From fe18cb8dc2f5a9f2140a2f3191bcfac00f782782 Mon Sep 17 00:00:00 2001
From: Stephan Richter
Date: Wed, 6 May 2026 08:37:24 +0200
Subject: [PATCH] implemented security measures for account management
Signed-off-by: Stephan Richter
---
 .../umbrella/accounting/AccountDb.java | 4 ++++
 .../umbrella/accounting/AccountingModule.java | 11 ++++-----
 .../umbrella/accounting/SqliteDb.java | 24 +++++++++++++++++++
 3 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java b/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java
index 88626ad1..e507416f 100644
--- a/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java
+++ b/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java
@@ -3,6 +3,8 @@ package de.srsoftware.umbrella.accounting;
 import de.srsoftware.umbrella.core.model.Account;
 import de.srsoftware.umbrella.core.model.Transaction;
+import de.srsoftware.umbrella.core.model.UmbrellaUser;
+
 import java.util.Collection;
 import java.util.List;
 import java.util.Optional;
@@ -13,6 +15,8 @@ public interface AccountDb {
 void dropTransactionTag(long transactionId, String tag);
+ Collection getMembers(long accountId);
+
 Optional lastTransaction(long accountId, String source, String dest, double amount);
 Collection listAccounts(long userId);
diff --git a/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java b/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java
index 80c20cd3..b92c2559 100644
--- a/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java
+++ b/accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java
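Review bot: `Collection getMembers(long accountId);` is added to AccountDb without Javadoc although it becomes the sole authorization predicate for account access in AccountingModule, so its contract needs stating: what makes a user a member, whether the result may be empty, and what an unknown accountId yields (empty collection or exception). As implemented in the SqliteDb hunk of this patch, membership appears to be derived from the source and destination of the account's transactions, which is not obvious from the name. A Javadoc such as `/** Users permitted to access the given account. Callers use this as the authorization check for every read and write on the account; an empty result means nobody is permitted. */` — adjusted to what the implementation actually guarantees — would make the call-site checks reviewable.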
@@ -7,8 +7,7 @@ import static de.srsoftware.umbrella.core.ConnectionProvider.connect;
 import static de.srsoftware.umbrella.core.ModuleRegistry.tagService;
 import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
 import static de.srsoftware.umbrella.core.constants.Path.*;
-import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.invalidField;
-import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.missingField;
+import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
 import static de.srsoftware.umbrella.messagebus.MessageBus.messageBus;
 import static de.srsoftware.umbrella.messagebus.events.Event.EventType.CREATE;
 import static java.lang.System.Logger.Level.WARNING;
@@ -55,6 +54,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 case TRANSACTION -> {
 try {
 var transaction = accountDb.loadTransaction(Long.parseLong(path.pop()));
+ if (!accountDb.getMembers(transaction.accountId()).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 yield dropTransaction(transaction, user.get(), path, ex);
 } catch (NumberFormatException ignored) {
 yield super.doDelete(path,ex);
@@ -128,6 +128,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 default -> {
 try {
 var accountId = Long.parseLong(head);
+ if (!accountDb.getMembers(accountId).contains(user.get())) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 yield postToAccount(accountId,path,user.get(),ex);
 } catch (NumberFormatException ignored) {
 yield super.doPost(path,ex);
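Review bot: The added check in doDelete's TRANSACTION case passes `user` to `contains`, yet the very next line calls `user.get()`, so `user` appears to be an Optional there and `contains(user)` can never match an UmbrellaUser element — every transaction delete would be refused; the parallel check in the doPost hunk below correctly uses `user.get()`. The same added line references `accountId`, which is not declared anywhere visible in this case (only `transaction` is), and unless a field of that name exists outside the hunk this will not compile; the patchTransaction hunk further down has the same out-of-scope `accountId`. Suggested line: `if (!accountDb.getMembers(transaction.accountId()).contains(user.get())) throw forbidden("You are not allowed to access account {id}",Field.ID,transaction.accountId());`. Since the identical membership check now appears in four methods, a private helper such as `requireMember(long accountId, UmbrellaUser user)` that throws `forbidden(...)` would keep message and field consistent and make the check hard to get wrong. The enclosing doDelete and doPost methods start and end outside their hunks.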
@@ -156,7 +157,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 }
 private boolean dropTransactionTag(UmbrellaUser user, Transaction transaction, HttpExchange ex) throws IOException {
- LOG.log(WARNING,"Missing permission check in AccountModule.dropTransactionTag!");
 var json = json(ex);
 if (!json.has(Field.TAG)) throw missingField(Field.TAG);
 var tag = json.getString(Field.TAG);
@@ -186,7 +186,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 }
 private boolean getAccount(UmbrellaUser user, long accountId, HttpExchange ex) throws IOException {
- LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!");
+ if (!accountDb.getMembers(accountId).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 return sendContent(ex, loadAccount(accountId));
 }
@@ -225,7 +225,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 private boolean patchTransaction(UmbrellaUser user, long transactionId, HttpExchange ex) throws IOException {
 var transaction = accountDb.loadTransaction(transactionId);
- LOG.log(WARNING,"Missing permission check in patchTransaction(…)!");
+ if (!accountDb.getMembers(transaction.accountId()).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
 var oldData = transaction.toMap();
 var json = json(ex);
 if (json.has(Field.AMOUNT)) transaction.amount(json.getDouble(Field.AMOUNT));
@@ -337,7 +337,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
 }
 private boolean postSearchTags(long accountId, UmbrellaUser user, HttpExchange ex) throws IOException {
- LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!");
 var key = body(ex);
 if (!key.trim().startsWith("{")) { // search tags that contain value of body
 var tags = accountDb.searchTagsContaining(key, accountId);
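Review bot: dropTransactionTag removes the "Missing permission check" warning without adding a check in its place, and postSearchTags (the -337 hunk) does the same; that is only safe if every caller has already verified membership, which the doDelete and doPost hunks appear to do before dispatching, but nothing in either method records that assumption. Add a comment at the top of each, e.g. `// authorization: callers verify via accountDb.getMembers(...) that user is a member of the account before dispatching here`, or move the check into the method itself so correctness does not depend on call-site discipline. Both enclosing methods continue past their hunks.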
diff --git a/accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java b/accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java
index b9e62b58..c499a004 100644
--- a/accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java
+++ b/accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java
@@ -7,6 +7,7 @@ import static de.srsoftware.tools.jdbc.Condition.*;
 import static de.srsoftware.tools.jdbc.Query.*;
 import static de.srsoftware.tools.jdbc.Query.SelectQuery.ALL;
 import static de.srsoftware.umbrella.accounting.Constants.*;
+import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
 import static de.srsoftware.umbrella.core.constants.Field.*;
 import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
 import static de.srsoftware.umbrella.core.model.Translatable.t;
@@ -19,6 +20,8 @@ import de.srsoftware.umbrella.core.constants.Field;
 import de.srsoftware.umbrella.core.constants.Text;
 import de.srsoftware.umbrella.core.model.Account;
 import de.srsoftware.umbrella.core.model.Transaction;
+import de.srsoftware.umbrella.core.model.UmbrellaUser;
+
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.time.ZoneOffset;
@@ -146,6 +149,27 @@ public class SqliteDb extends BaseDb implements AccountDb {
 }
 }
+ @Override
+ public Collection getMembers(long accountId) {
+ try {
+ var userIds = new HashSet();
+ var rs = select("DISTINCT "+ SOURCE).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
+ while (rs.next()) try {
+ userIds.add(Long.parseLong(rs.getString(1)));
+ } catch (NumberFormatException ignored) {}
+ rs.close();
+ rs = select("DISTINCT "+ DESTINATION).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
+ while (rs.next()) try {
+ userIds.add(Long.parseLong(rs.getString(1)));
+ } catch (NumberFormatException ignored) {}
+ rs.close();
+ var us = userService();
+ return userIds.stream().map(us::loadUser).toList();
+ } catch (SQLException e) {
+ throw failedToLoadMembers(Text.ACCOUNT);
+ }
+ }
+ @Override + public Optional lastTransaction(long accountId, String source, String dest, double amount) { try {
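Review bot: getMembers derives membership solely from the SOURCE and DESTINATION columns of TABLE_TRANSACTIONS, so an account that has no transactions yet has no members at all (the new checks in AccountingModule would then refuse even its owner), and if those columns can hold the counterpart of a transaction rather than only the account's owners, every counterpart is granted full read and modify access to the account; whether that is the intended policy cannot be judged from this hunk and should be confirmed against the schema and stated in a Javadoc on the method. Independently, both ResultSets are closed only on the success path — an SQLException from next() or getString() after exec() leaves the cursor open — so each query belongs in a try-with-resources, assuming exec(db) returns a java.sql.ResultSet as the next()/getString()/close() calls suggest. The catch also discards `e`; if failedToLoadMembers accepts a cause, pass it so the underlying SQL error is not lost. The rewrite below closes the cursors deterministically and folds the duplicated loop into a helper (java.sql.ResultSet and java.util.Set need to be in scope).
```java
@Override
public Collection<UmbrellaUser> getMembers(long accountId) {
    var userIds = new HashSet<Long>();
    try {
        // users appearing as SOURCE of a transaction on this account
        try (var rs = select("DISTINCT "+ SOURCE).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db)) {
            addUserIds(rs, userIds);
        }
        // users appearing as DESTINATION of a transaction on this account
        try (var rs = select("DISTINCT "+ DESTINATION).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db)) {
            addUserIds(rs, userIds);
        }
    } catch (SQLException e) {
        throw failedToLoadMembers(Text.ACCOUNT);
    }
    var us = userService();
    return userIds.stream().map(us::loadUser).toList();
}

/** Adds every numeric value in column 1 of {@code rs} to {@code userIds}; non-numeric values are skipped. */
private static void addUserIds(ResultSet rs, Set<Long> userIds) throws SQLException {
    while (rs.next()) {
        try {
            userIds.add(Long.parseLong(rs.getString(1)));
        } catch (NumberFormatException ignored) {
            // value is not a user id
        }
    }
}
```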