diff options
-rw-r--r-- | docs/API_v1.0.md | 2 | ||||
-rw-r--r-- | lib/Controller/CommentApiController.php | 22 | ||||
-rw-r--r-- | lib/Controller/CommentController.php | 2 | ||||
-rw-r--r-- | lib/Exceptions/NotAuthorizedException.php (renamed from lib/Exception/NotAuthorizedException.php) | 8 | ||||
-rw-r--r-- | lib/Model/Acl.php | 16 | ||||
-rw-r--r-- | lib/Service/CommentService.php | 76 |
6 files changed, 72 insertions, 54 deletions
diff --git a/docs/API_v1.0.md b/docs/API_v1.0.md index 193c810e..ccdbc502 100644 --- a/docs/API_v1.0.md +++ b/docs/API_v1.0.md @@ -34,7 +34,7 @@ This will return all comments from poll no. 2 ] ``` -This returns all comments from tzhe poll wich can be called with the token "X3jXHb8WHLMb9MRg" +This returns all comments from the poll which can be called with the token "X3jXHb8WHLMb9MRg" # Comments diff --git a/lib/Controller/CommentApiController.php b/lib/Controller/CommentApiController.php index 31d4d8bc..83cbb16e 100644 --- a/lib/Controller/CommentApiController.php +++ b/lib/Controller/CommentApiController.php @@ -31,6 +31,7 @@ use OCP\AppFramework\ApiController; use OCP\AppFramework\OCS\OCSException; use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; +use OCA\Polls\Exceptions\NotAuthorizedException; use OCA\Polls\Service\CommentService; @@ -69,7 +70,11 @@ class CommentApiController extends ApiController { * @return DataResponse */ public function get($pollId, $token = '') { - return new DataResponse($this->commentService->get($pollId, $token), Http::STATUS_OK); + try { + return new DataResponse($this->commentService->get($pollId, $token), Http::STATUS_OK); + } catch (NotAuthorizedException $e) { + return new DataResponse($e, Http::STATUS_FORBIDDEN); + } } /** @@ -82,7 +87,11 @@ class CommentApiController extends ApiController { * @return DataResponse */ public function getByToken($token) { - return new DataResponse($this->commentService->get(0, $token), Http::STATUS_OK); + try { + return new DataResponse($this->commentService->get(0, $token), Http::STATUS_OK); + } catch (NotAuthorizedException $e) { + return new DataResponse($e, Http::STATUS_FORBIDDEN); + } } /** @@ -99,8 +108,8 @@ class CommentApiController extends ApiController { public function add($message, $pollId, $token) { try { return new DataResponse($this->commentService->add($message, $pollId, $token), Http::STATUS_OK); - } catch (Exception $e) { - return new OCSForbiddenException($e); + } catch (NotAuthorizedException $e) { + return new DataResponse($e, Http::STATUS_FORBIDDEN); } } @@ -117,10 +126,9 @@ class CommentApiController extends ApiController { public function delete($commentId, $token) { try { return new DataResponse($this->commentService->delete($commentId, $token), Http::STATUS_OK); - } catch (Exception $e) { - return new DataResponse($e, Http::STATUS_UNAUTHORIZED); + } catch (NotAuthorizedException $e) { + return new DataResponse($e, Http::STATUS_FORBIDDEN); } - } } diff --git a/lib/Controller/CommentController.php b/lib/Controller/CommentController.php index 17d0de94..8e5f8680 100644 --- a/lib/Controller/CommentController.php +++ b/lib/Controller/CommentController.php @@ -37,6 +37,8 @@ use OCA\Polls\Service\CommentService; class CommentController extends Controller { + private $commentService; + /** * CommentController constructor. * @param string $appName diff --git a/lib/Exception/NotAuthorizedException.php b/lib/Exceptions/NotAuthorizedException.php index fb4a89a4..9486790f 100644 --- a/lib/Exception/NotAuthorizedException.php +++ b/lib/Exceptions/NotAuthorizedException.php @@ -21,7 +21,9 @@ * */ -namespace OCA\Polls; +namespace OCA\Polls\Exceptions; + +use OCP\AppFramework\Http; class NotAuthorizedException extends \Exception { /** @@ -31,4 +33,8 @@ class NotAuthorizedException extends \Exception { public function __construct($e = 'Unauthorized') { parent::__construct($e); } + public function getStatus() { + return Http::STATUS_FORBIDDEN; + } + } diff --git a/lib/Model/Acl.php b/lib/Model/Acl.php index 2c42980a..4072f81f 100644 --- a/lib/Model/Acl.php +++ b/lib/Model/Acl.php @@ -136,6 +136,22 @@ class Acl implements JsonSerializable { } } + + /** + * @NoAdminRequired + * @return boolean + */ + public function checkAuthorize($pollId = 0, $token = '') { + + if ($token && !