(TP-77) feat: add validation sender is owner or admin

Author: Kattsyn

rentplace/src/main/java/kattsyn/dev/rentplace/controllers/PropertyController.java

@@ -18,6 +18,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@@ -43,17 +44,18 @@ public class PropertyController {
             @ApiResponse(responseCode = "413", description = "Превышен максимальный размер запроса"),
             @ApiResponse(responseCode = "500", description = "Внутренняя ошибка сервера")
     })
-    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')" )
+    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')")
     @SecurityRequirement(name = "JWT")
     public ResponseEntity<List<ImageDTO>> uploadMultipleImages(
             @PathVariable @Parameter(description = "id объявления", example = "10") long id,
             @Parameter(
                     description = "Массив файлов фотографий",
                     required = true,
                     content = @Content(mediaType = MediaType.MULTIPART_FORM_DATA_VALUE, schema = @Schema(type = "string", format = "binary"))
-            ) @RequestPart("files") MultipartFile[] files) {
-
+            ) @RequestPart("files") MultipartFile[] files,
+            Authentication authentication) {
 
+        propertyService.ownsPropertyOrAdmin(id, authentication.getName());
         List<ImageDTO> savedImages = propertyService.uploadImages(files, id);
 
         return ResponseEntity.ok(savedImages);
@@ -104,10 +106,11 @@ public ResponseEntity<PropertyDTO> findById(@Valid @PathVariable @Parameter(desc
             @ApiResponse(responseCode = "422", description = "Ошибка валидации", content = @Content),
             @ApiResponse(responseCode = "500", description = "Непредвиденная ошибка со стороны сервера", content = @Content)
     })
-    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')" )
+    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')")
     @SecurityRequirement(name = "JWT")
     @PostMapping(path = "/", consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
-    public ResponseEntity<PropertyDTO> createPropertyWithImage(@Valid @ModelAttribute PropertyCreateEditDTO propertyCreateEditDTO) {
+    public ResponseEntity<PropertyDTO> createPropertyWithImage(@Valid @ModelAttribute PropertyCreateEditDTO propertyCreateEditDTO, Authentication authentication) {
+        propertyService.allowedToCreatePropertyOrAdmin(propertyCreateEditDTO, authentication.getName());
         return new ResponseEntity<>(propertyService.createWithImages(propertyCreateEditDTO), HttpStatus.CREATED);
     }
 
@@ -122,11 +125,13 @@ public ResponseEntity<PropertyDTO> createPropertyWithImage(@Valid @ModelAttribut
             @ApiResponse(responseCode = "422", description = "Ошибка валидации", content = @Content),
             @ApiResponse(responseCode = "500", description = "Непредвиденная ошибка со стороны сервера", content = @Content)
     })
-    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')" )
+    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')")
     @SecurityRequirement(name = "JWT")
     @PatchMapping(path = "/{id}", consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
     public ResponseEntity<PropertyDTO> updateProperty(@Valid @PathVariable @Parameter(description = "id объявления", example = "1") long id,
-                                                      @Valid @ModelAttribute PropertyCreateEditDTO propertyCreateEditDTO) {
+                                                      @Valid @ModelAttribute PropertyCreateEditDTO propertyCreateEditDTO,
+                                                      Authentication authentication) {
+        propertyService.ownsPropertyOrAdmin(id, authentication.getName());
         return ResponseEntity.ok(propertyService.update(id, propertyCreateEditDTO));
     }
 
