fixed auth on fridge and shoppinglist

src/main/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListController.java

@@ -50,9 +50,11 @@ public class ShoppingListController {
      */
     @GetMapping("/{id}")
     public ResponseEntity<ShoppingList> getShoppingListById(@PathVariable("id") long id, Authentication auth) {
-        if(!shoppingListService.isUserInShoppinglist(id, auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(id, auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+        }
 
         Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(id);
         return shoppingList.map(list -> ResponseEntity.status(HttpStatus.OK).body(list))
@@ -67,9 +69,11 @@ public class ShoppingListController {
      */
     @GetMapping("/group/{groupId}")
     public ResponseEntity<ShoppingList> getAllShoppingListsByGroupId(@PathVariable("groupId") long id, Authentication auth) {
-        if(!groupService.isUserAssociatedWithGroup(auth.getName(), id) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!groupService.isUserAssociatedWithGroup(auth.getName(), id)){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+        }
 
         Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListByGroupId(id);
         return shoppingList.map(list -> ResponseEntity.status(HttpStatus.OK).body(list))
@@ -87,9 +91,19 @@ public class ShoppingListController {
     public ResponseEntity<?> addItemToShoppingList(@PathVariable("shoppingListId") long shoppingListId,
                                                               @PathVariable("ean") String ean, Authentication auth){
 
-        if(!shoppingListService.isUserInShoppinglist(shoppingListId, auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(shoppingListId, auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+            long groupId = shoppingListService.getGroupIdByShoppingListId(shoppingListId);
+
+            if(groupId == -1)
+                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+
+            if (groupService.getUserGroupAssoAuthority(auth.getName(), groupId).equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+
+        }
 
         Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(shoppingListId);
 
@@ -142,9 +156,20 @@ public class ShoppingListController {
     public ResponseEntity<ShoppingList> removeProductFromShoppingList(@PathVariable("shoppingListId") String shoppingListId,
                                                                       @PathVariable("ean") String ean, Authentication auth) {
 
-        if(!shoppingListService.isUserInShoppinglist(Long.parseLong(shoppingListId), auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(Long.parseLong(shoppingListId), auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+            long groupId = shoppingListService.getGroupIdByShoppingListId(Long.parseLong(shoppingListId));
+
+            if(groupId == -1)
+                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+
+            if (groupService.getUserGroupAssoAuthority(auth.getName(), groupId).equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+
+        }
+
 
 
         Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(Long.parseLong(shoppingListId));

src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeController.java

@@ -7,6 +7,7 @@ import ntnu.idatt2016.v233.SmartMat.entity.fridgeProduct.FridgeProductAsso;
 import ntnu.idatt2016.v233.SmartMat.entity.group.Fridge;
 import ntnu.idatt2016.v233.SmartMat.entity.product.Product;
 import ntnu.idatt2016.v233.SmartMat.service.group.FridgeService;
+import ntnu.idatt2016.v233.SmartMat.service.group.GroupService;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
@@ -21,7 +22,7 @@ import java.util.Optional;
  *
  * @author Anders Austlid & Birk
  * @version 2.0
- * @since 3.05.2023
+ * @since 5.05.2023
  */
 @AllArgsConstructor
 @RestController
@@ -30,6 +31,8 @@ public class FridgeController {
 
     private final FridgeService fridgeService;
 
+    private final GroupService groupService;
+
 
     /**
      * Gets the fridge of a group
@@ -87,10 +90,10 @@ public class FridgeController {
         if (fridge.isEmpty()) {
             return ResponseEntity.notFound().build();
         }
-
-        if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId()) &&
-                !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId())) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
         }
 
         try {
@@ -116,11 +119,15 @@ public class FridgeController {
             return ResponseEntity.notFound().build();
         }
 
-        if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId()) &&
-                !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-        }
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId())) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
 
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(), request.groupId())
+                    .equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
 
         return fridgeService.updateProductInFridge(request).map(ResponseEntity::ok).orElseGet(()-> ResponseEntity.notFound().build());
     }
@@ -137,9 +144,16 @@ public class FridgeController {
                                                        @PathVariable("amount") String amountStr, Authentication authentication) {
 