\OC::$server->getUserSession()->isLoggedIn()) { + $this->setToken($token); + } elseif ($pollId) { + $this->setPollId($pollId); + } + + return ($this->userId && $this->poll->getId()); + } + /** * @NoAdminRequired * @return string diff --git a/lib/Service/CommentService.php b/lib/Service/CommentService.php index a417ea12..c92bb80d 100644 --- a/lib/Service/CommentService.php +++ b/lib/Service/CommentService.php @@ -23,41 +23,36 @@ namespace OCA\Polls\Service; -use Exception; +use \Exception; use OCP\AppFramework\Db\DoesNotExistException; -use OCA\Polls\Exceptions\NotAuthorizedException; -use OCP\IRequest; +use OCP\IGroupManager; use OCP\ILogger; -use OCP\AppFramework\Controller; -use OCP\AppFramework\Http; -use OCP\AppFramework\Http\DataResponse; -use OCP\IGroupManager; +use OCA\Polls\Exceptions\NotAuthorizedException; -use OCA\Polls\Db\Poll; -use OCA\Polls\Db\PollMapper; use OCA\Polls\Db\Comment; use OCA\Polls\Db\CommentMapper; -use OCA\Polls\Service\AnonymizeService; +use OCA\Polls\Db\Poll; +use OCA\Polls\Db\PollMapper; use OCA\Polls\Model\Acl; +use OCA\Polls\Service\AnonymizeService; class CommentService { private $userId; + private $comment; private $commentMapper; private $logger; - private $groupManager; private $pollMapper; private $anonymizer; private $acl; - private $comment; /** - * CommentController constructor. + * CommentService constructor. * @param string $appName * @param $UserId * @param CommentMapper $commentMapper @@ -70,7 +65,6 @@ class CommentService { public function __construct( string $appName, $userId, - IRequest $request, ILogger $logger, CommentMapper $commentMapper, IGroupManager $groupManager, @@ -87,7 +81,6 @@ class CommentService { $this->acl = $acl; } - /** * get * Read all comments of a poll based on the poll id and return list as array @@ -97,15 +90,13 @@ class CommentService { * @return Array */ public function get($pollId = 0, $token = '') { - $this->logger->alert('call commentService->get(' . $pollId . ', '. $token . ')'); + $this->logger->debug('call commentService->get(' . $pollId . ', '. $token . ')'); - try { - if ($token && !\OC::$server->getUserSession()->isLoggedIn()) { - $this->acl->setToken($token); - } else { - $this->acl->setPollId($pollId); - } + if (!$this->acl->checkAuthorize($pollId, $token)) { + throw new NotAuthorizedException; + } + try { if (!$this->acl->getAllowSeeUsernames()) { $this->anonymizer->set($this->acl->getPollId(), $this->acl->getUserId()); return $this->anonymizer->getComments(); @@ -113,7 +104,7 @@ class CommentService { return $this->commentMapper->findByPoll($this->acl->getPollId()); } - } catch (Exception $e) { + } catch (\Exception $e) { $this->logger->alert('Error reading comments for pollId ' . $pollId . ': '. $e); throw new DoesNotExistException($e); } @@ -130,13 +121,12 @@ class CommentService { */ public function add($message, $pollId = 0, $token = '') { $this->logger->debug('call commentService->write("' . $message . '", ' .$pollId . ', "' .$token . '")'); - try { - if ($token && !\OC::$server->getUserSession()->isLoggedIn()) { - $this->acl->setToken($token); - } else { - $this->acl->setPollId($pollId); - } + if (!$this->acl->checkAuthorize($pollId, $token)) { + throw new NotAuthorizedException; + } + + try { if ($this->acl->getAllowComment()) { $this->comment = new Comment(); $this->comment->setPollId($this->acl->getPollId()); @@ -149,9 +139,9 @@ class CommentService { throw new NotAuthorizedException; } - } catch (Exception $e) { - $this->logger->alert('Error wrinting comment for pollId ' . $pollId . ': '. $e); - throw new Exception($e); + } catch (\Exception $e) { + $this->logger->alert('Error writing comment for pollId ' . $pollId . ': '. $e); + throw new NotAuthorizedException($e); } } @@ -165,24 +155,20 @@ class CommentService { */ public function delete($commentId, $token = '') { $this->logger->debug('call commentService->delete(' . $commentId . ', "' .$token . '")'); + try { $this->comment = $this->commentMapper->find($commentId); + } catch (DoesNotExistException $e) { + return new DoesNotExistException($e); + } - if ($token && !\OC::$server->getUserSession()->isLoggedIn()) { - $this->acl->setToken($token); - } else { - $this->acl->setPollId($this->comment->getPollId()); - } - - if ($this->comment->getUserId() === $this->acl->getUserId()) { - $this->commentMapper->delete($this->comment); - return $this->comment; - } else { - throw new NotAuthorizedException; - } - } catch (\Exception $e) { + if (!$this->acl->checkAuthorize($this->comment->getPollId(), $token) || $this->comment->getUserId() !== $this->acl->getUserId()) { throw new NotAuthorizedException; } + + $this->commentMapper->delete($this->comment); + return $this->comment; + } } |