authorGravatar Vitaly Takmazov2016-11-28 13:09:34 +0300
committerGravatar Vitaly Takmazov2016-11-28 13:09:34 +0300
commit1679b35661297fd9a6693b03cadcdbc1ab5a4203 (patch)
treeec2457286fcf93f1c227da369c0c39c98aa853df /juick-api/src/main/java/com/juick/api/controllers/Messages.java
parentbc23d2d2125d2086847397e85335f29a70668f6b (diff)
juick-api: all controllers are using spring-security and @RequestParam
Diffstat (limited to 'juick-api/src/main/java/com/juick/api/controllers/Messages.java')
-rw-r--r--juick-api/src/main/java/com/juick/api/controllers/Messages.java74
1 files changed, 19 insertions, 55 deletions
diff --git a/juick-api/src/main/java/com/juick/api/controllers/Messages.java b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
index 0f8e7e07..f30a7687 100644
--- a/juick-api/src/main/java/com/juick/api/controllers/Messages.java
+++ b/juick-api/src/main/java/com/juick/api/controllers/Messages.java
@@ -25,7 +25,6 @@ import rocks.xmpp.addr.Jid;
import rocks.xmpp.core.stanza.model.Message;
import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
@@ -77,23 +76,15 @@ public class Messages {
@RequestMapping("/messages")
public ResponseEntity<List<com.juick.Message>> getMessages(
- HttpServletRequest request,
- @RequestParam(required = false) String hash,
+ Principal principal,
@RequestParam(required = false) String uname,
@RequestParam(defaultValue = "0") int before_mid,
@RequestParam(required = false) String popular,
@RequestParam(required = false) String media,
@RequestParam(required = false) String tag) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1)
- return FORBIDDEN;
-
- if (vuid == 0) {
- if (hash != null && hash.length() == 16)
- vuid = userService.getUIDbyHash(hash);
- }
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
List<Integer> mids;
if (!StringUtils.isEmpty(uname)) {
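Review bot: In the three added lines of getMessages, `visitor.getUid()` is called without checking that `userService.getUserByName(name)` returned a user, and `UserUtils.getUsername(principal, null)` is given a null fallback. Neither helper is visible in this diff, so this is an inference: if an unauthenticated request reaches the controller with a null `principal` and the lookup returns null, the handler would fail with a NullPointerException instead of treating the caller as anonymous (uid 0) as the removed code did. Consider a guard such as `int vuid = visitor != null ? visitor.getUid() : 0;`, or a comment stating that getUserByName always returns a non-null anonymous user. The same three lines recur in getThread, doGetRecommended and doSetPrivacy, where `canViewThread(mid, vuid)` and the `vuid == 0` checks depend on them; getMessages continues past the end of this hunk.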
@@ -135,20 +126,11 @@ public class Messages {
@RequestMapping("/thread")
public ResponseEntity<List<com.juick.Message>> getThread(
- HttpServletRequest request,
+ Principal principal,
@RequestParam(defaultValue = "0") int mid) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- return FORBIDDEN;
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
com.juick.Message msg = messagesService.getMessage(mid);
if (msg != null) {
if (!messagesService.canViewThread(mid, vuid)) {
@@ -164,20 +146,11 @@ public class Messages {
@RequestMapping("/messages/recommended")
public ResponseEntity<List<com.juick.Message>> doGetRecommended(
- HttpServletRequest request,
+ Principal principal,
@RequestParam(defaultValue = "0") int before_mid) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- return FORBIDDEN;
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
if (vuid == 0) {
return FORBIDDEN;
}
@@ -195,29 +168,20 @@ public class Messages {
@RequestMapping("/messages/set_privacy")
@ResponseBody
- public Status doSetPrivacy(
- HttpServletRequest request,
+ public ResponseEntity<Status> doSetPrivacy(
+ Principal principal,
@RequestParam(defaultValue = "0") int mid) {
- // TODO: use spring-security
- String auth = request.getHeader("Authorization");
- int vuid = userService.getUIDByHttpAuth(auth);
- if (vuid == -1) {
- throw new HttpForbiddenException();
- }
- if (vuid == 0) {
- String hash = request.getParameter("hash");
- if (hash != null && hash.length() == 16) {
- vuid = userService.getUIDbyHash(hash);
- }
- }
+ String name = UserUtils.getUsername(principal, null);
+ User visitor = userService.getUserByName(name);
+ int vuid = visitor.getUid();
if (vuid == 0) {
throw new HttpForbiddenException();
}
com.juick.User user = messagesService.getMessageAuthor(mid);
if (user != null && user.getUid() == vuid && messagesService.setMessagePrivacy(mid)) {
- return Status.OK;
+ return ResponseEntity.ok(Status.OK);
}
- throw new HttpBadRequestException();
+ throw new HttpForbiddenException();
}
@RequestMapping("/messages/set_popular")
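Review bot: `/messages/set_privacy` changes message state, but its `@RequestMapping` has no `method` restriction, so any authenticated request, including a plain GET, reaches `setMessagePrivacy`. Now that the caller's identity comes from spring-security (whose configuration is not shown here), it is worth restricting the mapping, e.g. `@RequestMapping(value = "/messages/set_privacy", method = RequestMethod.POST)`, and confirming how CSRF is handled for this endpoint. Separately, the final `throw new HttpForbiddenException()` now also covers a missing message (`user == null`) and a failed `setMessagePrivacy`, so clients cannot tell those apart from an ownership failure. `@ResponseBody` is also redundant once the method returns `ResponseEntity<Status>`.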