Stricter access checking

Properly restrict access to list actions to only authorized users.

Lambdas/Lists/List/src/ListAdder.java

@@ -9,7 +9,7 @@ public class ListAdder implements CallHandler {
     private String cognitoID;
 
     private final String LIST_CREATE = "INSERT INTO List (name, owner, lastUpdated) VALUES (?, ?, ?);";
-    private final String LIST_ACCESS_GRANT = "INSERT INTO ListSharee(listID, userID) VALUES(?, ?);";
+    private final String LIST_ACCESS_GRANT = "INSERT INTO ListSharee(listID, userID, permissionLevel) VALUES(?, ?, ?);";
 
     public ListAdder(Connection connection, String cognitoID) {
         this.connection = connection;
@@ -31,6 +31,7 @@ public class ListAdder implements CallHandler {
         PreparedStatement accessGrant = connection.prepareStatement(LIST_ACCESS_GRANT);
         accessGrant.setInt(1, newID);
         accessGrant.setString(2, cognitoID);
+        accessGrant.setInt(3, ListPermissions.getAll());
         System.out.println(accessGrant);
         accessGrant.executeUpdate();
         connection.commit();

Lambdas/Lists/List/src/ListDeleter.java

@@ -37,6 +37,11 @@ public class ListDeleter implements CallHandler {
         ResultSet userLists = accessCheck.executeQuery();
         if (!userLists.next()) {
             throw new AccessControlException("User does not have access to list");
+        } else {
+            Integer permissionLevel = userLists.getInt("permissionLevel");
+            if (!ListPermissions.hasPermission(permissionLevel, "Delete")) {
+                throw new AccessControlException("User " + cognitoID + " does not have permission to delete list " + listID);
+            }
         }
         PreparedStatement cleanAccess = connection.prepareStatement(DELETE_LIST_ACCESS);
         cleanAccess.setInt(1, listID);

Lambdas/Lists/List/src/ListGetter.java

@@ -1,3 +1,4 @@
+import java.security.AccessControlException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
@@ -40,7 +41,14 @@ public class ListGetter implements CallHandler{
         System.out.println(checkAccess);
         ResultSet accessResults = checkAccess.executeQuery();
         int sharees = 0;
-        while (sharees < 2 && accessResults.next()) {
+        boolean verifiedAccess = false;
+        while ((sharees < 2 && accessResults.next()) || !verifiedAccess) {
+            if (accessResults.getString("userID").equals(cognitoID)) {
+                verifiedAccess = true;
+                if (!ListPermissions.hasPermission(accessResults.getInt("permissionLevel"), "Read")) {
+                    throw new AccessControlException("User " + cognitoID + " does not have permission to read list " + id);
+                }
+            }
             sharees++;
         }
         boolean shared = false;

Lambdas/Lists/List/src/ListPermissions.java

@@ -0,0 +1,41 @@
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class ListPermissions {
+    private static final Map<Integer, String> keysToPerms;
+    static {
+        //All keys should be a prime number > 1
+        //All keys need to be maintained here and in ListShare object in data on the client side
+        HashMap<Integer, String> keysToPermsTemp = new HashMap<>();
+        keysToPermsTemp.put(2, "read");
+        keysToPermsTemp.put(3, "write");
+        keysToPermsTemp.put(5, "delete");
+        keysToPermsTemp.put(7, "share");
+        keysToPerms = Collections.unmodifiableMap(keysToPermsTemp);
+    }
+
+    public static Integer getAll() {
+        Integer toReturn = 1;
+        for (Integer key : keysToPerms.keySet()) {
+            toReturn *= key;
+        }
+        return toReturn;
+    }
+
+    public static boolean hasPermission(Integer level, String permission) {
+        return level % getKeyForPermission(permission) == 0;
+    }
+
+    public static Integer getKeyForPermission(String permissionRaw) {
+        String permission = permissionRaw.toLowerCase();
+        for (Map.Entry<Integer, String> entry : keysToPerms.entrySet()) {
+            if (entry.getValue().equals(permission)) {
+                return entry.getKey();
+            }
+        }
+        System.out.println("Tried to get key for invalid permission: " + permission);
+        return -1;
+    }
+
+}