ClaytonWWilson/Listify
1
0
Fork 0
mirror of https://github.com/ClaytonWWilson/Listify.git synced 2025-12-17 02:58:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
954b52dc0a
Listify/Lambdas/Lists/List/src/ListDeleter.java
NMerz 954b52dc0a Stricter access checking 
Properly restrict access to list actions to only authorized users.
2020-11-14 14:29:48 -05:00

62 lines
2.8 KiB
Java
Raw Blame History

import java.security.AccessControlException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;
public class ListDeleter implements CallHandler {
private final Connection connection;
private final String cognitoID;
private final String GET_LISTS = "SELECT * FROM List WHERE (owner = ? AND listID = ?);";
private final String DELETE_LIST = "DELETE FROM List WHERE listID = ?;";
private final String DELETE_REQUESTOR_ACCESS = "DELETE FROM ListSharee where listID = ? AND userID = ?;";
private final String DELETE_LIST_ACCESS = "DELETE FROM ListSharee where listID = ?;";
private final String DELETE_LIST_ENTRIES = "DELETE FROM ListProduct where listID = ?;";
public ListDeleter(Connection connection, String cognitoID) {
this.connection = connection;
this.cognitoID = cognitoID;
}
@Override
public Object conductAction(Map<String, Object> bodyMap, HashMap<String, String> queryMap, String cognitoID) throws SQLException {
Integer listID = Integer.parseInt(queryMap.get("id"));
PreparedStatement cleanRequestorAccess = connection.prepareStatement(DELETE_REQUESTOR_ACCESS);
cleanRequestorAccess.setInt(1, listID);
cleanRequestorAccess.setString(2, cognitoID);
System.out.println(cleanRequestorAccess);
cleanRequestorAccess.executeUpdate();
PreparedStatement accessCheck = connection.prepareStatement(GET_LISTS);
accessCheck.setString(1, cognitoID);
accessCheck.setInt(2, listID);
System.out.println(accessCheck);
ResultSet userLists = accessCheck.executeQuery();
if (!userLists.next()) {
throw new AccessControlException("User does not have access to list");
} else {
Integer permissionLevel = userLists.getInt("permissionLevel");
if (!ListPermissions.hasPermission(permissionLevel, "Delete")) {
throw new AccessControlException("User " + cognitoID + " does not have permission to delete list " + listID);
}
}
PreparedStatement cleanAccess = connection.prepareStatement(DELETE_LIST_ACCESS);
cleanAccess.setInt(1, listID);
System.out.println(cleanAccess);
cleanAccess.executeUpdate();
PreparedStatement deleteEntries = connection.prepareStatement(DELETE_LIST_ENTRIES);
deleteEntries.setInt(1, listID);
System.out.println(deleteEntries);
deleteEntries.executeUpdate();
PreparedStatement cleanList = connection.prepareStatement(DELETE_LIST);
cleanList.setInt(1, listID);
System.out.println(cleanList);
cleanList.executeUpdate();
connection.commit();
return null;
}
}
Reference in New Issue View Git Blame Copy Permalink