added authenticaion check on get fridge endpoints

5135cfa9 · Birk Øvstetun Narvhus · bbf72c7c · 5135cfa9 · 5135cfa9
Commit 5135cfa9 authored 1 year ago by Birk Øvstetun Narvhus
--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeController.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeController.java
@@ -7,6 +7,7 @@ import ntnu.idatt2016.v233.SmartMat.entity.fridgeProduct.FridgeProductAsso;
 import ntnu.idatt2016.v233.SmartMat.entity.group.Fridge;
 import ntnu.idatt2016.v233.SmartMat.entity.product.Product;
 import ntnu.idatt2016.v233.SmartMat.service.group.FridgeService;
+import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -18,9 +19,9 @@ import java.util.Optional;
 /**
 * Controller for fridges API, providing endpoints for fridge management
 *
- * @author Anders Austlid
- * @version 1.0
- * @since 24.04.2023
+ * @author Anders Austlid & Birk
+ * @version 2.0
+ * @since 3.05.2023
 */
 @AllArgsConstructor
 @RestController
@@ -32,25 +33,39 @@ public class FridgeController {

    /**
     * Gets the fridge of a group
-     * @param groupId the id of the group
-     *                group must exist
-     * @return the fridge of the group if it exists, or a 404 if it doesn't
+     * @param groupId the id of the group must exist
+     * @return the fridge of the group if it exists, or a 404 if it doesn't exist or the user is not in the group
     */
    @GetMapping("/group/{groupId}")
-    public ResponseEntity<Fridge> getFridgeByGroupId(@PathVariable("groupId") long groupId) {
-        return fridgeService.getFridgeByGroupId(groupId)
-                .map(ResponseEntity::ok)
-                .orElseGet(() -> ResponseEntity.notFound().build());
+    public ResponseEntity<Fridge> getFridgeByGroupId(@PathVariable("groupId") long groupId, Authentication authentication) {
+        Optional<Fridge> fridge = fridgeService.getFridgeByGroupId(groupId);
+
+        if (fridge.isEmpty()) {
+            return ResponseEntity.notFound().build();
+        }
+
+        if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId())
+                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
+
+        return fridge.map(ResponseEntity::ok).get();
    }


    /**
     * Gets the fridge by its fridge id
     * @param fridgeId the id of the fridge
-     * @return the fridge if it exists, or a 404 if it doesn't
+     * @return the fridge if it exists, or a 404 if it doesn't, or a 403 if the user is not in the fridge
     */
    @GetMapping("/fridge/{fridgeId}")
-    public ResponseEntity<Fridge> getFridgeByFridgeId(@PathVariable("fridgeId") long fridgeId) {
+    public ResponseEntity<Fridge> getFridgeByFridgeId(@PathVariable("fridgeId") long fridgeId,
+                                                      Authentication authentication) {
+        if (!fridgeService.isUserInFridge(authentication.getName(), fridgeId)
+                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
+
        return fridgeService.getFridgeByFridgeId(fridgeId)
                .map(ResponseEntity::ok)
                .orElseGet(() -> ResponseEntity.notFound().build());

--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/service/group/FridgeService.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/service/group/FridgeService.java
@@ -223,4 +223,16 @@ public class FridgeService {
        return fridge.map(value -> value.getGroup().getUser().stream()
                .anyMatch(user -> user.getUser().getUsername().equals(username))).orElse(false);
    }
+
+    /**
+     * check if user has accsess to fridge
+     * @param username the username of the user
+     * @param fridgeId the id of the fridge
+     * @return true if the user is in the group of the fridge
+     */
+    public boolean isUserInFridge(String username, long fridgeId) {
+        Optional<Fridge> fridge = fridgeRepository.findById(fridgeId);
+        return fridge.map(value -> value.getGroup().getUser().stream()
+                .anyMatch(user -> user.getUser().getUsername().equals(username))).orElse(false);
+    }
 }