Revize 72188b9a
Přidáno uživatelem Jakub Danek před více než 5 roky(ů)
| server/src/main/java/org/danekja/ymanager/business/ApiManager.java | ||
|---|---|---|
| 1 | 1 |
package org.danekja.ymanager.business; |
| 2 | 2 | |
| 3 |
import org.danekja.ymanager.business.auth.AuthExpressions;
|
|
| 3 |
import org.danekja.ymanager.business.auth.anot.IsOwner;
|
|
| 4 | 4 |
import org.danekja.ymanager.domain.*; |
| 5 | 5 |
import org.danekja.ymanager.dto.DefaultSettings; |
| 6 | 6 |
import org.danekja.ymanager.dto.*; |
| ... | ... | |
| 12 | 12 |
import org.slf4j.LoggerFactory; |
| 13 | 13 |
import org.springframework.beans.factory.annotation.Autowired; |
| 14 | 14 |
import org.springframework.dao.DataAccessException; |
| 15 |
import org.springframework.security.access.prepost.PreAuthorize; |
|
| 16 | 15 |
import org.springframework.stereotype.Component; |
| 17 | 16 | |
| 18 | 17 |
import java.time.LocalDate; |
| ... | ... | |
| 27 | 26 |
*/ |
| 28 | 27 |
private static final Logger log = LoggerFactory.getLogger(UserRepository.class); |
| 29 | 28 | |
| 30 |
private RequestRepository requestRepository; |
|
| 31 |
private UserRepository userRepository; |
|
| 32 |
private VacationRepository vacationRepository; |
|
| 29 |
private final RequestRepository requestRepository;
|
|
| 30 |
private final UserRepository userRepository;
|
|
| 31 |
private final VacationRepository vacationRepository;
|
|
| 33 | 32 | |
| 34 | 33 |
@Autowired |
| 35 | 34 |
public ApiManager(RequestRepository requestRepository, UserRepository userRepository, VacationRepository vacationRepository) {
|
| ... | ... | |
| 104 | 103 |
} |
| 105 | 104 | |
| 106 | 105 |
@Override |
| 107 |
@PreAuthorize(AuthExpressions.MASTER_SELF_ID_PARAM)
|
|
| 106 |
@IsOwner
|
|
| 108 | 107 |
public void createVacation(Long userId, VacationDay vacationDay) throws RESTFullException {
|
| 109 | 108 | |
| 110 | 109 |
if (vacationDay.getDate().isBefore(LocalDate.now())) {
|
| ... | ... | |
| 207 | 206 |
} |
| 208 | 207 | |
| 209 | 208 |
@Override |
| 210 |
@PreAuthorize(AuthExpressions.MASTER_SELF_ID_PARAM)
|
|
| 209 |
@IsOwner
|
|
| 211 | 210 |
public void changeVacation(Long userId, VacationDay vacationDay) throws RESTFullException {
|
| 212 | 211 |
try {
|
| 213 | 212 |
Optional<Vacation> vacation = vacationRepository.getVacationDay(vacationDay.getId()); |
| server/src/main/java/org/danekja/ymanager/business/auth/AuthExpressions.java | ||
|---|---|---|
| 1 |
package org.danekja.ymanager.business.auth; |
|
| 2 | ||
| 3 |
/** |
|
| 4 |
* This class holds String expressions used in authorization checks. |
|
| 5 |
* <p> |
|
| 6 |
* Please comment each expressions well enough to clarify what constraints on user authority it enforces. |
|
| 7 |
*/ |
|
| 8 |
public class AuthExpressions {
|
|
| 9 | ||
| 10 |
/** |
|
| 11 |
* Used in cases where the action can be triggered by either: |
|
| 12 |
* <ul> |
|
| 13 |
* <li>employer - typically can edit all records</li> |
|
| 14 |
* <li>data owner - employee can edit only his records</li> |
|
| 15 |
* </ul> |
|
| 16 |
* <p> |
|
| 17 |
* In this case, the protected method needs to take <b>userId</b> parameter which represents the "userId" value and |
|
| 18 |
* is compared to principal id. |
|
| 19 |
*/ |
|
| 20 |
public static final String MASTER_SELF_ID_PARAM = "hasAuthority('EMPLOYER') or #userId == authentication.principal.id";
|
|
| 21 |
} |
|
| server/src/main/java/org/danekja/ymanager/business/auth/anot/IsOwner.java | ||
|---|---|---|
| 1 |
package org.danekja.ymanager.business.auth.anot; |
|
| 2 | ||
| 3 |
import org.springframework.security.access.prepost.PreAuthorize; |
|
| 4 | ||
| 5 |
import java.lang.annotation.*; |
|
| 6 | ||
| 7 |
/** |
|
| 8 |
* Used in cases where the action can be triggered by either: |
|
| 9 |
* <ul> |
|
| 10 |
* <li>employer - typically can edit all records</li> |
|
| 11 |
* <li>data owner - employee can edit only his records</li> |
|
| 12 |
* </ul> |
|
| 13 |
* <p> |
|
| 14 |
* In this case, the protected method needs to take <b>userId</b> parameter which represents the "userId" value and |
|
| 15 |
* is compared to principal id. |
|
| 16 |
*/ |
|
| 17 |
@Target({ElementType.METHOD, ElementType.TYPE})
|
|
| 18 |
@Retention(RetentionPolicy.RUNTIME) |
|
| 19 |
@Inherited |
|
| 20 |
@Documented |
|
| 21 |
@PreAuthorize("hasAuthority('EMPLOYER') or #userId == authentication.principal.id")
|
|
| 22 |
public @interface IsOwner {
|
|
| 23 |
} |
|
| server/src/main/java/org/danekja/ymanager/business/impl/DefaultUserManager.java | ||
|---|---|---|
| 1 | 1 |
package org.danekja.ymanager.business.impl; |
| 2 | 2 | |
| 3 | 3 |
import org.danekja.ymanager.business.UserManager; |
| 4 |
import org.danekja.ymanager.business.auth.AuthExpressions; |
|
| 5 | 4 |
import org.danekja.ymanager.business.auth.anot.IsEmployer; |
| 5 |
import org.danekja.ymanager.business.auth.anot.IsOwner; |
|
| 6 | 6 |
import org.danekja.ymanager.domain.Status; |
| 7 | 7 |
import org.danekja.ymanager.domain.User; |
| 8 | 8 |
import org.danekja.ymanager.dto.BasicProfileUser; |
| ... | ... | |
| 13 | 13 |
import org.slf4j.LoggerFactory; |
| 14 | 14 |
import org.springframework.beans.factory.annotation.Autowired; |
| 15 | 15 |
import org.springframework.dao.DataAccessException; |
| 16 |
import org.springframework.security.access.prepost.PreAuthorize; |
|
| 17 | 16 |
import org.springframework.security.core.userdetails.UserDetails; |
| 18 | 17 |
import org.springframework.security.core.userdetails.UserDetailsService; |
| 19 | 18 |
import org.springframework.security.core.userdetails.UsernameNotFoundException; |
| ... | ... | |
| 42 | 41 |
} |
| 43 | 42 | |
| 44 | 43 |
@Override |
| 45 |
@PreAuthorize(AuthExpressions.MASTER_SELF_ID_PARAM)
|
|
| 44 |
@IsOwner
|
|
| 46 | 45 |
public User getUser(Long userId) {
|
| 47 | 46 |
return userRepository.getUser(userId); |
| 48 | 47 |
} |
Také k dispozici: Unified diff
re #37 replace auth expressions with custom annotation
re #37 replace auth expressions with custom annotation