use of check access for event

alfio-event · May 12, 2023 · f1bce9d · f1bce9d
1 parent 7e8e51a
commit f1bce9d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/src/main/java/alfio/controller/api/admin/CheckInApiController.java b/src/main/java/alfio/controller/api/admin/CheckInApiController.java
@@ -16,6 +16,7 @@
  */
 package alfio.controller.api.admin;
 
+import alfio.manager.AccessService;
 import alfio.manager.CheckInManager;
 import alfio.manager.EventManager;
 import alfio.manager.support.CheckInStatistics;
@@ -57,6 +58,7 @@ public class CheckInApiController {
     private final CheckInManager checkInManager;
     private final EventManager eventManager;
     private final ConfigurationManager configurationManager;
+    private final AccessService accessService;
 
     @Data
     public static class TicketCode {
@@ -162,6 +164,7 @@ public TicketAndCheckInResult confirmOnSitePayment(@PathVariable("eventName") St
 
     @GetMapping("/check-in/event/{eventName}/statistics")
     public CheckInStatistics getStatistics(@PathVariable("eventName") String eventName, Principal principal) {
+        accessService.checkEventAccess(principal, eventName);
         return checkInManager.getStatistics(eventName, principal.getName());
     }
 
@@ -177,6 +180,7 @@ public List<Integer> findAllIdentifiersForAdminCheckIn(@PathVariable("eventId")
                                                @RequestParam(value = "changedSince", required = false) Long changedSince,
                                                HttpServletResponse response,
                                                Principal principal) {
+        accessService.checkEventAccess(principal, eventId);
         response.setHeader(ALFIO_TIMESTAMP_HEADER, Long.toString(new Date().getTime()));
         return checkInManager.getAttendeesIdentifiers(eventId, changedSince == null ? new Date(0) : new Date(changedSince), principal.getName());
     }
@@ -205,6 +209,7 @@ public List<FullTicketInfo> findAllTicketsForAdminCheckIn(@PathVariable("eventId
 
     @GetMapping("/check-in/{eventName}/label-layout")
     public ResponseEntity<LabelLayout> getLabelLayoutForEvent(@PathVariable("eventName") String eventName, Principal principal) {
+        accessService.checkEventAccess(principal, eventName);
         return eventManager.getOptionalEventAndOrganizationIdByName(eventName, principal.getName())
             .filter(checkInManager.isOfflineCheckInAndLabelPrintingEnabled())
             .map(this::parseLabelLayout)
@@ -216,6 +221,7 @@ public List<Integer> getOfflineIdentifiers(@PathVariable("eventName") String eve
                                               @RequestParam(value = "changedSince", required = false) Long changedSince,
                                               HttpServletResponse resp,
                                               Principal principal) {
+        accessService.checkEventAccess(principal, eventName);
         Date since = changedSince == null ? new Date(0) : DateUtils.addSeconds(new Date(changedSince), -1);
         Optional<List<Integer>> ids = eventManager.getOptionalEventAndOrganizationIdByName(eventName, principal.getName())
             .filter(checkInManager.isOfflineCheckInEnabled())

diff --git a/src/main/java/alfio/controller/api/admin/ConfigurationApiController.java b/src/main/java/alfio/controller/api/admin/ConfigurationApiController.java
@@ -18,6 +18,7 @@
 
 import alfio.controller.api.support.TicketHelper;
 import alfio.job.executor.AssignTicketToSubscriberJobExecutor;
+import alfio.manager.AccessService;
 import alfio.manager.BillingDocumentManager;
 import alfio.manager.EventManager;
 import alfio.manager.system.AdminJobExecutor;
@@ -61,6 +62,7 @@ public class ConfigurationApiController {
     private final EventManager eventManager;
     private final ClockProvider clockProvider;
     private final UserManager userManager;
+    private final AccessService accessService;
 
     @GetMapping(value = "/load")
     public Map<ConfigurationKeys.SettingCategory, List<Configuration>> loadConfiguration(Principal principal) {
@@ -87,6 +89,7 @@ public boolean updateConfiguration(@RequestBody Map<ConfigurationKeys.SettingCat
 
     @GetMapping(value = "/organizations/{organizationId}/load")
     public Map<ConfigurationKeys.SettingCategory, List<Configuration>> loadOrganizationConfiguration(@PathVariable("organizationId") int organizationId, Principal principal) {
+        accessService.checkOrganizationAccess(principal, organizationId);
         return configurationManager.loadOrganizationConfig(organizationId, principal.getName());
     }
 
