From 5c728098dff85db2dc61fcf4153d7d6269614ffe Mon Sep 17 00:00:00 2001
From: Bartha Maxime <231026@umons.ac.be>
Date: Tue, 12 Mar 2024 00:03:32 +0100
Subject: [PATCH] protected post /user and get/users and return without password
---
 .../Clyde/EndPoints/UserController.java | 47 ++++++++++++++++---
 1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java b/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
index 43bcd0c..4a20058 100644
--- a/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
+++ b/backend/src/main/java/ovh/herisson/Clyde/EndPoints/UserController.java
@@ -8,8 +8,11 @@ import org.springframework.web.bind.annotation.*;
 import ovh.herisson.Clyde.Responses.UnauthorizedResponse;
 import ovh.herisson.Clyde.Services.AuthenticatorService;
 import ovh.herisson.Clyde.Services.UserService;
+import ovh.herisson.Clyde.Tables.Role;
 import ovh.herisson.Clyde.Tables.User;
+import java.util.ArrayList;
+
 @RestController
 @CrossOrigin(origins = "http://localhost:5173")
@@ -23,25 +26,57 @@ public class UserController {
 }
 @GetMapping("/user")
- public ResponseEntity getUser(@RequestHeader("Cookie") String authorization){
+ public ResponseEntity getUser(@RequestHeader("Authorization") String authorization){
 if (authorization == null) return new UnauthorizedResponse<>(null);
 User user = authServ.getUserFromToken(authorization);
 if (user == null) return new UnauthorizedResponse<>(null);
- return new ResponseEntity<>(user, HttpStatus.OK);
+
+ return new ResponseEntity<>(userWithoutPassword(user), HttpStatus.OK);
 }
- @PostMapping("/user") //todo check role
- public ResponseEntity postUser(@RequestBody User user){
+ @PostMapping("/user")
+ public ResponseEntity postUser(@RequestBody User user,@RequestHeader("Authorization") String authorization){
+
+ if (authorization == null) return new UnauthorizedResponse<>(null);
+ User poster = authServ.getUserFromToken(authorization);
+
+ if (poster.getRole() != Role.Secretary || poster.getRole() != Role.Admin)
+ return new UnauthorizedResponse<>(null);
+
+
 userService.save(user);
 return new ResponseEntity<>(String.format("Account created with ID:%s",user.getRegNo()),HttpStatus.CREATED);
 }
 @GetMapping("/users")
- public Iterable getAllUsers(){
- return userService.getAll();
+ public ResponseEntity> getAllUsers(@RequestHeader("Authorization") String authorization){
+
+ if (authorization == null) return new UnauthorizedResponse<>(null);
+ User poster = authServ.getUserFromToken(authorization);
+
+ if (poster == null) return new UnauthorizedResponse<>(null);
+
+ if (poster.getRole() != Role.Secretary || poster.getRole() != Role.Admin)
+ return new UnauthorizedResponse<>(null);
+
+ Iterable users = userService.getAll();
+ ArrayList withoutPassword = new ArrayList<>();
+
+ for (User u :users){
+ withoutPassword.add(userWithoutPassword(u));
+ }
+ return new ResponseEntity<>(withoutPassword, HttpStatus.OK);
 }
+
+ /** return user's data except password
+ * @param user the user to return
+ * @return all the user data without the password
+ */
+ private Object[] userWithoutPassword(User user){
+ return new Object[] {user.getRegNo(),user.getFirstName(),user.getLastName(),user.getBirthDate(),user.getCountry(),user.getAddress(),user.getRole()};
+ }
 }
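Review bot: The role gate added to postUser and getAllUsers rejects every caller, Secretary and Admin included, because `poster.getRole() != Role.Secretary || poster.getRole() != Role.Admin` is true for any single role value; the two comparisons need `&&`, and postUser additionally dereferences `poster` without the null check getAllUsers has, so an expired or forged token there surfaces as a NullPointerException (a 500) instead of the intended 401. One guard covers both cases in each method: `if (poster == null || (poster.getRole() != Role.Secretary && poster.getRole() != Role.Admin)) return new UnauthorizedResponse<>(null);`. Separately, postUser passes the deserialized request body straight to `userService.save(user)`, so the role and password fields are whatever the client put in the JSON; unless save() hashes the password and validates or resets the role (not visible here), a Secretary could create an Admin, which is worth confirming before this endpoint is exposed. The positional `Object[]` built by userWithoutPassword is also fragile for API consumers, since nothing names which index is the address or the role; a small DTO class or a `Map` with named keys would make the contract explicit.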