Merge branch 'rolecheck' into 'master'

Add some sanity checks to role fetching. See merge request !429

Merge branch 'rolecheck' into 'master'
Add some sanity checks to role fetching. See merge request !429
Tuukka Kivilahti
Commit 327aa8cc authored Jan 31, 2019 by Tuukka Kivilahti
Showing with 17 additions and 2 deletions
code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
code/moya-beans/ejbModule/fi/codecrew/moya/beans/UserBean.java
code/moya-beans/ejbModule/fi/codecrew/moya/facade/RoleFacade.java
--- a/code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
+++ b/code/moya-beans/ejbModule/fi/codecrew/moya/beans/PlaceBean.java
@@ -400,7 +400,6 @@ public class PlaceBean implements PlaceBeanLocal {
 			if (prod.getProductFlags().contains(ProductFlag.CREATE_NEW_PLACE_WHEN_BOUGHT)) {
 				freePlace = new Place();
 				freePlace.setProduct(prod);
-				freePlace.setProvidesRole(prod.getProvides());
 				freePlace.setName("-");
 				placeFacade.create(freePlace);


--- a/code/moya-beans/ejbModule/fi/codecrew/moya/beans/UserBean.java
+++ b/code/moya-beans/ejbModule/fi/codecrew/moya/beans/UserBean.java
@@ -281,6 +281,20 @@ public class UserBean implements UserBeanLocal {
 			}

 		}
+
+		// double check that we are handling only roles for this event
+		// It is not trivial to create checks in db to verify validity of event matches for example:
+		// place -> provided_role -> event_id == place -> product -> event_id
+
+		// We do have checks in place in code for these, but this is a precaution for
+		// accidental and malicious db changes.
+		for (Role r: checkedRoles.keySet()){
+			if(!r.getEvent().equals(event)){
+				logger.warn("Tried to return roles for a wrong event. Role {}, expected event {}, got event: {}", r, r.getEvent(), event);
+				throw new EJBAccessException("Trying to return roles for a wrong avent!");
+			}
+		}
+
 		// currentEventuser = u;
 		// currentEventuserRoles = new ArrayList<Role>(checkedRoles);
 		// logger.debug("Returning parsed eventUser roles for user {}:  {} ", u,

--- a/code/moya-beans/ejbModule/fi/codecrew/moya/facade/RoleFacade.java
+++ b/code/moya-beans/ejbModule/fi/codecrew/moya/facade/RoleFacade.java
@@ -57,7 +57,9 @@ public class RoleFacade extends IntegerPkGenericFacade<Role> {
 		CriteriaBuilder cb = getEm().getCriteriaBuilder();
 		CriteriaQuery<Role> cq = cb.createQuery(Role.class);
 		Root<Role> root = cq.from(Role.class);
-		cq.where(cb.equal(root.get(Role_.event), user.getEvent()), cb.isMember(user, root.get(Role_.users)));
+		cq.where(
+			cb.equal(root.get(Role_.event), user.getEvent()),
+			cb.isMember(user, root.get(Role_.users)));

 		return getEm().createQuery(cq).getResultList();
 	}