feature #8: Add security for Vote Article

2019-08-30 14:34:24 +02:00
parent 3e21884b38
commit d1999d84ca
5 changed files with 77 additions and 13 deletions
--- a/src/main/kotlin/fr/dcproject/security/voter/ArticleVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/ArticleVoter.kt
@@ -3,6 +3,7 @@ package fr.dcproject.security.voter
 import fr.dcproject.entity.User
 import io.ktor.application.ApplicationCall
 import fr.dcproject.entity.Article as ArticleEntity
+import fr.dcproject.entity.Vote as VoteEntity

 class ArticleVoter: Voter {
    enum class Action: ActionI {
@@ -13,12 +14,13 @@ class ArticleVoter: Voter {
    }

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
-        return (action is Action || action is CommentVoter.Action) && subject is Article?
+        return (action is Action || action is CommentVoter.Action || action is VoteVoter.Action)
+                && subject is ArticleEntity?
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
        val user = call.user
-        if (action == Action.CREATE && user != null) {
+        if (action == Action.CREATE && user is User) {
            return Vote.GRANTED
        }

@@ -34,12 +36,26 @@ class ArticleVoter: Voter {
            return Vote.GRANTED
        }

-        if (action == Action.DELETE && user is User && subject is ArticleEntity && subject.createdBy?.userId == user.id) {
-            return Vote.GRANTED
+        if (subject is ArticleEntity) {
+            if (action == Action.DELETE && user is User && subject.createdBy?.userId == user.id) {
+                return Vote.GRANTED
+            }
+
+            if (action == Action.UPDATE && user is User && subject.createdBy?.userId == user.id) {
+                return Vote.GRANTED
+            }
+
+            return Vote.DENIED
        }

-        if (action == Action.UPDATE && user is User && subject is ArticleEntity && subject.createdBy?.userId == user.id) {
-            return Vote.GRANTED
+        if (action == VoteVoter.Action.CREATE && subject is VoteEntity<*>) {
+            val target = subject.target
+            if (target !is ArticleEntity) {
+                return Vote.ABSTAIN
+            }
+            if (target.isDeleted()) {
+                return Vote.DENIED
+            }
        }

        if (action is Action) {
--- a/src/main/kotlin/fr/dcproject/security/voter/ConstitutionVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/ConstitutionVoter.kt
@@ -1,8 +1,9 @@
 package fr.dcproject.security.voter

-import fr.dcproject.entity.Constitution
 import fr.dcproject.entity.User
 import io.ktor.application.ApplicationCall
+import fr.dcproject.entity.Constitution as ConstitutionEntity
+import fr.dcproject.entity.Vote as VoteEntity

 class ConstitutionVoter: Voter {
    enum class Action: ActionI {
@@ -13,7 +14,7 @@ class ConstitutionVoter: Voter {
    }

    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
-        return (action is Action || action is CommentVoter.Action) && subject is Constitution?
+        return (action is Action || action is CommentVoter.Action) && subject is ConstitutionEntity?
    }

    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
@@ -34,14 +35,28 @@ class ConstitutionVoter: Voter {
            return Vote.GRANTED
        }

-        if (action == Action.DELETE && user is User && subject is Constitution && subject.createdBy?.userId == user.id) {
+        if (action == Action.DELETE && user is User && subject is ConstitutionEntity && subject.createdBy?.userId == user.id) {
            return Vote.GRANTED
        }

-        if (action == Action.UPDATE && user is User && subject is Constitution && subject.createdBy?.userId == user.id) {
+        if (action == Action.UPDATE && user is User && subject is ConstitutionEntity && subject.createdBy?.userId == user.id) {
            return Vote.GRANTED
        }

+        if (action == VoteVoter.Action.CREATE && subject is VoteEntity<*>) {
+            val target = subject.target
+            if (target !is ConstitutionEntity) {
+                return Vote.ABSTAIN
+            }
+            if (target.isDeleted()) {
+                return Vote.DENIED
+            }
+        }
+
+        if (action is Action) {
+            return Vote.DENIED
+        }
+
        return Vote.ABSTAIN
    }
 }
--- a/src/main/kotlin/fr/dcproject/security/voter/VoteVoter.kt
+++ b/src/main/kotlin/fr/dcproject/security/voter/VoteVoter.kt
@@ -0,0 +1,28 @@
+package fr.dcproject.security.voter
+
+import io.ktor.application.ApplicationCall
+import fr.dcproject.entity.Vote as VoteEntity
+
+class VoteVoter: Voter {
+    enum class Action: ActionI {
+        CREATE,
+        VIEW
+    }
+
+    override fun supports(action: ActionI, call: ApplicationCall, subject: Any?): Boolean {
+        return action is Action && subject is VoteEntity<*>?
+    }
+
+    override fun vote(action: ActionI, call: ApplicationCall, subject: Any?): Vote {
+        val user = call.user
+        if (action == Action.CREATE && user != null) {
+            return Vote.GRANTED
+        }
+
+        if (action == Action.VIEW) {
+            return Vote.GRANTED
+        }
+
+        return Vote.ABSTAIN
+    }
+}