Commit 282b653c authored by Piotr Gawron's avatar Piotr Gawron

updateUser moved to controller

parent 29b2c96f
......@@ -6,6 +6,7 @@ import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.TreeMap;
import java.util.stream.Collectors;
......@@ -16,8 +17,10 @@ import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.MediaType;
import org.springframework.http.converter.json.MappingJacksonValue;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.DeleteMapping;
......@@ -38,6 +41,7 @@ import lcsb.mapviewer.api.OperationNotAllowedException;
import lcsb.mapviewer.common.Configuration;
import lcsb.mapviewer.common.exception.InvalidStateException;
import lcsb.mapviewer.model.security.Privilege;
import lcsb.mapviewer.model.security.PrivilegeType;
import lcsb.mapviewer.model.user.ConfigurationElementType;
import lcsb.mapviewer.model.user.User;
import lcsb.mapviewer.modelutils.serializer.CustomExceptFilter;
......@@ -141,15 +145,63 @@ public class UserController extends BaseController {
return result;
}
static class UpdateUserDTO {
public String name;
public String surname;
public String password;
public Boolean connectedToLdap;
public Boolean termsOfUseConsent;
public String email;
}
static class UpdateUserData {
public UpdateUserDTO user;
}
@PreAuthorize("hasAuthority('IS_ADMIN') or #login == authentication.name")
@PatchMapping(value = "/users/{login:.+}")
public MappingJacksonValue updateUser(
@RequestBody String body,
@RequestBody UpdateUserData body,
@PathVariable(value = "login") String login,
Authentication authentication) throws QueryException, IOException {
Map<String, Object> node = parseBody(body);
Map<String, Object> data = getData(node, "user");
return createResponseWithColumns("", userRest.updateUser(login, data, authentication.getAuthorities()));
UpdateUserDTO userData = body.user;
boolean isAdmin = authentication.getAuthorities().contains(new SimpleGrantedAuthority(PrivilegeType.IS_ADMIN.toString()));
if (userData == null) {
throw new QueryException("user field cannot be undefined");
}
User user = userService.getUserByLogin(login);
if (user == null) {
throw new ObjectNotFoundException("user doesn't exist");
}
if (userData.name != null) {
user.setName(userData.name);
}
if (userData.surname != null) {
user.setSurname(userData.surname);
}
if (userData.email != null) {
user.setEmail(userData.email);
}
if (userData.termsOfUseConsent != null) {
user.setTermsOfUseConsent(userData.termsOfUseConsent);
}
if (userData.connectedToLdap != null) {
if (isAdmin) {
user.setConnectedToLdap(userData.connectedToLdap);
} else if (!Objects.equals(user.isConnectedToLdap(), userData.connectedToLdap)) {
throw new AccessDeniedException("connectedtoldap can be updated by admin");
}
}
if (userData.password != null) {
if (userData.password != null && !userData.password.trim().isEmpty()) {
user.setCryptedPassword(passwordEncoder.encode(userData.password));
}
}
userService.updateUser(user);
return getUser(login, "");
}
@PreAuthorize("hasAuthority('IS_ADMIN')")
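Review bot: The removed UserRestImpl.updateUser rejected an unknown key and a `login` key that differed from the path variable with QueryException, and the new DTO-bound method at L49-L92 has no replacement for either check, so whether such bodies now fail or are silently ignored depends on the ObjectMapper's FAIL_ON_UNKNOWN_PROPERTIES setting, which this diff does not show. Since the same endpoint guards an admin-only flag (L78-L84), silently dropping a field is the riskier default; consider `@JsonIgnoreProperties(ignoreUnknown = false)` on UpdateUserDTO at L36, or a `public String login;` field in the DTO checked with `if (userData.login != null && !userData.login.equals(login)) { throw new QueryException("login cannot be modified"); }` before the setters. The password branch at L85-L86 also appears to test `userData.password != null` twice; the inner condition alone suffices, though the rendering may be duplicating a changed line, so confirm against the file. The DTO's public mutable fields would read better as a record or as private fields with accessors, but that is style only.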
......
......@@ -245,54 +245,6 @@ public class UserRestImpl extends BaseRestImpl {
}
}
public UserDTO updateUser(String login, Map<String, Object> userData,
Collection<? extends GrantedAuthority> authorities)
throws QueryException {
boolean isAdmin = authorities.contains(new SimpleGrantedAuthority(PrivilegeType.IS_ADMIN.toString()));
if (userData == null) {
throw new QueryException("user field cannot be undefined");
}
User user = getUserService().getUserByLogin(login);
if (user == null) {
throw new ObjectNotFoundException("user doesn't exist");
}
for (String key : userData.keySet()) {
Object value = userData.get(key);
String stringValue = null;
if (value instanceof String) {
stringValue = (String) value;
}
if (key.equalsIgnoreCase("name")) {
user.setName(stringValue);
} else if (key.equalsIgnoreCase("surname")) {
user.setSurname(stringValue);
} else if (key.equalsIgnoreCase("email")) {
user.setEmail(stringValue);
} else if (key.equalsIgnoreCase("termsofuseconsent")) {
user.setTermsOfUseConsent((Boolean) value);
} else if (key.equalsIgnoreCase("connectedtoldap")) {
if (isAdmin) {
user.setConnectedToLdap((Boolean) value);
} else if (!Objects.equals(user.isConnectedToLdap(), value)) {
throw new AccessDeniedException("connectedtoldap can be updated by admin");
}
} else if (key.equalsIgnoreCase("password")) {
if (stringValue != null && !stringValue.trim().isEmpty()) {
user.setCryptedPassword(passwordEncoder.encode(stringValue));
}
} else if (key.equalsIgnoreCase("login")) {
if (!user.getLogin().equals((String) value)) {
throw new QueryException("login cannot be modified");
}
} else {
throw new QueryException("Unknown parameter: " + key);
}
}
getUserService().updateUser(user);
return getUser(login, "");
}
public UserDTO addUser(String login, MultiValueMap<String, Object> userData) throws QueryException {
User user = getUserService().getUserByLogin(login);
if (user != null) {
......
......@@ -552,6 +552,7 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
String body = "{\"user\":{\"password\":\"" + newPassword + "\"}}";
RequestBuilder grantRequest = patch("/api/users/{login}", TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_JSON)
.content(body)
.session(session);
......@@ -570,9 +571,10 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
public void userCannotUpdateOwnLdapConnection() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = "{\"user\":{\"connectedtoldap\":" + (!user.isConnectedToLdap()) + "}}";
String body = "{\"user\":{\"connectedToLdap\":" + (!user.isConnectedToLdap()) + "}}";
RequestBuilder grantRequest = patch("/api/users/" + TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_JSON)
.content(body)
.session(session);
......@@ -584,10 +586,10 @@ public class UserControllerIntegrationTest extends ControllerIntegrationTest {
public void userCannotUpdateOwnLdapConnectionButNoChangeShouldPass() throws Exception {
MockHttpSession session = createSession(TEST_USER_LOGIN, TEST_USER_PASSWORD);
String body = "{\"user\":{\"connectedtoldap\":" + user.isConnectedToLdap() + "}}";
String body = "{\"user\":{\"connectedToLdap\":" + user.isConnectedToLdap() + "}}";
RequestBuilder grantRequest = patch("/api/users/" + TEST_USER_LOGIN)
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.contentType(MediaType.APPLICATION_JSON)
.content(body)
.session(session);
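Review bot: The renamed keys at L158 and L167 show the endpoint is now case-sensitive on JSON property names, but no test pins what happens to the old lower-case spelling `connectedtoldap` that the removed UserRestImpl.updateUser accepted via equalsIgnoreCase; whether such a body is rejected or silently ignored depends on the ObjectMapper's unknown-property setting, which this diff does not show. For a flag that only an admin may change, a silent no-op is worth a regression test: send `{"user":{"connectedtoldap":true}}` as the non-admin user and assert either a 4xx status or that `user.isConnectedToLdap()` is unchanged afterwards. The enclosing test methods continue past the end of each hunk.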
......