From aebf07b398c50433446ff41daed8c49aaa310c7f Mon Sep 17 00:00:00 2001
From: Jonas Stahl
Date: Sat, 5 Oct 2024 16:11:53 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Adjust=20some=20sec?=
 =?UTF-8?q?urity=20related=20stuff?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../turnierplaner/resources/CompetitionResource.java | 5 ++---
 .../turnierplaner/resources/ConfigResource.java | 2 ++
 .../turnierplaner/resources/MatchResource.java | 8 +++++++-
 .../turnierplaner/resources/PlayerResource.java | 6 +++++-
 .../turnierplaner/resources/TournamentResource.java | 1 +
 .../secretj12/turnierplaner/tools/CommonHelpers.java | 11 ++++++-----
 6 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/main/java/de/secretj12/turnierplaner/resources/CompetitionResource.java b/src/main/java/de/secretj12/turnierplaner/resources/CompetitionResource.java
index 5a4cf8e3..5cfc6bdf 100644
--- a/src/main/java/de/secretj12/turnierplaner/resources/CompetitionResource.java
+++ b/src/main/java/de/secretj12/turnierplaner/resources/CompetitionResource.java
@@ -74,12 +74,11 @@ public List getAllCompetitions(@PathParam("tourName") String t
 
 @GET
 @Path("/prepare")
+ @RolesAllowed("director")
 @Consumes(MediaType.APPLICATION_JSON)
 @Produces(MediaType.APPLICATION_JSON)
 public List getPrepareCompetitions(@PathParam("tourName") String tourName) {
- if (securityIdentity.hasRole("director"))
- return competitions.listByName(tourName).stream().map(jDirectorCompetitionUpdate::new).toList();
- throw new UnauthorizedException("Not authorized");
+ return competitions.listByName(tourName).stream().map(jDirectorCompetitionUpdate::new).toList();
 }
 
 @GET
diff --git a/src/main/java/de/secretj12/turnierplaner/resources/ConfigResource.java b/src/main/java/de/secretj12/turnierplaner/resources/ConfigResource.java
index 8a0206cf..9306a2e5 100644
--- a/src/main/java/de/secretj12/turnierplaner/resources/ConfigResource.java
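Review bot: Replacing the in-body `hasRole` check with `@RolesAllowed("director")` changes the failure response for an authenticated caller who lacks the role from the 401 produced by `UnauthorizedException` to the 403 that Quarkus returns for a failed `@RolesAllowed` check (anonymous callers still get 401), so any client or test that asserted the old status code needs updating and the commit message should say so. The declarative form is the better one, since it fails closed even if the body is edited later. With the only visible use of `securityIdentity` in this method gone, check whether the injected field is still used elsewhere in the class; if not, remove it.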
+++ b/src/main/java/de/secretj12/turnierplaner/resources/ConfigResource.java
@@ -5,6 +5,7 @@
 import de.secretj12.turnierplaner.db.repositories.ConfigRepository;
 import de.secretj12.turnierplaner.db.repositories.DefaultConfigRepository;
 import de.secretj12.turnierplaner.model.user.jUserConfig;
+import io.quarkus.security.Authenticated;
 import io.quarkus.security.identity.SecurityIdentity;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
@@ -45,6 +46,7 @@ public jUserConfig loadUserConfig() {
 @POST
 @Path("/save")
 @Transactional
+ @Authenticated
 @Consumes(MediaType.APPLICATION_JSON)
 public void saveConfig(jUserConfig nConfig) {
 UUID uuid = UUID.fromString(jwt.getSubject());
diff --git a/src/main/java/de/secretj12/turnierplaner/resources/MatchResource.java b/src/main/java/de/secretj12/turnierplaner/resources/MatchResource.java
index d1fa714d..f9b59db4 100644
--- a/src/main/java/de/secretj12/turnierplaner/resources/MatchResource.java
+++ b/src/main/java/de/secretj12/turnierplaner/resources/MatchResource.java
@@ -9,6 +9,7 @@
 import de.secretj12.turnierplaner.db.repositories.PlayerRepository;
 import de.secretj12.turnierplaner.db.repositories.TournamentRepository;
 import de.secretj12.turnierplaner.model.user.jUserMatchEvent;
+import de.secretj12.turnierplaner.tools.CommonHelpers;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.core.MediaType;
@@ -29,6 +30,9 @@ public class MatchResource {
 @Inject
 PlayerRepository players;
 
+ @Inject
+ CommonHelpers commonHelpers;
+
 @GET
 @Produces(MediaType.APPLICATION_JSON)
 public List getMatches(
@@ -48,6 +52,8 @@ public List getMatches(
 throw new BadRequestException("Need to specify at least a tournament or a player");
 
 return matches.filterMatches(tournament, competition, player, fromD, toD)
- .stream().map(jUserMatchEvent::new).toList();
+ .stream()
+ .filter(m -> commonHelpers.isTournamentAccessible(m.getCompetition().getTournament()))
+ .map(jUserMatchEvent::new).toList();
 }
 }
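Review bot: `@Authenticated` on `saveConfig` is the right guard for `UUID.fromString(jwt.getSubject())` on the line below, which an anonymous request would otherwise reach without a verified subject. `loadUserConfig`, whose closing brace is this hunk's function context, is not visible here; if it derives the user from `jwt.getSubject()` in the same way it presumably needs the same annotation, so confirm. A one-line comment on the annotation, `// the subject below is only trusted because the token was verified by the security layer`, would record why the endpoint is gated.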
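Review bot: The new `.filter(...)` silently drops matches of hidden tournaments, so a request that names a hidden `tournament` explicitly now returns an empty list, whereas `checkTournamentAccessibility` in TournamentResource and PlayerResource rejects the same request with 401 or 404; that is defensible, since it reveals less about hidden tournaments, but it is a deliberate choice that should be written down, e.g. `// hidden tournaments are filtered rather than rejected: a non-director cannot tell "hidden" from "no matches"`. `isTournamentAccessible` also dereferences `tournament.isVisible()` without a null check, so a match whose `getCompetition().getTournament()` chain yields null would surface as a 500 here; whether that can happen depends on the entity mapping, which is not visible. Filtering after the repository query also means `filterMatches` does the work for rows that are then discarded; if it ever gains pagination, the visibility constraint belongs in the query. `getMatches` begins above the hunk.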
diff --git a/src/main/java/de/secretj12/turnierplaner/resources/PlayerResource.java b/src/main/java/de/secretj12/turnierplaner/resources/PlayerResource.java
index 8d72b96a..8e1bd15a 100644
--- a/src/main/java/de/secretj12/turnierplaner/resources/PlayerResource.java
+++ b/src/main/java/de/secretj12/turnierplaner/resources/PlayerResource.java
@@ -14,6 +14,7 @@
 import de.secretj12.turnierplaner.model.jPage;
 import de.secretj12.turnierplaner.model.user.jUserPlayer;
 import de.secretj12.turnierplaner.model.user.jUserPlayerRegistrationForm;
+import de.secretj12.turnierplaner.tools.CommonHelpers;
 import io.quarkus.mailer.Mailer;
 import io.quarkus.scheduler.Scheduled;
 import io.quarkus.security.identity.SecurityIdentity;
@@ -51,17 +52,19 @@ public class PlayerResource {
 DefaultConfigRepository defaultConfigRepository;
 @Inject
 SecurityIdentity securityIdentity;
+ @Inject
+ CommonHelpers commonHelpers;
 @ConfigProperty(name = "turnierplaner.registration.expire")
 public int expire;
- // expects search string as lower case!
 @GET
 @Path("/compFind/{tourId}/{compId}/")
 @Produces(MediaType.APPLICATION_JSON)
 public List listCompPlayer(@PathParam("tourId") String tourId, @PathParam("compId") String compId, @QueryParam("search") String search, @DefaultValue("false") @QueryParam("playerB") boolean playerB) {
+ commonHelpers.checkTournamentAccessibility(tourId);
 Competition competition = competitionRepository.getByName(tourId, compId);
 if (competition == null) throw new BadRequestException("Invalid competition");
@@ -196,6 +199,7 @@ public String playerRegistration(jUserPlayerRegistrationForm playerForm) {
 @Transactional
 @Path("/update")
 @Blocking
+ @RolesAllowed("director")
 @Consumes(MediaType.APPLICATION_JSON)
 @Produces(MediaType.TEXT_PLAIN)
 public String playerRegistration(jDirectorPlayerUpdateForm uPlayer) {
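Review bot: The removed comment `// expects search string as lower case!` documented a precondition on the `search` parameter of `listCompPlayer`, and nothing in this hunk shows the corresponding code changing; if the body, which continues below the hunk, still relies on the caller lower-casing, the precondition should survive as documentation, e.g. a Javadoc `@param search substring to match; the endpoint expects it already lower-cased`. If the body was changed to lower-case the input itself, dropping the comment is fine and that change belongs in the commit message. The added `commonHelpers.checkTournamentAccessibility(tourId)` correctly runs before any data is read, but it means an unknown `tourId` now answers 404 from the helper before the existing `BadRequestException("Invalid competition")` can fire, which is worth a sentence in the endpoint's docs.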
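Review bot: `playerRegistration(jDirectorPlayerUpdateForm)` is now gated with `@RolesAllowed("director")`, but its body lies below the hunk; if it still carries a `securityIdentity.hasRole("director")` check of its own, that check is now dead and should go, as was done for `getPrepareCompetitions` in CompetitionResource. Two endpoints sharing the name `playerRegistration` with different DTOs (the hunk header shows the `jUserPlayerRegistrationForm` overload) is also confusing for a `/update` endpoint; `updatePlayer` would say what it does.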
diff --git a/src/main/java/de/secretj12/turnierplaner/resources/TournamentResource.java b/src/main/java/de/secretj12/turnierplaner/resources/TournamentResource.java
index 48fa3030..41885eb4 100644
--- a/src/main/java/de/secretj12/turnierplaner/resources/TournamentResource.java
+++ b/src/main/java/de/secretj12/turnierplaner/resources/TournamentResource.java
@@ -92,6 +92,7 @@ public Set getCourts(@PathParam("tourName") String tourName) {
 Tournament tournament = tournaments.getByName(tourName);
 if (tournament == null) throw new NotFoundException("Could not find tournament");
+ common.checkTournamentAccessibility(tournament);
 return tournament.getCourts().stream().map(jUserCourt::new).collect(Collectors.toSet());
 }
 
diff --git a/src/main/java/de/secretj12/turnierplaner/tools/CommonHelpers.java b/src/main/java/de/secretj12/turnierplaner/tools/CommonHelpers.java
index c91a54a7..0855ac0a 100644
--- a/src/main/java/de/secretj12/turnierplaner/tools/CommonHelpers.java
+++ b/src/main/java/de/secretj12/turnierplaner/tools/CommonHelpers.java
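Review bot: `common.checkTournamentAccessibility(tournament)` already throws `NotFoundException("Tournament could not be found")` for a null tournament (see the CommonHelpers hunk), so the `if (tournament == null) throw new NotFoundException("Could not find tournament")` line above it is now redundant and the two paths report the same condition with different messages. Either drop the local check, leaving `Tournament tournament = tournaments.getByName(tourName);` followed directly by `common.checkTournamentAccessibility(tournament);`, or keep it and align the message. `getCourts` starts above the hunk.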
@@ -17,15 +17,16 @@ public class CommonHelpers {
 SecurityIdentity securityIdentity;
 
 public void checkTournamentAccessibility(String tourName) {
- Tournament tournament = tournaments.getByName(tourName);
- if (tournament == null) throw new NotFoundException("Tournament could not be found");
- if (!securityIdentity.hasRole("director") && !tournament.isVisible())
- throw new UnauthorizedException("Cannot access tournament");
+ checkTournamentAccessibility(tournaments.getByName(tourName));
 }
 
 public void checkTournamentAccessibility(Tournament tournament) {
 if (tournament == null) throw new NotFoundException("Tournament could not be found");
- if (!securityIdentity.hasRole("director") && !tournament.isVisible())
+ if (!isTournamentAccessible(tournament))
 throw new UnauthorizedException("Cannot access tournament");
 }
+
+ public boolean isTournamentAccessible(Tournament tournament) {
+ return securityIdentity.hasRole("director") || tournament.isVisible();
+ }
 }

From b3f31d0179d73b7f4c95f608868995504e334e2b Mon Sep 17 00:00:00 2001
From: Jonas Stahl
Date: Sat, 5 Oct 2024 16:17:03 +0200
Subject: [PATCH 2/2] =?UTF-8?q?=E2=9C=85=20Fix=20tests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../turnierplaner/resources/TestPlayerResource.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/test/java/de/secretj12/turnierplaner/resources/TestPlayerResource.java b/src/test/java/de/secretj12/turnierplaner/resources/TestPlayerResource.java
index 9219f2f3..f8489bca 100644
--- a/src/test/java/de/secretj12/turnierplaner/resources/TestPlayerResource.java
+++ b/src/test/java/de/secretj12/turnierplaner/resources/TestPlayerResource.java
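Review bot: The new public `isTournamentAccessible(Tournament)` assumes a non-null argument, since `tournament.isVisible()` is reached whenever the caller is not a director, while its sibling `checkTournamentAccessibility(Tournament)` guards against null; MatchResource now calls the predicate directly on navigated entities, so either document the contract with a Javadoc (`@param tournament non-null; callers resolve and null-check first`) or make it total, `return tournament != null && (securityIdentity.hasRole("director") || tournament.isVisible());`. The role name `"director"` is now spelled out here and in `@RolesAllowed("director")` in CompetitionResource and PlayerResource; a shared constant such as `public static final String ROLE_DIRECTOR = "director";` in this class would keep them from drifting. Note also that `UnauthorizedException` yields 401 even for an authenticated non-director, where 403 (`ForbiddenException`) is the accurate status; that is pre-existing, but this helper is the one place to decide it.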
@@ -1,7 +1,9 @@
 package de.secretj12.turnierplaner.resources;
 
-import de.secretj12.turnierplaner.db.entities.*;
-import de.secretj12.turnierplaner.db.entities.competition.*;
+import de.secretj12.turnierplaner.db.entities.Player;
+import de.secretj12.turnierplaner.db.entities.Tournament;
+import de.secretj12.turnierplaner.db.entities.VerificationCode;
+import de.secretj12.turnierplaner.db.entities.competition.Competition;
 import de.secretj12.turnierplaner.db.repositories.CompetitionRepository;
 import de.secretj12.turnierplaner.db.repositories.PlayerRepository;
 import de.secretj12.turnierplaner.db.repositories.TournamentRepository;
@@ -56,6 +58,7 @@ private Competition genComp() {
 public void addPlayer() {
 Tournament tournament = new Tournament();
 tournament.setName("Clubmeisterschaft");
+ tournament.setVisible(true);
 tournamentRepository.persist(tournament);
 
 Competition herren = genComp();
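Review bot: `tournament.setVisible(true)` keeps `addPlayer` passing now that `listCompPlayer` calls `checkTournamentAccessibility`, but the suite then only exercises the permissive path of the new check; a companion test that leaves `visible` at its default, asserts 401 for a non-director and success for a director would pin the behaviour the first commit introduces and catch a regression if the guard is ever removed. A short comment on the added line, `// listCompPlayer rejects hidden tournaments for non-directors`, would explain why the fixture needs it. The `addPlayer` test body continues below the hunk.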