Fixed auth
This commit is contained in:
parent
eea38d578b
commit
e3408d1566
@ -0,0 +1,18 @@
|
|||||||
|
package com.vpr.server.controller;
|
||||||
|
|
||||||
|
import com.vpr.server.data.User;
|
||||||
|
import com.vpr.server.repository.UserRepository;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.stereotype.Controller;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
|
||||||
|
public class AuthController {
|
||||||
|
|
||||||
|
public User getAuthUserFromHeader(String authorizationHeader, UserRepository userRepository){
|
||||||
|
String[] splitAuthHeader = authorizationHeader.split("\\s");
|
||||||
|
if(splitAuthHeader.length == 2){
|
||||||
|
return userRepository.findByToken(splitAuthHeader[1]);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
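Review bot: getAuthUserFromHeader never checks the authentication scheme, so any header of the form `<anything> <token>` — including one whose first element is the empty string left by a leading space — reaches `userRepository.findByToken`; if the clients send `Bearer <token>`, the guard should be `if (splitAuthHeader.length == 2 && "Bearer".equals(splitAuthHeader[0]))` (confirm the scheme the clients actually use). The class also imports `@Controller` and `@RequestMapping` without using them and is created with `new` by its caller, which is why `UserRepository` has to be threaded through as a parameter; annotating it `@Component` and injecting the repository would let Spring manage it like the rest of the controllers. A short Javadoc is missing as well, e.g. `/** Resolves the user whose token appears as the second whitespace-separated element of the Authorization header; returns null if the header has not exactly two elements or no user holds that token. */`.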
@ -21,6 +21,12 @@ public class UserController {
|
|||||||
@Autowired
|
@Autowired
|
||||||
private UserRepository userRepository;
|
private UserRepository userRepository;
|
||||||
|
|
||||||
|
private AuthController authController;
|
||||||
|
|
||||||
|
public UserController() {
|
||||||
|
this.authController = new AuthController();
|
||||||
|
}
|
||||||
|
|
||||||
/******************
|
/******************
|
||||||
* POST-ENDPOINTS *
|
* POST-ENDPOINTS *
|
||||||
******************/
|
******************/
|
||||||
@ -35,9 +41,9 @@ public class UserController {
|
|||||||
@RequestParam String password,
|
@RequestParam String password,
|
||||||
@RequestParam Boolean isAdmin
|
@RequestParam Boolean isAdmin
|
||||||
) {
|
) {
|
||||||
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
|
User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
|
||||||
if(authUser == null || authUser.isAdmin()){
|
if(authUser == null || !authUser.isAdmin()){
|
||||||
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
|
return new ResponseEntity<>( "Du hast keine Rechte um einen User an zu legen", HttpStatus.UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(userRepository.findByLogin(login) != null){
|
if(userRepository.findByLogin(login) != null){
|
||||||
@ -106,16 +112,31 @@ public class UserController {
|
|||||||
return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
|
return new ResponseEntity<>( "Falscher login", HttpStatus.UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@PostMapping(path = "/login-with-token")
|
||||||
|
public @ResponseBody ResponseEntity<String> loginWithToken(
|
||||||
|
@RequestHeader("Authorization") String authorizationHeader,
|
||||||
|
@RequestParam long userId
|
||||||
|
){
|
||||||
|
User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
|
||||||
|
if(authUser == null || authUser.getId() != userId){
|
||||||
|
return new ResponseEntity<>( "Falscher auth-token", HttpStatus.UNAUTHORIZED);
|
||||||
|
}
|
||||||
|
return new ResponseEntity<>("", HttpStatus.OK);
|
||||||
|
}
|
||||||
|
|
||||||
@PostMapping(path = "/del")
|
@PostMapping(path = "/del")
|
||||||
public @ResponseBody ResponseEntity<String> deleteUser(
|
public @ResponseBody ResponseEntity<String> deleteUser(
|
||||||
@RequestHeader("Authorization") String authorizationHeader,
|
@RequestHeader("Authorization") String authorizationHeader,
|
||||||
@RequestParam Integer userId
|
@RequestParam long userId
|
||||||
) {
|
) {
|
||||||
User authUser = userRepository.findByToken(authorizationHeader.split("\\s")[1]);
|
User authUser = authController.getAuthUserFromHeader(authorizationHeader, userRepository);
|
||||||
if(authUser == null || authUser.isAdmin()){
|
if(authUser == null || !authUser.isAdmin()){
|
||||||
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
|
return new ResponseEntity<>( "Du hast keine Rechte um den Termin zu löschen", HttpStatus.UNAUTHORIZED);
|
||||||
}
|
}
|
||||||
userRepository.deleteById(Long.valueOf(userId));
|
User user = userRepository.findById(userId);
|
||||||
|
if(user == null){
|
||||||
|
return new ResponseEntity<>( "User nicht in der Datenbank vorhanden", HttpStatus.BAD_REQUEST);
|
||||||
|
}
|
||||||
return new ResponseEntity<>( "", HttpStatus.OK);
|
return new ResponseEntity<>( "", HttpStatus.OK);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
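Review bot: The rewritten `/del` handler no longer deletes anything: the removed side called `userRepository.deleteById(Long.valueOf(userId))`, but the new side only does `User user = userRepository.findById(userId);`, a null check, and then returns `HttpStatus.OK` — all 31 new lines of the hunk are visible and none of them calls `delete`. Add `userRepository.delete(user);` between the null check and the OK return (or `deleteById(userId)` if the repository exposes it). Separately, a caller whose token is valid but who is not an admin is answered with `HttpStatus.UNAUTHORIZED` in both `/del` and the create endpoint; 401 conventionally means "no usable credentials", so `HttpStatus.FORBIDDEN` is the more accurate code there, and the `/del` message still talks about deleting a "Termin" rather than a user.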
@ -20,7 +20,7 @@ import java.util.List;
|
|||||||
"INNER JOIN user_event ue " +
|
"INNER JOIN user_event ue " +
|
||||||
"ON e.id = ue.event_id " +
|
"ON e.id = ue.event_id " +
|
||||||
"WHERE (ue.user_id = :userId OR e.is_private = 0) " +
|
"WHERE (ue.user_id = :userId OR e.is_private = 0) " +
|
||||||
"AND ue.date > :startDate " +
|
"AND ue.date >= :startDate " +
|
||||||
"AND ue.date < :endDate " +
|
"AND ue.date < :endDate " +
|
||||||
"ORDER BY ue.date, e.priority DESC, e.start",
|
"ORDER BY ue.date, e.priority DESC, e.start",
|
||||||
resultClass = Event.class
|
resultClass = Event.class
|
||||||
|
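Review bot: Changing `ue.date > :startDate` to `>=` turns the range into a half-open interval (`>= :startDate AND < :endDate`), which is the right shape for walking consecutive ranges without skipping or double-counting a boundary date, but nothing in the query records that intent; a comment on the query, `// date range is half-open: [startDate, endDate)`, would stop the next reader from "fixing" the asymmetry. Since the `INNER JOIN user_event` row set is filtered with `ue.user_id = :userId OR e.is_private = 0`, a public event that has several user_event rows in range would presumably come back once per row — worth confirming against the schema and deduplicating if so. The query declaration starts outside this hunk.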