SRSoftware/Umbrella
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases Wiki Activity

implemented security measures for account management

Browse Source 
Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
This commit is contained in:
Stephan Richter
2026-05-06 08:37:24 +02:00
parent 20f47055f6
commit fe18cb8dc2
3 changed files with 33 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountDb.java
+4
View File
@@ -3,6 +3,8 @@ package de.srsoftware.umbrella.accounting;
import de.srsoftware.umbrella.core.model.Account; import de.srsoftware.umbrella.core.model.Account;
import de.srsoftware.umbrella.core.model.Transaction; import de.srsoftware.umbrella.core.model.Transaction;
import de.srsoftware.umbrella.core.model.UmbrellaUser;
import java.util.Collection; import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Optional; import java.util.Optional;
@@ -13,6 +15,8 @@ public interface AccountDb {
void dropTransactionTag(long transactionId, String tag); void dropTransactionTag(long transactionId, String tag);
Collection<UmbrellaUser> getMembers(long accountId);
Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount); Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount);
Collection<Account> listAccounts(long userId); Collection<Account> listAccounts(long userId);
accounting/src/main/java/de/srsoftware/umbrella/accounting/AccountingModule.java
+5 -6
View File
@@ -7,8 +7,7 @@ import static de.srsoftware.umbrella.core.ConnectionProvider.connect;
import static de.srsoftware.umbrella.core.ModuleRegistry.tagService; import static de.srsoftware.umbrella.core.ModuleRegistry.tagService;
import static de.srsoftware.umbrella.core.ModuleRegistry.userService; import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
import static de.srsoftware.umbrella.core.constants.Path.*; import static de.srsoftware.umbrella.core.constants.Path.*;
import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.invalidField; import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.missingField;
import static de.srsoftware.umbrella.messagebus.MessageBus.messageBus; import static de.srsoftware.umbrella.messagebus.MessageBus.messageBus;
import static de.srsoftware.umbrella.messagebus.events.Event.EventType.CREATE; import static de.srsoftware.umbrella.messagebus.events.Event.EventType.CREATE;
import static java.lang.System.Logger.Level.WARNING; import static java.lang.System.Logger.Level.WARNING;
@@ -55,6 +54,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
case TRANSACTION -> { case TRANSACTION -> {
try { try {
var transaction = accountDb.loadTransaction(Long.parseLong(path.pop())); var transaction = accountDb.loadTransaction(Long.parseLong(path.pop()));
if (!accountDb.getMembers(transaction.accountId()).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
yield dropTransaction(transaction, user.get(), path, ex); yield dropTransaction(transaction, user.get(), path, ex);
} catch (NumberFormatException ignored) { } catch (NumberFormatException ignored) {
yield super.doDelete(path,ex); yield super.doDelete(path,ex);
@@ -128,6 +128,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
default -> { default -> {
try { try {
var accountId = Long.parseLong(head); var accountId = Long.parseLong(head);
if (!accountDb.getMembers(accountId).contains(user.get())) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
yield postToAccount(accountId,path,user.get(),ex); yield postToAccount(accountId,path,user.get(),ex);
} catch (NumberFormatException ignored) { } catch (NumberFormatException ignored) {
yield super.doPost(path,ex); yield super.doPost(path,ex);
@@ -156,7 +157,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
} }
private boolean dropTransactionTag(UmbrellaUser user, Transaction transaction, HttpExchange ex) throws IOException { private boolean dropTransactionTag(UmbrellaUser user, Transaction transaction, HttpExchange ex) throws IOException {
LOG.log(WARNING,"Missing permission check in AccountModule.dropTransactionTag!");
var json = json(ex); var json = json(ex);
if (!json.has(Field.TAG)) throw missingField(Field.TAG); if (!json.has(Field.TAG)) throw missingField(Field.TAG);
var tag = json.getString(Field.TAG); var tag = json.getString(Field.TAG);
@@ -186,7 +186,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
} }
private boolean getAccount(UmbrellaUser user, long accountId, HttpExchange ex) throws IOException { private boolean getAccount(UmbrellaUser user, long accountId, HttpExchange ex) throws IOException {
LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!"); if (!accountDb.getMembers(accountId).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
return sendContent(ex, loadAccount(accountId)); return sendContent(ex, loadAccount(accountId));
} }
@@ -225,7 +225,7 @@ public class AccountingModule extends BaseHandler implements AccountingService {
private boolean patchTransaction(UmbrellaUser user, long transactionId, HttpExchange ex) throws IOException { private boolean patchTransaction(UmbrellaUser user, long transactionId, HttpExchange ex) throws IOException {
var transaction = accountDb.loadTransaction(transactionId); var transaction = accountDb.loadTransaction(transactionId);
LOG.log(WARNING,"Missing permission check in patchTransaction(…)!"); if (!accountDb.getMembers(transaction.accountId()).contains(user)) throw forbidden("You are not allowed to access account {id}",Field.ID,accountId);
var oldData = transaction.toMap(); var oldData = transaction.toMap();
var json = json(ex); var json = json(ex);
if (json.has(Field.AMOUNT)) transaction.amount(json.getDouble(Field.AMOUNT)); if (json.has(Field.AMOUNT)) transaction.amount(json.getDouble(Field.AMOUNT));
@@ -337,7 +337,6 @@ public class AccountingModule extends BaseHandler implements AccountingService {
} }
private boolean postSearchTags(long accountId, UmbrellaUser user, HttpExchange ex) throws IOException { private boolean postSearchTags(long accountId, UmbrellaUser user, HttpExchange ex) throws IOException {
LOG.log(WARNING,"Missing authorization check in AccountingModule.getAccount(…)!");
var key = body(ex); var key = body(ex);
if (!key.trim().startsWith("{")) { // search tags that contain value of body if (!key.trim().startsWith("{")) { // search tags that contain value of body
var tags = accountDb.searchTagsContaining(key, accountId); var tags = accountDb.searchTagsContaining(key, accountId);
accounting/src/main/java/de/srsoftware/umbrella/accounting/SqliteDb.java
+24
View File
@@ -7,6 +7,7 @@ import static de.srsoftware.tools.jdbc.Condition.*;
import static de.srsoftware.tools.jdbc.Query.*; import static de.srsoftware.tools.jdbc.Query.*;
import static de.srsoftware.tools.jdbc.Query.SelectQuery.ALL; import static de.srsoftware.tools.jdbc.Query.SelectQuery.ALL;
import static de.srsoftware.umbrella.accounting.Constants.*; import static de.srsoftware.umbrella.accounting.Constants.*;
import static de.srsoftware.umbrella.core.ModuleRegistry.userService;
import static de.srsoftware.umbrella.core.constants.Field.*; import static de.srsoftware.umbrella.core.constants.Field.*;
import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*; import static de.srsoftware.umbrella.core.exceptions.UmbrellaException.*;
import static de.srsoftware.umbrella.core.model.Translatable.t; import static de.srsoftware.umbrella.core.model.Translatable.t;
@@ -19,6 +20,8 @@ import de.srsoftware.umbrella.core.constants.Field;
import de.srsoftware.umbrella.core.constants.Text; import de.srsoftware.umbrella.core.constants.Text;
import de.srsoftware.umbrella.core.model.Account; import de.srsoftware.umbrella.core.model.Account;
import de.srsoftware.umbrella.core.model.Transaction; import de.srsoftware.umbrella.core.model.Transaction;
import de.srsoftware.umbrella.core.model.UmbrellaUser;
import java.sql.Connection; import java.sql.Connection;
import java.sql.SQLException; import java.sql.SQLException;
import java.time.ZoneOffset; import java.time.ZoneOffset;
@@ -146,6 +149,27 @@ public class SqliteDb extends BaseDb implements AccountDb {
} }
} }
@Override
public Collection<UmbrellaUser> getMembers(long accountId) {
try {
var userIds = new HashSet<Long>();
var rs = select("DISTINCT "+ SOURCE).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
while (rs.next()) try {
userIds.add(Long.parseLong(rs.getString(1)));
} catch (NumberFormatException ignored) {}
rs.close();
rs = select("DISTINCT "+ DESTINATION).from(TABLE_TRANSACTIONS).where(ACCOUNT,equal(accountId)).exec(db);
while (rs.next()) try {
userIds.add(Long.parseLong(rs.getString(1)));
} catch (NumberFormatException ignored) {}
rs.close();
var us = userService();
return userIds.stream().map(us::loadUser).toList();
} catch (SQLException e) {
throw failedToLoadMembers(Text.ACCOUNT);
}
}
@Override @Override
public Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount) { public Optional<Transaction> lastTransaction(long accountId, String source, String dest, double amount) {
try { try {