From a118af7a6e6e525352856f4d44fcec319d577555 Mon Sep 17 00:00:00 2001
From: birkon <birkon@stud.ntnu.no>
Date: Wed, 3 May 2023 15:11:10 +0200
Subject: [PATCH] fixed authentication on get user endpoint

---
 .../v233/SmartMat/controller/user/UserController.java      | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/user/UserController.java b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/user/UserController.java
index 15290417..c591bc54 100644
--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/user/UserController.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/user/UserController.java
@@ -91,7 +91,12 @@ public class UserController {
      * @return The user with the given username.
      */
     @GetMapping("/get/{username}")
-    public ResponseEntity<User> getUser(@PathVariable String username) {
+    public ResponseEntity<User> getUser(@PathVariable String username, Authentication authentication) {
+        if (!username.equals(authentication.getName()) &&
+                !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name())))
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+
+
         return userService.getUserFromUsername(username)
                 .map(user -> {
                     user.setPassword(null);
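Review bot: The new guard dereferences `authentication` without a null check, so if this mapping is ever reachable without an authenticated principal (depends on the security configuration, which is not in the hunk) the request fails with a NullPointerException instead of a clean rejection; a leading `if (authentication == null) { return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build(); }` makes the contract explicit regardless of filter-chain ordering. The admin check also relies on `Authority.ADMIN.name()` being byte-identical to the granted-authority string (e.g. no `ROLE_` prefix), and `username.equals(...)` is case-sensitive while path variables may not be — worth confirming both against how authorities and usernames are stored. Stylistically the multi-line `if` should be braced rather than a bare single statement. The Javadoc above the method should gain `@param authentication the caller's security context; the user may only fetch their own record unless they hold ADMIN` and a note that a 403 is returned otherwise. getUser's body continues past the end of the hunk.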
-- 
GitLab