

Add PreAuthorize
niyatanya committed Aug 30, 2024
1 parent fdea480 commit cbc165d
Showing 1 changed file with 11 additions and 11 deletions.
22 changes: 11 additions & 11 deletions src/main/java/hexlet/code/controller/api/UserController.java
Expand Up @@ -14,7 +14,7 @@
import org.springframework.http.HttpStatus;

import org.springframework.http.ResponseEntity;
//import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
Expand Down Expand Up @@ -77,25 +77,25 @@ private UserDTO create(@Valid @RequestBody UserCreateDTO dto) {
@PutMapping(path = "/{id}")
//value = "@userService.findById(#id).getEmail() == authentication.name"
//"@userRepository.findById(#id).getEmail() == authentication.principal.username"
// @PreAuthorize(value = "@userRepository.findById(#id).getEmail() == authentication.name")
@PreAuthorize(value = "@userRepository.findById(#id).getEmail() == authentication.name")
private UserDTO update(@Valid @RequestBody UserUpdateDTO dto,
@PathVariable long id) throws AccessDeniedException {
User currentUser = userUtils.getCurrentUser();
if (currentUser.getId() != id) {
throw new AccessDeniedException("Access denied.");
}
// User currentUser = userUtils.getCurrentUser();
// if (currentUser.getId() != id) {
// throw new AccessDeniedException("Access denied.");
// }

return userService.updateUser(dto, id);
}

@DeleteMapping(path = "/{id}")
@ResponseStatus(HttpStatus.NO_CONTENT)
// @PreAuthorize(value = "@userRepository.findById(#id).getEmail() == authentication.principal.username")
@PreAuthorize(value = "@userRepository.findById(#id).getEmail() == authentication.principal.username")
private void delete(@PathVariable long id) throws AccessDeniedException {
User currentUser = userUtils.getCurrentUser();
if (currentUser.getId() != id) {
throw new AccessDeniedException("Access denied.");
}
// User currentUser = userUtils.getCurrentUser();
// if (currentUser.getId() != id) {
// throw new AccessDeniedException("Access denied.");
// }
userRepository.deleteById(id);
}
}
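Review bot: The new `@PreAuthorize` guards on `update` and `delete` are placed on `private` handler methods while the in-body owner check (`currentUser.getId() != id`) that actually enforced ownership is commented out, so if method security is proxy-based (the Spring default) the private methods cannot be intercepted and the authorization may not run at all — this should be confirmed with a test that an authenticated user receives 403 when targeting another user's id. Making the handlers `public` restores interception, and keeping the id comparison as defense in depth until that test exists costs nothing. The expression also calls `.getEmail()` directly on `@userRepository.findById(#id)`, which for a Spring Data repository returns `Optional<User>` and would fail SpEL evaluation (and throw for an unknown id rather than yielding 404); mirroring the removed check with `@PreAuthorize("@userUtils.getCurrentUser().getId() == #id")` avoids both issues if `userUtils` is a Spring bean. The two methods also disagree on the principal accessor (`authentication.name` vs `authentication.principal.username`); pick one and use it consistently. Finally, the commented-out checks and the two stale expression comments above `update` should be deleted rather than left in place.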
