
files changed, 80 insertions(+) diff --git a/src/main/kotlin/fr/dcproject/component/article/routes/UpsertArticle.kt b/src/main/kotlin/fr/dcproject/component/article/routes/UpsertArticle.kt index 4d408ad..20beaef 100644 --- a/src/main/kotlin/fr/dcproject/component/article/routes/UpsertArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/article/routes/UpsertArticle.kt @@ -8,6 +8,7 @@ import fr.dcproject.component.article.database.ArticleRepository import fr.dcproject.component.article.routes.UpsertArticle.UpsertArticleRequest.Input import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.notification.ArticleUpdateNotification import fr.dcproject.component.notification.Publisher import fr.dcproject.component.workgroup.database.WorkgroupRef @@ -54,6 +55,7 @@ object UpsertArticle { } post { + mustBeAuth() val article = call.convertRequestToEntity() ac.assert { canUpsert(article, citizenOrNull) } repo.upsert(article)?.let { a -> diff --git a/src/main/kotlin/fr/dcproject/component/auth/CitizenContext.kt b/src/main/kotlin/fr/dcproject/component/auth/CitizenContext.kt index 466998a..ee766e1 100644 --- a/src/main/kotlin/fr/dcproject/component/auth/CitizenContext.kt +++ b/src/main/kotlin/fr/dcproject/component/auth/CitizenContext.kt 
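Review bot: The `mustBeAuth()` call at the top of the `post` handler depends on every future handler author remembering to add the same line, and a route written without it is silently anonymous, which fails open. The code already reads the principal through Ktor's Authentication feature (`authentication.principal()` in CitizenContext.kt), so wrapping these routes in Ktor's `authenticate { }` block, or a single route-level interceptor that calls `mustBeAuth()`, would enforce the requirement once at the routing layer instead of per handler. Once the guard has run, `citizenOrNull` cannot be null at `ac.assert { canUpsert(article, citizenOrNull) }`, so passing `citizen` there would state the intent explicitly (a non-null value is accepted wherever the nullable one is). The `post` body continues past the end of the hunk.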
@@ -26,7 +26,21 @@ val ApplicationCall.citizenOrNull: CitizenEntity? GlobalContext.get().koin.get().findByUser(it) } +val ApplicationCall.isAuth: Boolean + get() = citizenOrNull == null + +fun ApplicationCall.mustBeAuth() { + citizenOrNull ?: throw ForbiddenException("No User Connected") +} + val PipelineContext.citizen get() = context.citizen val PipelineContext.citizenOrNull get() = context.citizenOrNull val ApplicationCall.user get() = authentication.principal() + +val PipelineContext.isAuth: Boolean + get() = citizenOrNull == null + +fun PipelineContext.mustBeAuth() { + citizenOrNull ?: throw ForbiddenException("No User Connected") +} diff --git a/src/main/kotlin/fr/dcproject/component/citizen/routes/ChangeMyPassword.kt b/src/main/kotlin/fr/dcproject/component/citizen/routes/ChangeMyPassword.kt index 1c3e302..6a360de 100644 --- a/src/main/kotlin/fr/dcproject/component/citizen/routes/ChangeMyPassword.kt +++ b/src/main/kotlin/fr/dcproject/component/citizen/routes/ChangeMyPassword.kt @@ -6,6 +6,7 @@ import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull import fr.dcproject.component.auth.database.UserRepository import fr.dcproject.component.auth.database.UserWithPassword +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.CitizenAccessControl import fr.dcproject.component.citizen.database.CitizenRef import io.ktor.application.call @@ -29,6 +30,7 @@ object ChangeMyPassword { fun Route.changeMyPassword(ac: CitizenAccessControl, userRepository: UserRepository) { put { + mustBeAuth() ac.assert { canChangePassword(it.citizen, citizenOrNull) } val content = call.receiveOrBadRequest() userRepository.findByCredentials(UserPasswordCredential(citizen.user.username, content.oldPassword)) ?: throw BadRequestException("Bad Password") 
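Review bot: Both new `isAuth` properties are inverted: `get() = citizenOrNull == null` is true exactly when no user is connected, so any guard written as `if (isAuth)` would admit only anonymous callers; both getters should read `get() = citizenOrNull != null`. `mustBeAuth()` throws `ForbiddenException("No User Connected")` for a missing identity, while GetCurrentCitizen.kt in this same patch answers that condition with `HttpStatusCode.Unauthorized`; 401 is the conventional status for "not authenticated" and 403 for "authenticated but not allowed", so the helper should throw whatever project exception is mapped to 401, if one exists, and the routes should agree. `citizenOrNull` appears to resolve the citizen through `GlobalContext.get().koin.get().findByUser(it)` on each access, so `mustBeAuth()` followed by the `citizenOrNull`/`citizen` reads in every handler presumably repeats that lookup several times per request — worth confirming whether that call reaches the database and, if so, caching the result on the call. A one-line KDoc on the helper would also help: `/** Throws when no authenticated citizen is attached to the call; callers after it may use [citizen] safely. */`.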
diff --git a/src/main/kotlin/fr/dcproject/component/citizen/routes/FindCitizens.kt b/src/main/kotlin/fr/dcproject/component/citizen/routes/FindCitizens.kt index d3b1ef4..6ca46f2 100644 --- a/src/main/kotlin/fr/dcproject/component/citizen/routes/FindCitizens.kt +++ b/src/main/kotlin/fr/dcproject/component/citizen/routes/FindCitizens.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.citizen.routes import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.CitizenAccessControl import fr.dcproject.component.citizen.database.CitizenCreator import fr.dcproject.component.citizen.database.CitizenRepository @@ -30,6 +31,7 @@ object FindCitizens { fun Route.findCitizen(ac: CitizenAccessControl, repo: CitizenRepository) { get { + mustBeAuth() val citizens = repo.find(it.page, it.limit, it.sort, it.direction, it.search) ac.assert { canView(citizens.result, citizenOrNull) } call.respond( diff --git a/src/main/kotlin/fr/dcproject/component/citizen/routes/GetCurrentCitizen.kt b/src/main/kotlin/fr/dcproject/component/citizen/routes/GetCurrentCitizen.kt index d0b4d3d..4ede796 100644 --- a/src/main/kotlin/fr/dcproject/component/citizen/routes/GetCurrentCitizen.kt +++ b/src/main/kotlin/fr/dcproject/component/citizen/routes/GetCurrentCitizen.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.citizen.routes import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.CitizenAccessControl import io.ktor.application.call import io.ktor.http.HttpStatusCode 
@@ -22,6 +23,7 @@ object GetCurrentCitizen { fun Route.getCurrentCitizen(ac: CitizenAccessControl) { get { + mustBeAuth() val currentUser = citizenOrNull if (currentUser === null) { call.respond(HttpStatusCode.Unauthorized) diff --git a/src/main/kotlin/fr/dcproject/component/citizen/routes/GetOneCitizen.kt b/src/main/kotlin/fr/dcproject/component/citizen/routes/GetOneCitizen.kt index b8366c2..e49a25b 100644 --- a/src/main/kotlin/fr/dcproject/component/citizen/routes/GetOneCitizen.kt +++ b/src/main/kotlin/fr/dcproject/component/citizen/routes/GetOneCitizen.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.citizen.routes import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.CitizenAccessControl import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.citizen.database.CitizenRepository @@ -26,6 +27,7 @@ object GetOneCitizen { fun Route.getOneCitizen(ac: CitizenAccessControl, citizenRepository: CitizenRepository) { get { + mustBeAuth() val citizen = citizenRepository.findById(it.citizen.id) ?: throw NotFoundException("Citizen not found ${it.citizen.id}") ac.assert { canView(citizen, citizenOrNull) } diff --git a/src/main/kotlin/fr/dcproject/component/comment/article/routes/CreateCommentArticle.kt b/src/main/kotlin/fr/dcproject/component/comment/article/routes/CreateCommentArticle.kt index f4a103e..fd10799 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/article/routes/CreateCommentArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/article/routes/CreateCommentArticle.kt 
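Review bot: The added `mustBeAuth()` makes the following `if (currentUser === null) { call.respond(HttpStatusCode.Unauthorized)` branch unreachable and changes this endpoint's anonymous response from 401 to whatever `ForbiddenException` is mapped to (presumably 403). For a "current user" endpoint a 401 is the signal clients use to start a login, so either drop the `mustBeAuth()` line here and keep the explicit branch, or keep the guard, delete the now-dead branch, and make `mustBeAuth()` itself produce a 401. The `get` handler continues beyond the end of the hunk.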
@@ -6,6 +6,7 @@ import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.comment.article.database.CommentArticleRepository import fr.dcproject.component.comment.article.routes.CreateCommentArticle.PostArticleCommentRequest.Input import fr.dcproject.component.comment.generic.CommentAccessControl @@ -30,6 +31,7 @@ object CreateCommentArticle { fun Route.createCommentArticle(repo: CommentArticleRepository, ac: CommentAccessControl) { post { + mustBeAuth() call.receiveOrBadRequest().run { CommentForUpdate( target = it.article, diff --git a/src/main/kotlin/fr/dcproject/component/comment/article/routes/GetCitizenArticleComments.kt b/src/main/kotlin/fr/dcproject/component/comment/article/routes/GetCitizenArticleComments.kt index 3e4409f..7aa6d1d 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/article/routes/GetCitizenArticleComments.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/article/routes/GetCitizenArticleComments.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.comment.article.routes import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.comment.article.database.CommentArticleRepository import fr.dcproject.component.comment.generic.CommentAccessControl @@ -25,6 +26,7 @@ object GetCitizenArticleComments { fun Route.getCitizenArticleComments(repo: CommentArticleRepository, ac: CommentAccessControl) { get { + mustBeAuth() repo.findByCitizen(it.citizen).let { comments -> ac.assert { canView(comments.result, citizenOrNull) } call.respond( 
diff --git a/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/CreateConstitutionComment.kt b/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/CreateConstitutionComment.kt index e1034c7..cf368e4 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/CreateConstitutionComment.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/CreateConstitutionComment.kt @@ -5,6 +5,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.comment.constitution.database.CommentConstitutionRepository import fr.dcproject.component.comment.constitution.routes.CreateConstitutionComment.CreateConstitutionCommentRequest.Input import fr.dcproject.component.comment.generic.CommentAccessControl @@ -30,6 +31,7 @@ object CreateConstitutionComment { fun Route.createConstitutionComment(repo: CommentConstitutionRepository, ac: CommentAccessControl) { post { + mustBeAuth() call.receiveOrBadRequest().run { CommentForUpdate( target = it.constitution, diff --git a/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/GetCitizenCommentConstitution.kt b/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/GetCitizenCommentConstitution.kt index 3296bea..9d9b3e2 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/GetCitizenCommentConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/constitution/routes/GetCitizenCommentConstitution.kt 
@@ -3,6 +3,7 @@ package fr.dcproject.component.comment.constitution.routes import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.comment.constitution.database.CommentConstitutionRepository import fr.dcproject.component.comment.generic.CommentAccessControl @@ -25,6 +26,7 @@ object GetCitizenCommentConstitution { fun Route.getCitizenCommentConstitution(repo: CommentConstitutionRepository, ac: CommentAccessControl) { get { + mustBeAuth() val comments = repo.findByCitizen(it.citizen) ac.assert { canView(comments.result, citizenOrNull) } call.respond( diff --git a/src/main/kotlin/fr/dcproject/component/comment/generic/routes/CreateCommentChildren.kt b/src/main/kotlin/fr/dcproject/component/comment/generic/routes/CreateCommentChildren.kt index c05b973..b95d2cd 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/generic/routes/CreateCommentChildren.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/generic/routes/CreateCommentChildren.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.comment.generic.CommentAccessControl import fr.dcproject.component.comment.generic.database.CommentForUpdate import fr.dcproject.component.comment.generic.database.CommentRef @@ -29,6 +30,7 @@ object CreateCommentChildren { fun Route.createCommentChildren(repo: CommentRepository, ac: CommentAccessControl) { post { + mustBeAuth() val parent = repo.findById(it.comment.id) ?: throw NotFoundException("Comment not found") val newComment = CommentForUpdate( content = call.receiveOrBadRequest().content, 
diff --git a/src/main/kotlin/fr/dcproject/component/comment/generic/routes/EditComment.kt b/src/main/kotlin/fr/dcproject/component/comment/generic/routes/EditComment.kt index 305fa32..7aa20c0 100644 --- a/src/main/kotlin/fr/dcproject/component/comment/generic/routes/EditComment.kt +++ b/src/main/kotlin/fr/dcproject/component/comment/generic/routes/EditComment.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.comment.generic.CommentAccessControl import fr.dcproject.component.comment.generic.database.CommentRef import fr.dcproject.component.comment.generic.database.CommentRepository @@ -28,6 +29,7 @@ object EditComment { fun Route.editComment(repo: CommentRepository, ac: CommentAccessControl) { put { + mustBeAuth() val comment = repo.findById(it.comment.id) ?: throw NotFoundException("Comment not found") ac.assert { canUpdate(comment, citizenOrNull) } diff --git a/src/main/kotlin/fr/dcproject/component/constitution/routes/CreateConstitution.kt b/src/main/kotlin/fr/dcproject/component/constitution/routes/CreateConstitution.kt index 6e4a7fb..dfc69d0 100644 --- a/src/main/kotlin/fr/dcproject/component/constitution/routes/CreateConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/constitution/routes/CreateConstitution.kt @@ -6,6 +6,7 @@ import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.Citizen import fr.dcproject.component.citizen.database.CitizenWithUserI import fr.dcproject.component.constitution.ConstitutionAccessControl 
@@ -68,6 +69,7 @@ object CreateConstitution { fun Route.createConstitution(repo: ConstitutionRepository, ac: ConstitutionAccessControl) { post { + mustBeAuth() getNewConstitution(call.receiveOrBadRequest(), citizen).let { ac.assert { canCreate(it, citizenOrNull) } val c = repo.upsert(it) ?: error("Unable to create Constitution") diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/article/FollowArticle.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/article/FollowArticle.kt index e9fbfc6..f9d82e4 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/article/FollowArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/article/FollowArticle.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowArticleRepository import fr.dcproject.component.follow.database.FollowForUpdate @@ -25,6 +26,7 @@ object FollowArticle { fun Route.followArticle(repo: FollowArticleRepository, ac: FollowAccessControl) { post { + mustBeAuth() val follow = FollowForUpdate(target = it.article, createdBy = this.citizen) ac.assert { canCreate(follow, citizenOrNull) } repo.follow(follow) diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/article/GetMyFollowsArticle.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/article/GetMyFollowsArticle.kt index 29aa22b..ea40bec 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/article/GetMyFollowsArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/article/GetMyFollowsArticle.kt 
@@ -3,6 +3,7 @@ package fr.dcproject.component.follow.routes.article import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowArticleRepository @@ -25,6 +26,7 @@ object GetMyFollowsArticle { fun Route.getMyFollowsArticle(repo: FollowArticleRepository, ac: FollowAccessControl) { get { + mustBeAuth() val follows = repo.findByCitizen(it.citizen) ac.assert { canView(follows.result, citizenOrNull) } call.respond( diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/article/UnfollowArticle.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/article/UnfollowArticle.kt index bf33cec..e90b797 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/article/UnfollowArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/article/UnfollowArticle.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowArticleRepository import fr.dcproject.component.follow.database.FollowForUpdate @@ -25,6 +26,7 @@ object UnfollowArticle { fun Route.unfollowArticle(repo: FollowArticleRepository, ac: FollowAccessControl) { delete { + mustBeAuth() val follow = FollowForUpdate(target = it.article, createdBy = this.citizen) ac.assert { canDelete(follow, citizenOrNull) } repo.unfollow(follow) 
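Review bot: `repo.findByCitizen(it.citizen)` loads follows for a citizen taken from the request (`it.citizen`) rather than for the authenticated `citizen`, so for a route named "get my follows" the ownership check rests entirely on `ac.assert { canView(follows.result, citizenOrNull) }` after the query has already run. GetMyOpinionsArticle.kt in the same patch queries with the authenticated `citizen` directly; if `it.citizen` here is a client-supplied reference, `val follows = repo.findByCitizen(citizen)` would remove the lookup-by-another-id path and match that sibling. The same pattern appears in GetMyFollowsConstitution.kt. How `it.citizen` is bound is not visible in the hunk, so this needs confirming against the route's parameter class.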
diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/FollowConstitution.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/FollowConstitution.kt index debfbab..cba056c 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/FollowConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/FollowConstitution.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.follow.routes.constitution import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.constitution.database.ConstitutionRef import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowConstitutionRepository @@ -25,6 +26,7 @@ object FollowConstitution { fun Route.followConstitution(repo: FollowConstitutionRepository, ac: FollowAccessControl) { post { + mustBeAuth() val follow = FollowForUpdate(target = it.constitution, createdBy = this.citizen) ac.assert { canCreate(follow, citizenOrNull) } repo.follow(follow) diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/GetMyFollowsConstitution.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/GetMyFollowsConstitution.kt index bc398f2..6a11a2e 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/GetMyFollowsConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/GetMyFollowsConstitution.kt 
@@ -3,6 +3,7 @@ package fr.dcproject.component.follow.routes.constitution import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowConstitutionRepository @@ -25,6 +26,7 @@ object GetMyFollowsConstitution { fun Route.getMyFollowsConstitution(repo: FollowConstitutionRepository, ac: FollowAccessControl) { get { + mustBeAuth() val follows = repo.findByCitizen(it.citizen) ac.assert { canView(follows.result, citizenOrNull) } call.respond( diff --git a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/UnfollowConstitution.kt b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/UnfollowConstitution.kt index 7f2f6fe..f892e3c 100644 --- a/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/UnfollowConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/follow/routes/constitution/UnfollowConstitution.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.follow.routes.constitution import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.constitution.database.ConstitutionRef import fr.dcproject.component.follow.FollowAccessControl import fr.dcproject.component.follow.database.FollowConstitutionRepository @@ -25,6 +26,7 @@ object UnfollowConstitution { fun Route.unfollowConstitution(repo: FollowConstitutionRepository, ac: FollowAccessControl) { delete { + mustBeAuth() val follow = FollowForUpdate(target = it.constitution, createdBy = this.citizen) ac.assert { canDelete(follow, citizenOrNull) } repo.unfollow(follow) 
diff --git a/src/main/kotlin/fr/dcproject/component/opinion/routes/GetCitizenOpinions.kt b/src/main/kotlin/fr/dcproject/component/opinion/routes/GetCitizenOpinions.kt index f330ce8..3857944 100644 --- a/src/main/kotlin/fr/dcproject/component/opinion/routes/GetCitizenOpinions.kt +++ b/src/main/kotlin/fr/dcproject/component/opinion/routes/GetCitizenOpinions.kt @@ -5,6 +5,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.common.utils.toUUID import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.opinion.OpinionAccessControl import fr.dcproject.component.opinion.database.Opinion @@ -31,6 +32,7 @@ object GetCitizenOpinions { fun Route.getCitizenOpinions(repo: OpinionArticleRepository, ac: OpinionAccessControl) { get { + mustBeAuth() val opinionsEntities: List> = repo.findCitizenOpinionsByTargets(it.citizen, it.id) ac.assert { canView(opinionsEntities, citizenOrNull) } diff --git a/src/main/kotlin/fr/dcproject/component/opinion/routes/GetMyOpinionsArticle.kt b/src/main/kotlin/fr/dcproject/component/opinion/routes/GetMyOpinionsArticle.kt index bfd7d20..7679ace 100644 --- a/src/main/kotlin/fr/dcproject/component/opinion/routes/GetMyOpinionsArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/opinion/routes/GetMyOpinionsArticle.kt @@ -5,6 +5,7 @@ import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.opinion.OpinionAccessControl import fr.dcproject.component.opinion.database.Opinion 
@@ -37,6 +38,7 @@ object GetMyOpinionsArticle { fun Route.getMyOpinionsArticle(repo: OpinionArticleRepository, ac: OpinionAccessControl) { get { + mustBeAuth() val opinions: Paginated> = repo.findCitizenOpinions(citizen, it.page, it.limit) ac.assert { canView(opinions.result, citizenOrNull) } call.respond( diff --git a/src/main/kotlin/fr/dcproject/component/opinion/routes/OpinionArticle.kt b/src/main/kotlin/fr/dcproject/component/opinion/routes/OpinionArticle.kt index 4d4d5b9..210671d 100644 --- a/src/main/kotlin/fr/dcproject/component/opinion/routes/OpinionArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/opinion/routes/OpinionArticle.kt @@ -6,6 +6,7 @@ import fr.dcproject.common.utils.toUUID import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.opinion.OpinionAccessControl import fr.dcproject.component.opinion.database.OpinionChoiceRef import fr.dcproject.component.opinion.database.OpinionForUpdate @@ -34,6 +35,7 @@ object OpinionArticle { fun Route.setOpinionOnArticle(repo: OpinionArticleRepository, ac: OpinionAccessControl) { put { + mustBeAuth() call.receiveOrBadRequest().ids.map { id -> OpinionForUpdate( choice = OpinionChoiceRef(id), diff --git a/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotes.kt b/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotes.kt index 9524a29..d4920ee 100644 --- a/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotes.kt +++ b/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotes.kt 
@@ -4,6 +4,7 @@ import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.common.utils.toUUID import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.vote.VoteAccessControl import fr.dcproject.component.vote.database.VoteRepository @@ -26,6 +27,7 @@ object GetCitizenVotes { fun Route.getCitizenVote(repo: VoteRepository, ac: VoteAccessControl) { get { + mustBeAuth() val votes = repo.findCitizenVotesByTargets(it.citizen, it.id) if (votes.isNotEmpty()) { ac.assert { canView(votes, citizenOrNull) } diff --git a/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotesOnArticle.kt b/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotesOnArticle.kt index 5328f1f..d8b5654 100644 --- a/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotesOnArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/vote/routes/GetCitizenVotesOnArticle.kt @@ -3,6 +3,7 @@ package fr.dcproject.component.vote.routes import fr.dcproject.common.response.toOutput import fr.dcproject.common.security.assert import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.citizen.database.CitizenRef import fr.dcproject.component.vote.VoteAccessControl import fr.dcproject.component.vote.database.VoteArticleRepository @@ -31,6 +32,7 @@ object GetCitizenVotesOnArticle { fun Route.getCitizenVotesOnArticle(repo: VoteArticleRepository, ac: VoteAccessControl) { get { + mustBeAuth() val votes = repo.findByCitizen(it.citizen, it.page, it.limit) ac.assert { canView(votes.result, citizenOrNull) } diff --git a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnArticle.kt b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnArticle.kt index 85212ad..8f45229 100644 
--- a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnArticle.kt +++ b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnArticle.kt @@ -6,6 +6,7 @@ import fr.dcproject.component.article.database.ArticleRef import fr.dcproject.component.article.database.ArticleRepository import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.vote.VoteAccessControl import fr.dcproject.component.vote.database.VoteArticleRepository import fr.dcproject.component.vote.database.VoteForUpdate @@ -29,6 +30,7 @@ object PutVoteOnArticle { fun Route.putVoteOnArticle(repo: VoteArticleRepository, ac: VoteAccessControl, articleRepo: ArticleRepository) { put { + mustBeAuth() val input = call.receiveOrBadRequest() val article = articleRepo.findById(it.article.id) ?: throw NotFoundException("Article ${it.article.id} not found") val vote = VoteForUpdate( diff --git a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnComment.kt b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnComment.kt index 6d65e4e..8884047 100644 --- a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnComment.kt +++ b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnComment.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.comment.generic.database.CommentRepository import fr.dcproject.component.vote.VoteAccessControl import fr.dcproject.component.vote.database.VoteCommentRepository 
@@ -26,6 +27,7 @@ object PutVoteOnComment { fun Route.putVoteOnComment(voteCommentRepo: VoteCommentRepository, commentRepo: CommentRepository, ac: VoteAccessControl) { put { + mustBeAuth() val comment = commentRepo.findById(it.comment)!! val content = call.receiveOrBadRequest() val vote = VoteForUpdate( diff --git a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnConstitution.kt b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnConstitution.kt index c643e57..03c30ec 100644 --- a/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnConstitution.kt +++ b/src/main/kotlin/fr/dcproject/component/vote/routes/PutVoteOnConstitution.kt @@ -4,6 +4,7 @@ import fr.dcproject.common.security.assert import fr.dcproject.common.utils.receiveOrBadRequest import fr.dcproject.component.auth.citizen import fr.dcproject.component.auth.citizenOrNull +import fr.dcproject.component.auth.mustBeAuth import fr.dcproject.component.constitution.database.ConstitutionRef import fr.dcproject.component.constitution.database.ConstitutionRepository import fr.dcproject.component.vote.VoteAccessControl @@ -30,6 +31,7 @@ object PutVoteOnConstitution { fun Route.voteConstitution(repo: VoteConstitutionRepository, ac: VoteAccessControl, constitutionRepo: ConstitutionRepository) { put { + mustBeAuth() val constitution = constitutionRepo.findById(it.constitution.id) ?: throw NotFoundException("Unable to find constitution ${it.constitution.id}") val content = call.receiveOrBadRequest() val vote = VoteForUpdate( diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/CreateWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/CreateWorkgroup.kt index e97128e..4c7f2b1 100644 --- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/CreateWorkgroup.kt +++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/CreateWorkgroup.kt 
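Review bot: `val comment = commentRepo.findById(it.comment)!!` turns a vote on a nonexistent or attacker-chosen comment id into a NullPointerException (a 500) instead of a 404, while PutVoteOnArticle.kt and PutVoteOnConstitution.kt in this patch handle the same lookup with `?: throw NotFoundException(...)`. Changing it to `val comment = commentRepo.findById(it.comment) ?: throw NotFoundException("Comment ${it.comment} not found")` matches those siblings, provided `NotFoundException` is imported in this file as it is there. The `put` body continues after the end of the hunk.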
@@ -5,6 +5,7 @@ import fr.dcproject.common.security.assert
 import fr.dcproject.common.utils.receiveOrBadRequest
 import fr.dcproject.component.auth.citizen
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupForUpdate
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
@@ -33,6 +34,7 @@ object CreateWorkgroup {
 fun Route.createWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 post {
+ mustBeAuth()
 call.receiveOrBadRequest().run {
 WorkgroupForUpdate(
 id ?: UUID.randomUUID(),
diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/DeleteWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/DeleteWorkgroup.kt
index 17fbdcd..cb6788d 100644
--- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/DeleteWorkgroup.kt
+++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/DeleteWorkgroup.kt
@@ -2,6 +2,7 @@ package fr.dcproject.component.workgroup.routes
 import fr.dcproject.common.security.assert
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
 import io.ktor.application.call
@@ -20,6 +21,7 @@ object DeleteWorkgroup {
 fun Route.deleteWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 delete {
+ mustBeAuth()
 repo.findById(it.workgroupId)?.let { workgroup ->
 ac.assert { canDelete(workgroup, citizenOrNull) }
 repo.delete(workgroup)
diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/EditWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/EditWorkgroup.kt
index b4c61f0..4d96298 100644
--- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/EditWorkgroup.kt
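Review bot: `id ?: UUID.randomUUID()` in `createWorkgroup` lets the caller pick the new workgroup's primary key, so the identity of a freshly created row is partly client-controlled. If the repository's save is an upsert (the shared `WorkgroupForUpdate` type hints that create and edit go through the same path, but `WorkgroupRepository` is not in view), an authenticated citizen could collide with or overwrite an existing workgroup they do not own, sidestepping whatever `EditWorkgroup` and `DeleteWorkgroup` assert. Either ignore the supplied id and always generate one server-side, or reject the request when `repo.findById(id)` already returns a row. The hunk ends before the access-control assertion and the save call, so I cannot see whether such a pre-existence check already happens further down.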
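Review bot: In `deleteWorkgroup`, once `mustBeAuth()` has run the principal is present (assuming the helper throws when it is not), so `ac.assert { canDelete(workgroup, citizenOrNull) }` should pass `citizen` rather than `citizenOrNull`: the nullable accessor implies `canDelete` still carries an anonymous branch, and if that branch can ever answer true, the new guard is the only thing between an anonymous caller and `repo.delete(workgroup)`. Using the non-null accessor lets the type system carry the invariant the guard establishes and makes a dropped guard a compile-time error instead of a silent policy change. The same `citizenOrNull` pattern recurs in the workgroup member routes further down the diff.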
+++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/EditWorkgroup.kt
@@ -3,6 +3,7 @@ package fr.dcproject.component.workgroup.routes
 import fr.dcproject.common.security.assert
 import fr.dcproject.common.utils.receiveOrBadRequest
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupForUpdate
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
@@ -31,6 +32,7 @@ object EditWorkgroup {
 fun Route.editWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 put {
+ mustBeAuth()
 repo.findById(it.workgroupId)?.let { old ->
 call.receiveOrBadRequest().run {
 WorkgroupForUpdate(
diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/AddMemberToWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/AddMemberToWorkgroup.kt
index dd73f81..add4574 100644
--- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/AddMemberToWorkgroup.kt
+++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/AddMemberToWorkgroup.kt
@@ -3,6 +3,7 @@ package fr.dcproject.component.workgroup.routes.members
 import fr.dcproject.common.security.assert
 import fr.dcproject.common.utils.receiveOrBadRequest
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.citizen.database.CitizenRef
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
@@ -44,6 +45,7 @@ object AddMemberToWorkgroup {
 fun Route.addMemberToWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 /* Add members to workgroup */
 post {
+ mustBeAuth()
 repo.findById(it.workgroupId)?.let { workgroup ->
 call.getMembersFromRequest().let { members ->
 ac.assert { canAddMembers(workgroup, citizenOrNull) }
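Review bot: In `addMemberToWorkgroup` the untrusted member list is deserialized (`call.getMembersFromRequest()`) before the authorization check `ac.assert { canAddMembers(workgroup, citizenOrNull) }` runs, so parsing work — and any parse-error response — is spent on callers the route is about to refuse, even though nothing in the payload influences the decision. Move the assertion directly after the `findById` lookup and read the body only once the caller is authorized: `ac.assert { canAddMembers(workgroup, citizen) }` followed by `call.getMembersFromRequest().let { members ->`. The same parse-then-assert order appears in `updateMemberOfWorkgroup` later in the diff; both handlers continue beyond their hunks.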
diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/DeleteMembersOfWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/DeleteMembersOfWorkgroup.kt
index fb22715..daf93b1 100644
--- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/DeleteMembersOfWorkgroup.kt
+++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/DeleteMembersOfWorkgroup.kt
@@ -3,6 +3,7 @@ package fr.dcproject.component.workgroup.routes.members
 import fr.dcproject.common.security.assert
 import fr.dcproject.common.utils.receiveOrBadRequest
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.citizen.database.CitizenRef
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
@@ -35,6 +36,7 @@ object DeleteMembersOfWorkgroup {
 fun Route.deleteMemberOfWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 /* Delete members of workgroup */
 delete {
+ mustBeAuth()
 repo.findById(it.workgroupId)?.let { workgroup ->
 call.getMembersFromRequest()
 .let { members ->
diff --git a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/UpdateMemberOfWorkgroup.kt b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/UpdateMemberOfWorkgroup.kt
index b36a2b3..885a789 100644
--- a/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/UpdateMemberOfWorkgroup.kt
+++ b/src/main/kotlin/fr/dcproject/component/workgroup/routes/members/UpdateMemberOfWorkgroup.kt
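Review bot: `deleteMemberOfWorkgroup` takes the set of members to remove from `call.getMembersFromRequest()` inside a `delete {` handler; if that helper reads the request body (the `receiveOrBadRequest` import in this file suggests it does, but the helper is not in view), the route depends on a DELETE payload, which has no defined semantics in HTTP and which some proxies, load balancers and clients drop or refuse. Carrying the member ids in the path or query string, or exposing the operation as a POST sub-resource, keeps the route from silently turning into a no-op behind such an intermediary. The authorization assertion for this handler lies outside the hunk, so I cannot confirm it precedes the deletion.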
@@ -3,6 +3,7 @@ package fr.dcproject.component.workgroup.routes.members
 import fr.dcproject.common.security.assert
 import fr.dcproject.common.utils.receiveOrBadRequest
 import fr.dcproject.component.auth.citizenOrNull
+import fr.dcproject.component.auth.mustBeAuth
 import fr.dcproject.component.citizen.database.CitizenRef
 import fr.dcproject.component.workgroup.WorkgroupAccessControl
 import fr.dcproject.component.workgroup.database.WorkgroupRepository
@@ -42,6 +43,7 @@ object UpdateMemberOfWorkgroup {
 fun Route.updateMemberOfWorkgroup(repo: WorkgroupRepository, ac: WorkgroupAccessControl) {
 /* Update members of workgroup */
 put {
+ mustBeAuth()
 repo.findById(it.workgroupId)?.let { workgroup ->
 call.getMembersFromRequest().let { members ->
 ac.assert { canUpdateMembers(workgroup, citizenOrNull) }
diff --git a/src/test/kotlin/integration/Comment articles routes.kt b/src/test/kotlin/integration/Comment articles routes.kt
index 74e8107..6c7c00e 100644
--- a/src/test/kotlin/integration/Comment articles routes.kt
+++ b/src/test/kotlin/integration/Comment articles routes.kt
@@ -84,6 +84,7 @@ class `Comment articles routes` : BaseTest() {
 `Given I have article`(id = "17df7fb9-b388-4e20-ab19-29c29972da01", createdBy = Name("Erwin", "Schrodinger"))
 `Given I have comment on article`(article = "17df7fb9-b388-4e20-ab19-29c29972da01", createdBy = Name("Erwin", "Schrodinger"))
 `When I send a GET request`("/citizens/292a20cc-4a60-489e-9866-a95d38ffaf47/comments/articles") {
+ `authenticated as`("Erwin", "Schrodinger")
 } `Then the response should be` OK and {
 `And the response should not be null`()
 `And the response should contain`("$.currentPage", 1)
diff --git a/src/test/kotlin/integration/Comment constitutions routes.kt b/src/test/kotlin/integration/Comment constitutions routes.kt
index 8af64ed..f887ce1 100644
--- a/src/test/kotlin/integration/Comment constitutions routes.kt
+++ b/src/test/kotlin/integration/Comment constitutions routes.kt
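Review bot: Adding `` `authenticated as`("Erwin", "Schrodinger") `` only makes the existing happy-path test pass again; nothing in the test changes asserts the behaviour this commit exists to introduce, namely that the same GET without `authenticated as` is refused. A sibling case that sends the request unauthenticated and expects the status `mustBeAuth()` produces (the helper is not in view, so I cannot name it) would turn the guard into a regression test for this route, and ideally one such case per handler touched. Without it, a future edit that drops `mustBeAuth()` from a handler passes CI unnoticed. The enclosing test class continues outside the hunk.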
@@ -50,6 +50,7 @@ class `Comment constitutions routes` : BaseTest() {
 `Given I have constitution`(id = "34ddd50a-da00-4a90-a869-08baa2a121be", createdBy = Name("Charles", "Darwin"))
 `Given I have comment on constitution`(constitution = "34ddd50a-da00-4a90-a869-08baa2a121be", createdBy = Name("Charles", "Darwin"))
 `When I send a GET request`("/citizens/46e0bda9-ca6a-4c65-a58b-7e7267a0bbc5/comments/constitutions") {
+ `authenticated as`("Charles", "Darwin")
 } `Then the response should be` OK and {
 `And the response should not be null`()
 `And the response should contain`("$.currentPage", 1)
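Review bot: The test authenticates as Charles Darwin yet lists the constitution comments of citizen `46e0bda9-ca6a-4c65-a58b-7e7267a0bbc5`, and nothing visible ties that id to Darwin, so the test now documents — perhaps unintentionally — that any authenticated citizen may read any other citizen's comment list; the route in GetCitizenCommentConstitution.kt (in the diffstat, not in view) gained authentication in this commit, not authorization. If that is the intended policy, say so in the test name or a comment such as `// any authenticated citizen may list another citizen's comments` so the choice is deliberate; if not, the route needs an ownership or visibility check in addition to `mustBeAuth()`. A negative case expecting rejection of the unauthenticated request is also missing. The enclosing test class continues outside the hunk.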