permissions on api routes

Jake Potrebic 2021-04-06 16:42:17 -07:00
parent 69442928d7
commit ed32fdace2
No known key found for this signature in database
GPG Key ID: 7C58557EC9C421F8
14 changed files with 35 additions and 19 deletions


@ -1,6 +1,7 @@
package io.papermc.hangar.controller.api.v1;
import io.papermc.hangar.controller.api.v1.interfaces.IApiKeysController;
import io.papermc.hangar.model.common.NamedPermission;
import io.papermc.hangar.model.internal.api.requests.CreateAPIKeyForm;
import io.papermc.hangar.security.annotations.permission.PermissionRequired;
import org.springframework.http.HttpStatus;
@ -9,12 +10,12 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
@Controller
@PermissionRequired(NamedPermission.EDIT_API_KEYS)
public class ApiKeysController implements IApiKeysController {
@Override
@ResponseBody
@ResponseStatus(HttpStatus.CREATED)
@PermissionRequired()
public String createKey(CreateAPIKeyForm apiKeyForm) {
// TODO implement
System.out.println(apiKeyForm);
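Review bot: `createKey` still writes the submitted form to standard output with `System.out.println(apiKeyForm);`. Drop that line or replace it with a debug-level call on the project's logger, because request contents for a key-management route should not end up in unstructured console output. The rendered page has lost its +/- markers, so it is not visible whether the empty `@PermissionRequired()` on the method is the removed or the added line. If it remains next to the class-level `@PermissionRequired(NamedPermission.EDIT_API_KEYS)`, remove it so the route has a single, unambiguous check. The method body continues outside the hunk.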


@ -8,6 +8,7 @@ import io.papermc.hangar.model.api.permissions.UserPermissions;
import io.papermc.hangar.model.common.NamedPermission;
import io.papermc.hangar.model.common.Permission;
import io.papermc.hangar.model.common.PermissionType;
import io.papermc.hangar.security.annotations.Anyone;
import io.papermc.hangar.service.PermissionService;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
@ -19,6 +20,7 @@ import org.springframework.stereotype.Controller;
import java.util.List;
import java.util.function.BiPredicate;
@Anyone
@Controller
public class PermissionsController extends HangarController implements IPermissionsController {
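Review bot: The class-level `@Anyone` here, together with what appears to be the removal of `@Secured("ROLE_USER")` from `IPermissionsController` further down the page, opens the permissions endpoints to unauthenticated callers. The handlers are outside the hunk, so it is not visible how they behave when no user is present. Confirm that an anonymous request yields an empty or default permission set rather than an error or a fallback to some other identity. A short comment above the class would record the intent, for example `// Public on purpose: callers without a session get their default permission set`.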


@ -14,6 +14,10 @@ import io.papermc.hangar.model.api.project.Project;
import io.papermc.hangar.model.api.project.ProjectMember;
import io.papermc.hangar.model.api.project.ProjectSortingStrategy;
import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.model.common.NamedPermission;
import io.papermc.hangar.model.common.PermissionType;
import io.papermc.hangar.security.annotations.Anyone;
import io.papermc.hangar.security.annotations.permission.PermissionRequired;
import io.papermc.hangar.security.annotations.visibility.VisibilityRequired;
import io.papermc.hangar.security.annotations.visibility.VisibilityRequired.Type;
import io.papermc.hangar.service.api.ProjectsApiService;
@ -25,6 +29,7 @@ import org.springframework.stereotype.Controller;
import java.time.OffsetDateTime;
import java.util.Map;
@Anyone
@Controller
public class ProjectsController extends HangarController implements IProjectsController {
@ -54,16 +59,19 @@ public class ProjectsController extends HangarController implements IProjectsCon
}
@Override
@PermissionRequired(type = PermissionType.PROJECT, perms = NamedPermission.IS_SUBJECT_MEMBER, args = "{#author, #slug}")
public ResponseEntity<Map<String, DayProjectStats>> getProjectStats(String author, String slug, @NotNull OffsetDateTime fromDate, @NotNull OffsetDateTime toDate) {
return ResponseEntity.ok(projectsApiService.getProjectStats(author, slug, fromDate, toDate));
}
@Override
@VisibilityRequired(type = Type.PROJECT, args = "{#author, #slug}")
public ResponseEntity<PaginatedResult<User>> getProjectStargazers(String author, String slug, @NotNull RequestPagination pagination) {
return ResponseEntity.ok(projectsApiService.getProjectStargazers(author, slug, pagination));
}
@Override
@VisibilityRequired(type = Type.PROJECT, args = "{#author, #slug}")
public ResponseEntity<PaginatedResult<User>> getProjectWatchers(String author, String slug, @NotNull RequestPagination pagination) {
return ResponseEntity.ok(projectsApiService.getProjectWatchers(author, slug, pagination));
}
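Review bot: With `@Anyone` as the class default, every handler in `ProjectsController` without its own annotation is public, and only `getProjectStats`, `getProjectStargazers` and `getProjectWatchers` carry an explicit check in the visible hunk. The handlers above the hunk are not shown, so it cannot be confirmed from here that the other routes taking `author` and `slug` are visibility-checked. Each of them should carry `@VisibilityRequired(type = Type.PROJECT, args = "{#author, #slug}")` unless `projectsApiService` filters hidden projects itself. A test that an anonymous request for project stats is rejected would also pin down that the method-level `@PermissionRequired` is still enforced under the class-level `@Anyone`.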


@ -9,12 +9,14 @@ import io.papermc.hangar.model.api.User;
import io.papermc.hangar.model.api.project.ProjectCompact;
import io.papermc.hangar.model.api.project.ProjectSortingStrategy;
import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.security.annotations.Anyone;
import io.papermc.hangar.service.api.UsersApiService;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
@Anyone
@Controller
public class UsersController extends HangarController implements IUsersController {


@ -9,7 +9,13 @@ import io.papermc.hangar.model.api.PaginatedResult;
import io.papermc.hangar.model.api.project.version.Version;
import io.papermc.hangar.model.api.project.version.VersionStats;
import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.model.common.NamedPermission;
import io.papermc.hangar.model.common.PermissionType;
import io.papermc.hangar.model.common.Platform;
import io.papermc.hangar.security.annotations.Anyone;
import io.papermc.hangar.security.annotations.permission.PermissionRequired;
import io.papermc.hangar.security.annotations.visibility.VisibilityRequired;
import io.papermc.hangar.security.annotations.visibility.VisibilityRequired.Type;
import io.papermc.hangar.service.api.VersionsApiService;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;
@ -20,6 +26,7 @@ import java.time.OffsetDateTime;
import java.util.List;
import java.util.Map;
@Anyone
@Controller
public class VersionsController implements IVersionsController {
@ -31,22 +38,26 @@ public class VersionsController implements IVersionsController {
}
@Override
@VisibilityRequired(type = Type.VERSION, args = "{#author, #slug, #versionString, #platform}")
public ResponseEntity<Version> getVersion(String author, String slug, String versionString, Platform platform) {
return ResponseEntity.ok(versionsApiService.getVersion(author, slug, versionString, platform));
}
@Override
@VisibilityRequired(type = Type.PROJECT, args = "{#author, #slug}")
public ResponseEntity<List<Version>> getVersions(String author, String slug, String name) {
return ResponseEntity.ok(versionsApiService.getVersions(author, slug, name));
}
@Override
@VisibilityRequired(type = Type.PROJECT, args = "{#author, #slug}")
@ApplicableFilters({VersionChannelFilter.class, VersionPlatformFilter.class, VersionTagFilter.class})
public ResponseEntity<PaginatedResult<Version>> getVersions(String author, String slug, @NotNull RequestPagination pagination) {
return ResponseEntity.ok(versionsApiService.getVersions(author, slug, pagination));
}
@Override
@PermissionRequired(type = PermissionType.PROJECT, perms = NamedPermission.IS_SUBJECT_MEMBER, args = "{#author, #slug}")
public ResponseEntity<Map<String, VersionStats>> getVersionStats(String author, String slug, String versionString, Platform platform, @NotNull OffsetDateTime fromDate, @NotNull OffsetDateTime toDate) {
return ResponseEntity.ok(versionsApiService.getVersionStats(author, slug, versionString, platform, fromDate, toDate));
}
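Review bot: Both `getVersions` overloads are guarded with `Type.PROJECT` only, while `getVersion` uses `Type.VERSION`. A version whose own visibility is restricted could therefore still appear in the lists of a visible project, unless `versionsApiService.getVersions` filters per version. That filtering is not visible in this hunk. If it exists, document it on the handlers with a comment such as `// per-version visibility is applied in VersionsApiService`; if it does not, the list queries need the same per-version check that `getVersion` gets. The same question applies to `getVersionStats`, which checks project membership but not the visibility of the requested version.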


@ -11,7 +11,6 @@ import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.Authorization;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.annotation.Secured;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
@ -22,7 +21,6 @@ import java.util.List;
@Api(tags = "Permissions", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/api/v1", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
@Secured("ROLE_USER")
public interface IPermissionsController {
@ApiOperation(


@ -7,7 +7,6 @@ import io.papermc.hangar.model.api.project.Project;
import io.papermc.hangar.model.api.project.ProjectMember;
import io.papermc.hangar.model.api.project.ProjectSortingStrategy;
import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.security.annotations.Anyone;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
@ -26,7 +25,6 @@ import org.springframework.web.bind.annotation.RequestParam;
import java.time.OffsetDateTime;
import java.util.Map;
@Anyone
@Api(tags = "Projects", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path ="/api/v1", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
public interface IProjectsController {


@ -5,7 +5,6 @@ import io.papermc.hangar.model.api.User;
import io.papermc.hangar.model.api.project.ProjectCompact;
import io.papermc.hangar.model.api.project.ProjectSortingStrategy;
import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.security.annotations.Anyone;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
@ -21,7 +20,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
@Anyone
@Api(tags = "Users", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/api/v1", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
public interface IUsersController {


@ -7,7 +7,6 @@ import io.papermc.hangar.model.api.requests.RequestPagination;
import io.papermc.hangar.model.common.NamedPermission;
import io.papermc.hangar.model.common.PermissionType;
import io.papermc.hangar.model.common.Platform;
import io.papermc.hangar.security.annotations.Anyone;
import io.papermc.hangar.security.annotations.permission.PermissionRequired;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
@ -27,7 +26,6 @@ import java.time.OffsetDateTime;
import java.util.List;
import java.util.Map;
@Anyone
@Api(tags = "Versions", produces = MediaType.APPLICATION_JSON_VALUE)
@RequestMapping(path = "/api/v1", produces = MediaType.APPLICATION_JSON_VALUE)
public interface IVersionsController {


@ -68,7 +68,7 @@ public class ChannelController extends HangarController {
@Unlocked
@ResponseStatus(HttpStatus.OK)
@PermissionRequired(type = PermissionType.PROJECT,perms = NamedPermission.EDIT_TAGS, args = "{#projectId}")
@PermissionRequired(type = PermissionType.PROJECT, perms = NamedPermission.EDIT_TAGS, args = "{#projectId}")
@PostMapping("/{projectId}/delete/{channelId}")
public void deleteChannel(@PathVariable long projectId, @PathVariable long channelId) {
channelService.deleteProjectChannel(projectId, channelId);


@ -79,7 +79,7 @@ public class HangarUserController extends HangarController {
@Unlocked
@CurrentUser("#userName")
@ResponseStatus(HttpStatus.OK)
@PermissionRequired(perms = NamedPermission.EDIT_OWN_USER_SETTINGS)
@PermissionRequired(NamedPermission.EDIT_OWN_USER_SETTINGS)
@PostMapping(path = "/users/{userName}/settings/tagline", consumes = MediaType.APPLICATION_JSON_VALUE)
public void saveTagline(@PathVariable String userName, @Valid @RequestBody StringContent content) {
UserTable userTable = userService.getUserTable(userName);
@ -97,7 +97,7 @@ public class HangarUserController extends HangarController {
@Unlocked
@ResponseStatus(HttpStatus.OK)
@PermissionRequired(perms = NamedPermission.EDIT_OWN_USER_SETTINGS)
@PermissionRequired(NamedPermission.EDIT_OWN_USER_SETTINGS)
@PostMapping("/users/{userName}/settings/resetTagline")
public void resetTagline(@PathVariable String userName) {
UserTable userTable = userService.getUserTable(userName);
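Review bot: `resetTagline` takes `userName` from the path and loads that user's table, but the visible annotations in the second hunk do not include the `@CurrentUser("#userName")` that `saveTagline` carries in the first hunk. `@PermissionRequired(NamedPermission.EDIT_OWN_USER_SETTINGS)` on its own does not appear to tie the caller to the `{userName}` in the URL, so one account may be able to reset another account's tagline. Unless the annotation sits above `@Unlocked` outside the hunk, add `@CurrentUser("#userName")` to `resetTagline` to match `saveTagline`. Both method bodies continue outside their hunks.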


@ -27,7 +27,7 @@ import java.util.List;
@Controller
@Secured("ROLE_USER")
@RequestMapping(path = "/api/internal/reviews")
@PermissionRequired(perms = NamedPermission.REVIEWER)
@PermissionRequired(NamedPermission.REVIEWER)
public class ReviewController {
private final ReviewService reviewService;


@ -40,21 +40,21 @@ public class FlagController extends HangarController {
@ResponseStatus(HttpStatus.NO_CONTENT)
@PostMapping("/{id}/resolve/{resolve}")
@PermissionRequired(perms = NamedPermission.MOD_NOTES_AND_FLAGS)
@PermissionRequired(NamedPermission.MOD_NOTES_AND_FLAGS)
public void resolve(@PathVariable long id, @PathVariable boolean resolve) {
flagService.markAsResolved(id, resolve);
}
@ResponseBody
@GetMapping(path = "/{projectId}", produces = MediaType.APPLICATION_JSON_VALUE)
@PermissionRequired(perms = NamedPermission.MOD_NOTES_AND_FLAGS)
@PermissionRequired(NamedPermission.MOD_NOTES_AND_FLAGS)
public List<HangarProjectFlag> getFlags(@PathVariable long projectId) {
return flagService.getFlags(projectId);
}
@ResponseBody
@GetMapping(path = "/", produces = MediaType.APPLICATION_JSON_VALUE)
@PermissionRequired(perms = NamedPermission.MOD_NOTES_AND_FLAGS)
@PermissionRequired(NamedPermission.MOD_NOTES_AND_FLAGS)
public List<HangarProjectFlag> getFlags() {
return flagService.getFlags();
}


@ -43,7 +43,7 @@ public class ProjectAdminController extends HangarController {
this.projectVisibilityService = projectVisibilityService;
}
@PermissionRequired(perms = NamedPermission.MOD_NOTES_AND_FLAGS)
@PermissionRequired(NamedPermission.MOD_NOTES_AND_FLAGS)
@GetMapping(path = "/notes/{projectId}", produces = MediaType.APPLICATION_JSON_VALUE)
public ResponseEntity<List<HangarProjectNote>> getProjectNotes(@PathVariable long projectId) {
return ResponseEntity.ok(projectNoteService.getNotes(projectId));
@ -51,7 +51,7 @@ public class ProjectAdminController extends HangarController {
@Unlocked
@ResponseStatus(HttpStatus.CREATED)
@PermissionRequired(perms = NamedPermission.MOD_NOTES_AND_FLAGS)
@PermissionRequired(NamedPermission.MOD_NOTES_AND_FLAGS)
@PostMapping(path = "/notes/{projectId}", consumes = MediaType.APPLICATION_JSON_VALUE)
public void addProjectNote(@PathVariable long projectId, @RequestBody @Valid StringContent content) {
projectNoteService.addNote(projectId, content.getContent());
@ -59,7 +59,7 @@ public class ProjectAdminController extends HangarController {
@Unlocked
@ResponseStatus(HttpStatus.OK)
@PermissionRequired(perms = NamedPermission.REVIEWER)
@PermissionRequired(NamedPermission.REVIEWER)
@PostMapping(path = "/visibility/{projectId}", consumes = MediaType.APPLICATION_JSON_VALUE)
public void changeProjectVisibility(@PathVariable long projectId, @Valid @RequestBody VisibilityChangeForm visibilityChangeForm) {
projectVisibilityService.changeVisibility(projectId, visibilityChangeForm.getVisibility(), visibilityChangeForm.getComment());