@@ -141,11 +146,13 @@ public ResponseEntity<PropertyDTO> updateProperty(@Valid @PathVariable @Paramete
             @ApiResponse(responseCode = "422", description = "Ошибка валидации", content = @Content),
             @ApiResponse(responseCode = "500", description = "Непредвиденная ошибка со стороны сервера", content = @Content)
     })
-    @PreAuthorize("hasAuthority('ROLE_ADMIN')" )
+    @PreAuthorize("hasAuthority('ROLE_ADMIN') or hasAuthority('ROLE_USER')")
     @SecurityRequirement(name = "JWT")
     @DeleteMapping("/{id}")
-    public ResponseEntity<Void> deleteProperty(@Valid @PathVariable @Parameter(description = "id объявления", example = "10") long id) {
-        propertyService.deleteById(id);
+    public ResponseEntity<Void> deleteProperty(@Valid @PathVariable @Parameter(description = "id объявления", example = "10") long id, Authentication authentication) {
+        if (propertyService.ownsPropertyOrAdmin(id, authentication.getName())) {
+            propertyService.deleteById(id);
+        }
         return ResponseEntity.noContent().build();
     }
 }

rentplace/src/main/java/kattsyn/dev/rentplace/services/PropertyService.java

@@ -10,6 +10,10 @@
 
 public interface PropertyService {
 
+    boolean ownsPropertyOrAdmin(long propertyId, String email);
+
+    boolean allowedToCreatePropertyOrAdmin(PropertyCreateEditDTO propertyCreateEditDTO, String email);
+
     List<PropertyDTO> findAll();
 
     PropertyDTO findById(long id);

rentplace/src/main/java/kattsyn/dev/rentplace/services/impl/PropertyServiceImpl.java

@@ -6,12 +6,17 @@
 import kattsyn.dev.rentplace.dtos.PropertyDTO;
 import kattsyn.dev.rentplace.entities.Image;
 import kattsyn.dev.rentplace.entities.Property;
+import kattsyn.dev.rentplace.entities.User;
 import kattsyn.dev.rentplace.enums.ImageType;
+import kattsyn.dev.rentplace.enums.Role;
+import kattsyn.dev.rentplace.exceptions.ForbiddenException;
+import kattsyn.dev.rentplace.exceptions.NotFoundException;
 import kattsyn.dev.rentplace.mappers.ImageMapper;
 import kattsyn.dev.rentplace.mappers.PropertyMapper;
 import kattsyn.dev.rentplace.repositories.PropertyRepository;
 import kattsyn.dev.rentplace.services.ImageService;
 import kattsyn.dev.rentplace.services.PropertyService;
+import kattsyn.dev.rentplace.services.UserService;
 import kattsyn.dev.rentplace.utils.PathResolver;
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
@@ -29,6 +34,29 @@ public class PropertyServiceImpl implements PropertyService {
     private final PropertyMapper propertyMapper;
     private final ImageService imageService;
     private final ImageMapper imageMapper;
+    private final UserService userService;
+
+    @Override
+    @Transactional
+    public boolean ownsPropertyOrAdmin(long propertyId, String email) {
+        User user = userService.getUserByEmail(email);
+        Property property = getPropertyById(propertyId);
+
+        if (user.getRole() == Role.ROLE_ADMIN || property.getOwner().getUserId() == user.getUserId()) {
+            return true;
+        }
+        throw new ForbiddenException(String.format("FORBIDDEN. You are not allowed to edit or delete property id: %s.", propertyId));
+    }
+
+    @Override
+    public boolean allowedToCreatePropertyOrAdmin(PropertyCreateEditDTO propertyCreateEditDTO, String email) {
+        User user = userService.getUserByEmail(email);
+
+        if (user.getRole() == Role.ROLE_ADMIN || user.getUserId() == propertyCreateEditDTO.getOwnerId()) {
+            return true;
+        }
+        throw new ForbiddenException(String.format("FORBIDDEN. You are not allowed to create property for user email: %s.", email));
+    }
 
     @Transactional
     @Override
@@ -40,7 +68,7 @@ public List<PropertyDTO> findAll() {
     @Transactional
     public Property getPropertyById(long id) {
         return propertyRepository.findById(id).orElseThrow(
-                () -> new IllegalArgumentException(String.format("Property not found with id: %d", id))
+                () -> new NotFoundException(String.format("Property not found with id: %d", id))
         );
     }