DEAR-120 add authorized user check

24FSIIT16 · Jul 23, 2024 · b795155 · b795155
1 parent 9c6e893
commit b795155
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 3 deletions.
diff --git a/src/main/java/ch/fhnw/deardevbackend/annotations/ValidateUserId.java b/src/main/java/ch/fhnw/deardevbackend/annotations/ValidateUserId.java
@@ -0,0 +1,11 @@
+package ch.fhnw.deardevbackend.annotations;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ValidateUserId {
+}
diff --git a/src/main/java/ch/fhnw/deardevbackend/annotations/ValidateUserIdParam.java b/src/main/java/ch/fhnw/deardevbackend/annotations/ValidateUserIdParam.java
@@ -0,0 +1,11 @@
+package ch.fhnw.deardevbackend.annotations;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target(ElementType.PARAMETER)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface ValidateUserIdParam {
+}
diff --git a/src/main/java/ch/fhnw/deardevbackend/aspect/UserValidationAspect.java b/src/main/java/ch/fhnw/deardevbackend/aspect/UserValidationAspect.java
@@ -0,0 +1,55 @@
+package ch.fhnw.deardevbackend.aspect;
+
+import ch.fhnw.deardevbackend.controller.exceptions.YappiException;
+import ch.fhnw.deardevbackend.util.SecurityUtil;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.stereotype.Component;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Method;
+
+@Aspect
+@Component
+public class UserValidationAspect {
+
+    @Before("@annotation(ch.fhnw.deardevbackend.annotations.ValidateUserId) && args(dto,..)")
+    public void validateUserId(Object dto) {
+        Integer currentUserId = SecurityUtil.getCurrentUserId();
+        Integer userId;
+
+        try {
+            userId = (Integer) dto.getClass().getMethod("getUserId").invoke(dto);
+        } catch (Exception e) {
+            throw new YappiException("Unable to validate user ID");
+        }
+
+        assert currentUserId != null;
+        if (!currentUserId.equals(userId)) {
+            throw new YappiException("User ID mismatch");
+        }
+    }
+
+    @Before("execution(* *(.., @ch.fhnw.deardevbackend.annotations.ValidateUserIdParam (*), ..))")
+    public void validateUserIdParam(JoinPoint joinPoint) {
+        Integer currentUserId = SecurityUtil.getCurrentUserId();
+        MethodSignature methodSignature = (MethodSignature) joinPoint.getSignature();
+        Method method = methodSignature.getMethod();
+        Object[] args = joinPoint.getArgs();
+        Annotation[][] parameterAnnotations = method.getParameterAnnotations();
+
+        for (int i = 0; i < parameterAnnotations.length; i++) {
+            for (Annotation annotation : parameterAnnotations[i]) {
+                if (annotation instanceof ch.fhnw.deardevbackend.annotations.ValidateUserIdParam) {
+                    Integer userId = (Integer) args[i];
+                    assert currentUserId != null;
+                    if (!currentUserId.equals(userId)) {
+                        throw new YappiException("User ID mismatch");
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/src/main/java/ch/fhnw/deardevbackend/services/DashboardService.java b/src/main/java/ch/fhnw/deardevbackend/services/DashboardService.java
@@ -1,5 +1,7 @@
 package ch.fhnw.deardevbackend.services;
 
+import ch.fhnw.deardevbackend.annotations.ValidateUserId;
+import ch.fhnw.deardevbackend.annotations.ValidateUserIdParam;
 import ch.fhnw.deardevbackend.controller.exceptions.YappiException;
 import ch.fhnw.deardevbackend.dto.*;
 import ch.fhnw.deardevbackend.entities.EmotionSurvey;
@@ -44,6 +46,7 @@ public class DashboardService {
     @Autowired
     private SubmitEmotionSurveyMapper submitEmotionSurveyMapper;
 
+    @ValidateUserId
     @Transactional
     public HappinessSurvey saveHappinessSurvey(SubmitHappinessSurveyDTO dto) {
         try {
@@ -54,6 +57,7 @@ public HappinessSurvey saveHappinessSurvey(SubmitHappinessSurveyDTO dto) {
         }
     }
 
+    @ValidateUserId
     @Transactional
     public WorkKindSurvey saveWorkKindSurvey(SubmitWorkKindSurveyDTO dto) {
         try {
@@ -64,8 +68,9 @@ public WorkKindSurvey saveWorkKindSurvey(SubmitWorkKindSurveyDTO dto) {
         }
     }
 
+    @ValidateUserId
     @Transactional
-    public EmotionSurvey saveEmotionSurvey(SubmitEmotionSurveyDTO dto) { // todo rename!!!!!!!!!!
+    public EmotionSurvey saveEmotionSurvey(SubmitEmotionSurveyDTO dto) {
         try {
             EmotionSurvey survey = submitEmotionSurveyMapper.toEmotionSurvey(dto);
             return emotionSurveyRepository.save(survey);
@@ -75,7 +80,7 @@ public EmotionSurvey saveEmotionSurvey(SubmitEmotionSurveyDTO dto) { // todo ren
     }
 
     @Transactional(readOnly = true)
-    public Integer getAverageScoreByUserId(Integer userId) {
+    public Integer getAverageScoreByUserId(@ValidateUserIdParam Integer userId) {
         try {
             List<Object[]> dailyAverages = happinessSurveyRepository.findDailyAveragesByUserId(userId);
 
@@ -96,7 +101,7 @@ public Integer getAverageScoreByUserId(Integer userId) {
     }
 
     @Transactional(readOnly = true)
-    public DashboardDTO getDashboardDataByUserId(Integer userId) {
+    public DashboardDTO getDashboardDataByUserId(@ValidateUserIdParam Integer userId) {
         try {
 
             Integer averageScore = getAverageScoreByUserId(userId);