@@ -100,13 +103,15 @@ public boolean updateOrganizationConfiguration(@PathVariable("organizationId") i
     @GetMapping(value = "/events/{eventId}/load")
     public Map<ConfigurationKeys.SettingCategory, List<Configuration>> loadEventConfiguration(@PathVariable("eventId") int eventId,
                                                                                               Principal principal) {
+        accessService.checkEventAccess(principal, eventId);
         return configurationManager.loadEventConfig(eventId, principal.getName());
     }
 
     @GetMapping("/events/{eventName}/single/{key}")
     public ResponseEntity<String> getSingleConfigForEvent(@PathVariable("eventName") String eventShortName,
                                                          @PathVariable("key") String key,
                                                          Principal principal) {
+        accessService.checkEventAccess(principal, eventShortName);
 
         var optionalEvent = eventManager.getOptionalByName(eventShortName, principal.getName());
 
@@ -126,6 +131,7 @@ public ResponseEntity<String> getSingleConfigForEvent(@PathVariable("eventName")
     public ResponseEntity<String> getSingleConfigForOrganization(@PathVariable("organizationId") int organizationId,
                                                                  @PathVariable("key") String key,
                                                                  Principal principal) {
+        accessService.checkOrganizationAccess(principal, organizationId);
 
         String config = configurationManager.getSingleConfigForOrganization(organizationId, key, principal.getName());
         if(config == null) {
@@ -155,12 +161,14 @@ public Map<ConfigurationKeys.SettingCategory, List<Configuration>> loadCategoryC
 
     @DeleteMapping(value = "/organization/{organizationId}/key/{key}")
     public boolean deleteOrganizationLevelKey(@PathVariable("organizationId") int organizationId, @PathVariable("key") ConfigurationKeys key, Principal principal) {
+        accessService.checkOrganizationAccess(principal, organizationId);
         configurationManager.deleteOrganizationLevelByKey(key.getValue(), organizationId, principal.getName());
         return true;
     }
 
     @DeleteMapping(value = "/event/{eventId}/key/{key}")
     public boolean deleteEventLevelKey(@PathVariable("eventId") int eventId, @PathVariable("key") ConfigurationKeys key, Principal principal) {
+        accessService.checkEventAccess(principal, eventId);
         configurationManager.deleteEventLevelByKey(key.getValue(), eventId, principal.getName());
         return true;
     }
@@ -189,7 +197,8 @@ public InstanceSettings loadInstanceSettings() {
     }
 
     @GetMapping(value = "/platform-mode/status/{organizationId}")
-    public Map<String, Boolean> loadPlatformModeStatus(@PathVariable("organizationId") int organizationId) {
+    public Map<String, Boolean> loadPlatformModeStatus(@PathVariable("organizationId") int organizationId, Principal principal) {
+        accessService.checkOrganizationAccess(principal, organizationId);
         Map<String, Boolean> result = new HashMap<>();
         boolean platformModeEnabled = configurationManager.getForSystem(PLATFORM_MODE_ENABLED).getValueAsBooleanOrDefault();
         result.put("enabled", platformModeEnabled);
@@ -208,6 +217,7 @@ public Collection<ConfigurationKeys.SettingCategory> getSettingCategories() {
 
     @GetMapping(value = "/event/{eventId}/invoice-first-date")
     public ResponseEntity<ZonedDateTime> getFirstInvoiceDate(@PathVariable("eventId") Integer eventId, Principal principal) {
+        accessService.checkEventAccess(principal, eventId);
         return ResponseEntity.of(optionally(() -> eventManager.getSingleEventById(eventId, principal.getName()))
             .map(event -> billingDocumentManager.findFirstInvoiceDate(event.getId()).orElseGet(() -> ZonedDateTime.now(clockProvider.getClock().withZone(event.getZoneId())))));
     }
@@ -217,6 +227,7 @@ public ResponseEntity<List<Integer>> getMatchingInvoicesForEvent(@PathVariable("
                                                                      @RequestParam("from") long fromInstant,
                                                                      @RequestParam("to") long toInstant,
                                                                      Principal principal) {
+        accessService.checkEventAccess(principal, eventId);
         var eventOptional = optionally(() -> eventManager.getSingleEventById(eventId, principal.getName()));
         if(eventOptional.isEmpty()) {
             return ResponseEntity.badRequest().build();