diff --git a/src/main/java/djmil/cashcard/CashCardController.java b/src/main/java/djmil/cashcard/CashCardController.java
index 011f697..6787d20 100644
--- a/src/main/java/djmil/cashcard/CashCardController.java
+++ b/src/main/java/djmil/cashcard/CashCardController.java
@@ -13,6 +13,8 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.util.UriComponentsBuilder;
+import java.security.Principal;
+
 import java.net.URI;
 import java.util.List;
 import java.util.Optional;
@@ -28,8 +30,12 @@ public class CashCardController {
     }
 
     @GetMapping("/{requestedId}")
-    public ResponseEntity findById(@PathVariable Long requestedId) {
-        Optional cashCardOptional = cashCardRepository.findById(requestedId);
+    public ResponseEntity findById(@PathVariable Long requestedId, Principal principal) {
+        CashCard cashCard = cashCardRepository.findByIdAndOwner(
+                requestedId,
+                principal.getName()
+        );
+        Optional cashCardOptional = Optional.ofNullable(cashCard);
 
         if (cashCardOptional.isPresent()) {
             return ResponseEntity.ok(cashCardOptional.get());
@@ -44,8 +50,9 @@ public class CashCardController {
     // }
 
     @GetMapping
-    public ResponseEntity> findAll(Pageable pageable) {
-        Page page = cashCardRepository.findAll(
+    public ResponseEntity> findAll(Pageable pageable, Principal principal) {
+        Page page = cashCardRepository.findByOwner(
+                principal.getName(),
                 PageRequest.of(
                         pageable.getPageNumber(),
                         pageable.getPageSize(),
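Review bot: findByIdAndOwner returns null when no card matches, and the new lines immediately re-wrap that into `Optional cashCardOptional = Optional.ofNullable(cashCard);` only to call isPresent()/get(); declaring the repository method as `Optional<CashCard> findByIdAndOwner(Long id, String owner);` in the CashCardRepository hunk (Spring Data derives Optional-returning queries) removes the nullable local and the wrap. The owner-scoped query is the right place to enforce object-level authorization, and the reason a foreign id answers with 404 rather than 403 (which the new test in CashcardApplicationTests asserts) deserves a comment on the lookup, e.g. `// Scope the query by owner: another user's card is indistinguishable from a missing one, so card ids are not disclosed.` findById's not-found branch and the rest of the method lie outside the hunk.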
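Review bot: findByOwner is declared with a concrete `PageRequest` as its second parameter (named `amount`, in the CashCardRepository hunk), which is why findAll has to rebuild one from the Pageable it already receives. Declaring it as `Page<CashCard> findByOwner(String owner, Pageable pageable);` lets the controller pass `pageable` straight through and fixes the misleading parameter name; I raise it here once rather than again on the repository hunk. The PageRequest.of(...) call and the remainder of findAll continue outside the hunk.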
@@ -56,13 +63,15 @@ public class CashCardController {
     }
 
     @PostMapping
-    private ResponseEntity createCashCard(@RequestBody CashCard newCashCardRequest, UriComponentsBuilder ucb) {
-        CashCard savedCashCard = cashCardRepository.save(newCashCardRequest); // CRUD - Create
+    private ResponseEntity createCashCard(@RequestBody CashCard newCashCardRequest, UriComponentsBuilder ucb, Principal principal) {
+        CashCard cashCardWithOwner = new CashCard(null, newCashCardRequest.amount(), principal.getName());
+        CashCard savedCashCard = cashCardRepository.save(cashCardWithOwner); // CRUD - Create
         URI locationOfNewCashCard = ucb
                 .path("cashcards/{id}")
                 .buildAndExpand(savedCashCard.id())
                 .toUri();
+
         return ResponseEntity.created(locationOfNewCashCard).build();
     }
 }
diff --git a/src/main/java/djmil/cashcard/CashCardRepository.java b/src/main/java/djmil/cashcard/CashCardRepository.java
index 9818157..8e5e602 100644
--- a/src/main/java/djmil/cashcard/CashCardRepository.java
+++ b/src/main/java/djmil/cashcard/CashCardRepository.java
@@ -2,10 +2,15 @@ package djmil.cashcard;
 import org.springframework.data.repository.CrudRepository;
 import org.springframework.data.repository.PagingAndSortingRepository;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
 public interface CashCardRepository extends CrudRepository,
-        PagingAndSortingRepository {
+        PagingAndSortingRepository
+{
+    CashCard findByIdAndOwner(Long id, String owner);
+    Page findByOwner(String owner, PageRequest amount);
 }
diff --git a/src/test/java/djmil/cashcard/CashcardApplicationTests.java b/src/test/java/djmil/cashcard/CashcardApplicationTests.java
index a17ef59..a287d48 100644
--- a/src/test/java/djmil/cashcard/CashcardApplicationTests.java
+++ b/src/test/java/djmil/cashcard/CashcardApplicationTests.java
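Review bot: The new line `CashCard cashCardWithOwner = new CashCard(null, newCashCardRequest.amount(), principal.getName());` silently discards whatever owner the client put in the request body, and the test change in CashcardApplicationTests (owner passed as null) relies on exactly that; the intent should be stated on the line, e.g. `// Owner always comes from the authenticated principal; any owner in the request body is ignored.` The handler also stays `private` while findById and findAll are `public`; Spring presumably still invokes it since the existing create test posts to it, but the inconsistency is worth fixing. Nothing in the hunk validates `newCashCardRequest.amount()` (null or negative values), so if no validation exists elsewhere this is the place to add it.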
@@ -59,7 +59,7 @@ class CashcardApplicationTests {
     @Test
     @DirtiesContext
     void shouldCreateANewCashCard() {
-        CashCard newCashCard = new CashCard(null, 250.00, "sarah1");
+        CashCard newCashCard = new CashCard(null, 250.00, null);
         ResponseEntity createResponse = restTemplate
                 .withBasicAuth("sarah1", "abc123")
                 .postForEntity("/cashcards", newCashCard, Void.class );
@@ -161,4 +161,12 @@ class CashcardApplicationTests {
                 .getForEntity("/cashcards/99", String.class);
         assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
     }
+    @Test
+    void shouldNotAllowAccessToCashCardsTheyDoNotOwn() {
+        ResponseEntity response = restTemplate
+                .withBasicAuth("sarah1", "abc123")
+                .getForEntity("/cashcards/102", String.class); // <<-- kumar2's data
+        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND);
+    }
 }
diff --git a/src/test/resources/data.sql b/src/test/resources/data.sql
index 2134f06..f1ab8ff 100644
--- a/src/test/resources/data.sql
+++ b/src/test/resources/data.sql
@@ -1,3 +1,4 @@
 INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (99, 123.45, 'sarah1');
 INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (100, 1.00, 'sarah1');
-INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (101, 150.00, 'sarah1');
\ No newline at end of file
+INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (101, 150.00, 'sarah1');
+INSERT INTO CASH_CARD(ID, AMOUNT, OWNER) VALUES (102, 200.00, 'kumar2');
\ No newline at end of file
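Review bot: shouldNotAllowAccessToCashCardsTheyDoNotOwn covers only the single-card path; the list endpoint was scoped by owner in the same commit and has no equivalent check, so a companion test requesting `/cashcards` as sarah1 and asserting that no entry with id 102 (kumar2's card) appears would close that gap. The choice of NOT_FOUND over FORBIDDEN in the assertion appears deliberate and should be explained in the test, e.g. `// 404, not 403: a card the caller does not own must look exactly like a card that does not exist.`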