From e05faab31eeaa8764cbfcecc591e19cf42ec39ee Mon Sep 17 00:00:00 2001
From: Marc Beyer
Date: Fri, 14 Jan 2022 19:59:16 +0100
Subject: [PATCH] Added auth to the /event/del endpoint

---
 .../vpr/server/controller/EventController.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/server/src/main/java/com/vpr/server/controller/EventController.java b/server/src/main/java/com/vpr/server/controller/EventController.java
index 8132ef0..853dad4 100644
--- a/server/src/main/java/com/vpr/server/controller/EventController.java
+++ b/server/src/main/java/com/vpr/server/controller/EventController.java
@@ -10,10 +10,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.*;
 import org.springframework.web.server.ResponseStatusException;
 
 import java.sql.Time;
@@ -103,7 +100,15 @@ public class EventController {
 
     @PostMapping(path = "/del")
     public @ResponseBody
-    ResponseEntity delEvent(@RequestParam Integer eventId) {
+    ResponseEntity delEvent(
+            @RequestHeader("Authorization") String authorizationHeader,
+            @RequestParam Integer eventId
+    ) {
+        User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
+        if(authUser == null || authUser.isAdmin()){
+            return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
+        }
+
         eventRepository.deleteUserEventsById(Long.valueOf(eventId));
         eventRepository.deleteById(Long.valueOf(eventId));
         return new ResponseEntity<>("", HttpStatus.OK);
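Review bot: The authorization check in the new `delEvent` body is inverted: `authUser.isAdmin()` in the reject condition turns admins away and lets every other user with a valid token reach the two delete calls, so the guard should read `if (authUser == null || !authUser.isAdmin()) {`. The token extraction `authorizationHeader.split("\\s")[1]` also throws ArrayIndexOutOfBoundsException when the header has no whitespace-separated second part, which surfaces as a 500 instead of a rejection; checking the split result has at least two parts before indexing, e.g. `String[] parts = authorizationHeader.split("\\s"); if (parts.length < 2) return new ResponseEntity<>("", HttpStatus.UNAUTHORIZED);`, keeps malformed headers on the same rejection path. Since a known but non-admin user is an authorization rather than an authentication failure, `HttpStatus.FORBIDDEN` would be the more accurate status for that branch, with UNAUTHORIZED reserved for the `authUser == null` case. The method's closing brace lies outside the hunk.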