chore: add user ownership check

halo-dev · Nov 27, 2023 · ffef498 · ffef498
1 parent 5309e94
commit ffef498
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/application/src/main/java/run/halo/app/notification/DefaultNotificationService.java b/application/src/main/java/run/halo/app/notification/DefaultNotificationService.java
@@ -5,6 +5,7 @@
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Component;
 import org.springframework.util.Assert;
+import org.springframework.web.server.ServerWebInputException;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import run.halo.app.core.extension.notification.Notification;
@@ -50,8 +51,15 @@ public Flux<String> markSpecifiedAsRead(String username, List<String> names) {
     }
 
     @Override
-    public Mono<Notification> deleteByName(String name) {
+    public Mono<Notification> deleteByName(String username, String name) {
         return client.get(Notification.class, name)
+            .doOnNext(notification -> {
+                var recipient = notification.getSpec().getRecipient();
+                if (!username.equals(recipient)) {
+                    throw new ServerWebInputException(
+                        "You have no permission to delete this notification.");
+                }
+            })
             .flatMap(client::delete);
     }
 

diff --git a/application/src/main/java/run/halo/app/notification/UserNotificationService.java b/application/src/main/java/run/halo/app/notification/UserNotificationService.java
@@ -38,5 +38,5 @@ public interface UserNotificationService {
      */
     Flux<String> markSpecifiedAsRead(String username, List<String> names);
 
-    Mono<Notification> deleteByName(String name);
+    Mono<Notification> deleteByName(String username, String name);
 }
diff --git a/application/src/main/java/run/halo/app/notification/endpoint/UserNotificationEndpoint.java b/application/src/main/java/run/halo/app/notification/endpoint/UserNotificationEndpoint.java
@@ -129,7 +129,8 @@ Supplier<RouterFunction<ServerResponse>> userspaceScopedApis() {
 
     private Mono<ServerResponse> deleteNotification(ServerRequest request) {
         var name = request.pathVariable("name");
-        return notificationService.deleteByName(name)
+        var username = request.pathVariable("username");
+        return notificationService.deleteByName(username, name)
             .flatMap(notification -> ServerResponse.ok().bodyValue(notification));
     }