 
-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-        && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                    fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+                   )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
         }
 
         try {
@@ -167,9 +181,16 @@ public class FridgeController {
     public ResponseEntity<String> removeProductFromFridge(@PathVariable("fridgeProductId") long fridgeProductId,
                                                           Authentication authentication) {
 
-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                            fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+            )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
         }
 
         try {
@@ -193,9 +214,16 @@ public class FridgeController {
     @DeleteMapping("/waste/product/{fridgeProductId}")
     public ResponseEntity<?> wasteProductFromFridge(@PathVariable("fridgeProductId") long fridgeProductId,
                                                     Authentication authentication){
-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                            fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+            )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
         }
 
         return fridgeService.wasteProductFromFridge(fridgeProductId)

src/main/java/ntnu/idatt2016/v233/SmartMat/service/ShoppingListService.java

@@ -117,4 +117,14 @@ public class ShoppingListService {
                 .anyMatch(shoppingList -> shoppingList.getShoppingListID() == id);
 
     }
+
+    /**
+     * Get group id by shoppinglist id
+     * @param shoppinglistId id of shoppinglist
+     * @return id of group
+     */
+    public long getGroupIdByShoppingListId(long shoppinglistId){
+        return shoppingListRepository.findById(shoppinglistId).map(shoppingList -> shoppingList.getGroup().getGroupId())
+                .orElse(-1L);
+    }
 }

src/main/java/ntnu/idatt2016/v233/SmartMat/service/group/FridgeService.java

@@ -28,7 +28,7 @@ import java.util.Optional;
  *
  * @author Anders Austlid & Birk
  * @version 2
- * @since 04.05.2023
+ * @since 05.05.2023
  */
 @AllArgsConstructor
 @Service
@@ -207,4 +207,16 @@ public class FridgeService {
         return fridge.map(value -> value.getGroup().getUser().stream()
                 .anyMatch(user -> user.getUser().getUsername().equals(username))).orElse(false);
     }
+
+
+    /**
+     * Get the group id of a fridge product
+     * @param fridgeProductId the id of the fridge product
+     * @return the id of the group of the fridge product
+     */
+    public long getGroupIdFromFridgeProuctId(long fridgeProductId){
+        return fridgeProductAssoRepo.findById(fridgeProductId)
+                .map(fridgeProductAsso -> fridgeProductAsso.getFridgeId().getGroup().getGroupId()).orElse(0L);
+
+    }
 }

src/test/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListControllerTest.java

@@ -265,6 +265,10 @@ public class ShoppingListControllerTest {
         when(shoppingListService.addProductToShoppingList(ean, shoppingListId))
                 .thenReturn(Optional.of(shoppingList));
 
+        when(shoppingListService.getGroupIdByShoppingListId(shoppingListId)).thenReturn(groupId);
+
+        when(groupService.getUserGroupAssoAuthority(eq(regularUser.getName()), eq(groupId))).thenReturn("USER");
+
         when(userService.getUserFromUsername(regularUser.getName())).thenReturn(Optional.of(user));
 
         ResponseEntity<?> response = shoppingListController.addItemToShoppingList(shoppingListId, String.valueOf(ean), regularUser);
@@ -317,6 +321,12 @@ public class ShoppingListControllerTest {
         when(shoppingListService.removeProductFromShoppingList(ean, shoppingListId))
                 .thenReturn(Optional.of(shoppingList));
 
+        when(shoppingListService.getGroupIdByShoppingListId(shoppingListId)).thenReturn(groupId);
+
+        when(groupService.getUserGroupAssoAuthority(eq(regularUser.getName()), eq(groupId))).thenReturn("USER");
+
+
+
 
         ResponseEntity<?> response = shoppingListController.removeProductFromShoppingList(String.valueOf(shoppingListId),
                 String.valueOf(ean), regularUser);

src/test/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeControllerTest.java

@@ -239,9 +239,10 @@ public class FridgeControllerTest {
         when(fridgeService.addProductToFridge(any(FridgeProductRequest.class))).thenReturn(Optional.empty( ));
 
         when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+        when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);
 
 
-        ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, adminUser);
+        ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, regularUser);
 
         verify(fridgeService).isUserInFridge("test", 0L);