diff --git a/frontend/src/App.svelte b/frontend/src/App.svelte
index c001e524..5acfec7a 100644
--- a/frontend/src/App.svelte
+++ b/frontend/src/App.svelte
@@ -145,6 +145,7 @@ {/if} +
diff --git a/frontend/src/routes/poll/View.svelte b/frontend/src/routes/poll/View.svelte
index 16a2fd03..8f388ff0 100644
--- a/frontend/src/routes/poll/View.svelte
+++ b/frontend/src/routes/poll/View.svelte
@@ -46,12 +46,12 @@
{t('User')} -{#if user} -
{t('logged in as: {user}',{user:user.name})}
+{#if user.name} +
{t('logged in as: {user}',{user:user.name})}
{:else} {/if}
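Review bot: The new guard `{#if user.name}` dereferences `user` unconditionally, so if the value can still be `null`/`undefined` at render time (which the replaced `{#if user}` check suggests it could), the template throws instead of falling into the `{:else}` branch. `{#if user?.name}` keeps the intended "only show a named user" behaviour while still tolerating an unset user. Whether the surrounding component guarantees `user` is always an object is not visible in this hunk.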
diff --git a/poll/src/main/java/de/srsoftware/umbrella/poll/PollModule.java b/poll/src/main/java/de/srsoftware/umbrella/poll/PollModule.java
index 096f3a0d..1c2a49a0 100644
--- a/poll/src/main/java/de/srsoftware/umbrella/poll/PollModule.java
+++ b/poll/src/main/java/de/srsoftware/umbrella/poll/PollModule.java
@@ -29,10 +29,7 @@ import de.srsoftware.umbrella.core.model.UmbrellaUser;
import org.json.JSONObject;
import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
+import java.util.*;
public class PollModule extends BaseHandler implements PollService {
@@ -50,14 +47,13 @@ public class PollModule extends BaseHandler implements PollService {
addCors(ex);
try {
Optional token = SessionToken.from(ex).map(Token::of);
- var user = userService().loadUser(token);
- if (user.isEmpty()) return unauthorized(ex);
var head = path.pop();
+ var user = userService().loadUser(token).orElse(null);
return switch (head) {
- case EVALUATE -> getPollEvaluation(ex,user.get(), path);
- case LIST -> getPollList(ex,user.get());
+ case EVALUATE -> getPollEvaluation(ex,user, path);
+ case LIST -> getPollList(ex,user);
case null -> super.doGet(path,ex);
- default -> getPoll(ex,user.get(),head);
+ default -> getPoll(ex,user,head);
};
} catch (UmbrellaException e){
return send(ex,e);
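Review bot: The wildcard `import java.util.*;` that replaces the four explicit imports hides which utilities the class actually relies on (the later hunks add `Set`) and can silently collide with same-named types from other packages; listing `HashMap`, `List`, `Map`, `Optional` and `Set` explicitly is the conventional form and what this file used before. With `loadUser(token).orElse(null)` the `doGet` switch now forwards a possibly-null user to every branch, so each callee has to handle the anonymous case itself; the guards this commit adds cover `getPollList` and `getPollEvaluation`, which leaves `getPoll` (default branch) as the one whose null-user handling needs confirming.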
@@ -97,15 +93,19 @@ public class PollModule extends BaseHandler implements PollService {
}
}
- private boolean getPoll(HttpExchange ex, UmbrellaUser user, String id) throws IOException {
- return sendContent(ex,loadPoll(user,id));
+ private boolean getPoll(HttpExchange ex, UmbrellaUser user, String pollId) throws IOException {
+ var poll = pollDb.loadPoll(pollId);
+ var permitted = !poll.isPrivate() || poll.owner().equals(user);
+ if (!permitted && poll.permissions().get(user) == null) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
+ return sendContent(ex,poll);
}
private boolean getPollEvaluation(HttpExchange ex, UmbrellaUser user, Path path) throws IOException {
+ if (user == null) return unauthorized(ex);
if (path.empty()) throw missingField(ID);
- var poll = loadPoll(user,path.pop());
- LOG.log(WARNING,"Mising permission check for poll evaluation");
- // TODO: check permissions
+ var poll = pollDb.loadPoll(path.pop());
+ var permitted = poll.owner().equals(user);
+ if (!permitted && !Set.of(Permission.EDIT, Permission.OWNER).contains(poll.permissions().get(user))) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
var result = new HashMap<>(poll.toMap());
var evaluation = pollDb.loadEvaluation(poll.id());
result.put(Field.EVALUATION,evaluation.toMap());
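Review bot: `Set.of(Permission.EDIT, Permission.OWNER).contains(poll.permissions().get(user))` in `getPollEvaluation` throws `NullPointerException` whenever the user has no entry in the permissions map, because the immutable sets returned by `Set.of` reject `contains(null)`; a logged-in non-owner without a grant therefore gets an unhandled exception instead of the intended `forbidden`. The same expression is repeated in `patchPoll` and `postToPoll` in the following hunks, so it belongs in one helper that compares the enum values directly and is called as `requireEditPermission(poll, user);` at all three sites. In `getPoll`, an anonymous caller on a private poll ends in `forbidden` rather than `unauthorized(ex)` as `getPollList` and `getPollEvaluation` now do, and passes a null key to `permissions().get(...)`, whose behaviour depends on the map implementation; `if (!permitted && user == null) return unauthorized(ex);` before the lookup keeps the handlers consistent (the reused `Text.NOT_ALLOWED_TO_EDIT` for a read denial is also worth its own text). `getPollEvaluation`'s body continues past the hunk.
```java
/** Throws forbidden unless user owns the poll or holds EDIT/OWNER on it; a missing grant (null) is denied without NPE. */
private void requireEditPermission(Poll poll, UmbrellaUser user) {
    if (poll.owner().equals(user)) return;
    var permission = poll.permissions().get(user);
    if (permission != Permission.EDIT && permission != Permission.OWNER) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT, Text.POLL);
}
```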
@@ -113,22 +113,16 @@ public class PollModule extends BaseHandler implements PollService {
}
private boolean getPollList(HttpExchange ex, UmbrellaUser user) throws IOException {
+ if (user == null) return unauthorized(ex);
var list = pollDb.listPolls(user).stream().map(Poll::toMap);
return sendContent(ex,list);
}
- private Poll loadPoll(UmbrellaUser user, String pollId) {
+ private boolean patchPoll(HttpExchange ex, UmbrellaUser user, String pollId, Path path) throws IOException {
var poll = pollDb.loadPoll(pollId);
- var permitted = user.equals(poll.owner());
- if (!permitted) {
- var permission = poll.permissions().get(user);
- if (permission == null || permission == READ_ONLY) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
- }
- return poll;
- }
+ var permitted = poll.owner().equals(user);
+ if (!permitted && !Set.of(Permission.EDIT, Permission.OWNER).contains(poll.permissions().get(user))) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
- private boolean patchPoll(HttpExchange ex, UmbrellaUser user, String id, Path path) throws IOException {
- var poll = loadPoll(user,id);
var head = path.pop();
return switch (head){
case null -> patchPoll(ex, poll);
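Review bot: `patchPoll` receives no `if (user == null) return unauthorized(ex);` guard, while `getPollList` in the same hunk does. Whether `doPatch` (outside this hunk) still rejects anonymous sessions before calling it is not visible here; if it was changed like `doGet` to pass `orElse(null)`, a null user reaches `poll.permissions().get(user)` and the `Set.of(...).contains(...)` check, which is the null-argument problem raised on `getPollEvaluation` above. Adding the guard as the first statement keeps the three handlers uniform. The method body continues past the hunk.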
@@ -203,18 +197,19 @@ public class PollModule extends BaseHandler implements PollService {
}
private boolean postToPoll(HttpExchange ex, UmbrellaUser user, String id, Path path) throws IOException {
- if (user == null) return unauthorized(ex);
- var poll = pollDb.loadPoll(id);
- var permitted = user.equals(poll.owner());
- if (!permitted) {
- var permission = poll.permissions().get(user);
- if (permission == null || permission == READ_ONLY) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
- }
var head = path.pop();
+ var poll = pollDb.loadPoll(id);
+ if (user == null) {
+ if (SELECT.equals(head)) {
+ if (poll.isPrivate() && poll.permissions().get(user) == null) return unauthorized(ex);
+ postSelection(ex, poll, user);
+ }
+ }
+ var permitted = poll.owner().equals(user);
+ if (!permitted && !Set.of(Permission.OWNER, Permission.EDIT).contains(poll.permissions().get(user))) throw forbidden(Text.NOT_ALLOWED_TO_EDIT, Field.OBJECT,Text.POLL);
return switch (head){
case PERMISSIONS -> postPermission(ex, poll, user);
case OPTION -> postOption(ex, poll);
- case SELECT -> postSelection(ex, poll, user);
case null, default -> notFound(ex);
};
}
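Review bot: In the new `user == null` block the result of `postSelection(ex, poll, user)` is discarded and control falls through to the owner/edit check, where `poll.owner().equals(null)` is false and the permissions lookup yields null, so an anonymous SELECT on a public poll performs the write and then ends in `forbidden` (or the `Set.of(...).contains(null)` exception raised on `getPollEvaluation`) rather than the selection response; an anonymous request with any other `head` likewise reaches the edit check instead of `unauthorized(ex)`. Every path inside that block should return. One consequence of the new ordering to confirm: for logged-in callers SELECT now sits behind the edit-permission check, so a user holding only `READ_ONLY` on a public poll is forbidden from selecting while an anonymous visitor is allowed — if that is not intended, dispatch SELECT to `postSelection` before the check for all users.
```java
var head = path.pop();
var poll = pollDb.loadPoll(id);
if (user == null) {
    // anonymous callers may only select on polls they can see; everything else needs a session
    if (!SELECT.equals(head)) return unauthorized(ex);
    if (poll.isPrivate() && poll.permissions().get(user) == null) return unauthorized(ex);
    return postSelection(ex, poll, user);
}
// … unchanged: owner/edit permission check and the switch on head …
```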