ClaytonWWilson/Listify
1
0
Fork 0
mirror of https://github.com/ClaytonWWilson/Listify.git synced 2026-03-10 18:55:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Stricter access checking

Browse Source 
Properly restrict access to list actions to only authorized users.
This commit is contained in:
NMerz
2020-11-14 14:29:48 -05:00
parent 82272a9a29
commit 954b52dc0a
11 changed files with 132 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Lambdas/Lists/ListShare/src/ListSharer.java
View File

@@ -22,7 +22,7 @@ public class ListSharer implements CallHandler {
}
final private String CHECK_ACCESS = "SELECT * from ListSharee WHERE listID = ? AND userID = ?;";
final private String SHARE_LIST = "INSERT INTO ListSharee(listID, userID, permissionLevel) VALUES(?, ?, ?);";
final private String SHARE_LIST = "REPLACE INTO ListSharee(listID, userID, permissionLevel) VALUES(?, ?, ?);";
public Object conductAction(Map<String, Object> bodyMap, HashMap<String, String> queryString, String cognitoID) throws SQLException {
PreparedStatement checkAccess = connection.prepareStatement(CHECK_ACCESS);
@@ -30,8 +30,12 @@ public class ListSharer implements CallHandler {
checkAccess.setInt(1, listID);
checkAccess.setString(2, cognitoID);
ResultSet checkAccessRS = checkAccess.executeQuery();
if (!checkAccessRS.next()) {
throw new AccessControlException("The requesting user does not have access to the requested list");
if (checkAccessRS.next()) {
if (!ListPermissions.hasPermission(checkAccessRS.getInt("permissionLevel"), "Share")) {
throw new AccessControlException("User " + cognitoID + " does not have share permissions for list " + listID);
}
} else {
throw new AccessControlException("User " + cognitoID + " does not have any permissions to access list " + listID);
}
InvokeRequest invokeRequest = new InvokeRequest();
invokeRequest.setFunctionName("UserGET");