permission checks

code/moya-web/src/main/java/fi/codecrew/moya/rest/UserRestView.java

@@ -37,6 +37,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.ResponseBuilder;
 import javax.ws.rs.core.Response.Status;
 
+import fi.codecrew.moya.enums.apps.UserPermission;
 import fi.codecrew.moya.model.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -274,8 +275,13 @@ public class UserRestView {
     @Produces({ MediaType.APPLICATION_JSON })
     @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
     @ApiOperation(value = "Create user", response = EventUserRestPojo.class)
-    public EventUserRestPojo createEventUser() {
-        return null;
+    public Response createEventUser() {
+
+        if (permbean.hasPermission(UserPermission.CREATE_NEW) == false) {
+            return Response.status(Status.FORBIDDEN).build();
+        }
+
+        return Response.status(Status.NOT_IMPLEMENTED).build();
     }
 
 
@@ -286,6 +292,9 @@ public class UserRestView {
     public Response getEventUser(@QueryParam("email") @ApiParam("Email address") String email,
                                  @QueryParam("login") @ApiParam("Username") String userName) {
         try {
+            if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
+                return Response.status(Status.FORBIDDEN).build();
+            }
 
             // If username not given, try to find username by email
             if (userName == null || userName.isEmpty()) {
@@ -315,6 +324,9 @@ public class UserRestView {
     public Response checkPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
                                   @FormParam("password") @ApiParam("Password") String password) {
         try {
+            if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
+                return Response.status(Status.FORBIDDEN).build();
+            }
 
             EventUser user = userbean.findByUserId(userId, true);
             if (user == null) {
@@ -343,6 +355,9 @@ public class UserRestView {
     public Response resetPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
                                   @FormParam("password") @ApiParam("New password") String password) {
         try {
+            if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
+                return Response.status(Status.FORBIDDEN).build();
+            }
             EventUser eventUser = userbean.findByUserId(userId, true);
             User user = eventUser.getUser();
             userbean.resetPassword(user, password);
@@ -367,6 +382,9 @@ public class UserRestView {
     public Response updateUserImage(@Context HttpServletRequest request,
                                     @PathParam("userid") @ApiParam("User ID") Integer userId) throws IOException {
         try {
+            if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
+                return Response.status(Status.FORBIDDEN).build();
+            }
             Part imagePart = request.getPart("image");
             EventUser eventUser = userbean.findByUserId(userId, true);
             UserImage userImage = userbean.uploadImage(eventUser, imagePart.getContentType(),