Diffstat (limited to 'juick-server')
3 files changed, 55 insertions, 0 deletions
diff --git a/juick-server/src/main/java/com/juick/server/api/Messages.java b/juick-server/src/main/java/com/juick/server/api/Messages.java
index d7c07391..db6463dd 100644
--- a/juick-server/src/main/java/com/juick/server/api/Messages.java
+++ b/juick-server/src/main/java/com/juick/server/api/Messages.java
@@ -24,10 +24,12 @@ import com.juick.server.Utils;
 import com.juick.server.component.MessageReadEvent;
 import com.juick.server.helpers.CommandResult;
 import com.juick.server.util.HttpBadRequestException;
+import com.juick.server.util.HttpNotFoundException;
 import com.juick.server.util.UserUtils;
 import com.juick.service.MessagesService;
 import com.juick.service.TagService;
 import com.juick.service.UserService;
+import com.juick.service.security.entities.JuickUser;
 import org.apache.commons.io.IOUtils;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.http.HttpStatus;
@@ -167,6 +169,10 @@ public class Messages {
 if (!messagesService.canViewThread(mid, visitor.getUid())) {
 return FORBIDDEN;
 } else {
+ JuickUser juickUser = new JuickUser(userService.getUserByName(msg.getUser().getName()));
+ if (!juickUser.isEnabled()) {
+ throw new HttpNotFoundException();
+ }
 msg.setRecommendations(new HashSet<>(messagesService.getMessageRecommendations(msg.getMid())));
 List<com.juick.Message> replies = messagesService.getReplies(visitor, mid);
 if (!visitor.isAnonymous()) {
diff --git a/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java b/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
index 807f4a9d..125e4f63 100644
--- a/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
+++ b/juick-server/src/main/java/com/juick/service/MessagesServiceImpl.java
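Review bot: The added enabled check runs only after `canViewThread` has already returned `FORBIDDEN`, so a visitor who may not view a banned author's thread gets 403 while an allowed visitor gets 404; if a banned user's posts are meant to be gone for everyone, the `JuickUser` check belongs before the `canViewThread` test so the response does not reveal the thread's existence depending on the visitor's rights. The lookup here goes through `userService.getUserByName(msg.getUser().getName())`, whereas the service methods in MessagesServiceImpl resolve the same rule by UID; a name-based lookup on an already-loaded message costs an extra query keyed on a mutable attribute, and the UID (if `msg.getUser()` carries it, as the service call sites suggest) is the stable key. The enclosing method starts and ends outside the hunk.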
@@ -20,6 +20,8 @@ package com.juick.service;
 import com.juick.*;
 import com.juick.server.helpers.PrivacyOpts;
 import com.juick.server.helpers.ResponseReply;
+import com.juick.server.util.HttpNotFoundException;
+import com.juick.service.security.entities.JuickUser;
 import com.juick.util.MessageUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -649,6 +651,11 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 .addValue("privacy", privacy)
 .addValue("before", before);
 
+ JuickUser juickUser = new JuickUser(userService.getUserByUID(uid).orElseThrow(IllegalStateException::new));
+ if (!juickUser.isEnabled()) {
+ throw new HttpNotFoundException();
+ }
+
 return getNamedParameterJdbcTemplate().queryForList(
 "SELECT message_id FROM messages WHERE user_id = :uid" +
 (before > 0 ?
@@ -667,6 +674,11 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 .addValue("privacy", privacy)
 .addValue("before", before);
 
+ JuickUser juickUser = new JuickUser(userService.getUserByUID(uid).orElseThrow(IllegalStateException::new));
+ if (!juickUser.isEnabled()) {
+ throw new HttpNotFoundException();
+ }
+
 return getNamedParameterJdbcTemplate().queryForList(
 "SELECT messages.message_id FROM messages_tags INNER JOIN messages " +
 " USING (message_id) WHERE messages.user_id = :uid AND messages_tags.tag_id = :tid " +
@@ -685,6 +697,11 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 .addValue("privacy", privacy)
 .addValue("daysback", daysback);
 
+ JuickUser juickUser = new JuickUser(userService.getUserByUID(uid).orElseThrow(IllegalStateException::new));
+ if (!juickUser.isEnabled()) {
+ throw new HttpNotFoundException();
+ }
+
 return getNamedParameterJdbcTemplate().queryForList(
 "SELECT message_id FROM messages WHERE user_id = :uid" +
 (daysback > 0 ?
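Review bot: The enabled check inserted before `return getNamedParameterJdbcTemplate().queryForList(` in the @@ -649 hunk is repeated verbatim in the @@ -667, @@ -685 and @@ -703 hunks; it should be a single private helper so the rule is defined once and any later adjustment reaches all four query paths. As written, a uid with no user row surfaces as `IllegalStateException` (a 500 at the web layer) while a banned user is a 404; if those two cases should look the same to a client, the helper is the one place to decide that. Throwing `HttpNotFoundException` from `com.juick.server.util` inside the service also ties this class to the web layer; a service-level exception mapped by the controller would keep the layering, though that is a wider design choice than this commit. Each enclosing method begins outside its hunk.
```java
/** Rejects queries for an author whose account is not enabled (banned or otherwise disabled). */
private void requireEnabledUser(int uid) {
    JuickUser juickUser = new JuickUser(userService.getUserByUID(uid).orElseThrow(IllegalStateException::new));
    if (!juickUser.isEnabled()) {
        throw new HttpNotFoundException();
    }
}
// … at each of the four call sites, in place of the inline block:
requireEnabledUser(uid);
```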
@@ -703,6 +720,11 @@ public class MessagesServiceImpl extends BaseJdbcService implements MessagesServ
 .addValue("privacy", privacy)
 .addValue("before", before);
 
+ JuickUser juickUser = new JuickUser(userService.getUserByUID(uid).orElseThrow(IllegalStateException::new));
+ if (!juickUser.isEnabled()) {
+ throw new HttpNotFoundException();
+ }
+
 return getNamedParameterJdbcTemplate().queryForList(
 "SELECT message_id FROM " +
 "(SELECT message_id FROM favorites " +
diff --git a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
index 9f573e82..88cdd24c 100644
--- a/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
+++ b/juick-server/src/test/java/com/juick/server/tests/ServerTests.java
@@ -1225,6 +1225,7 @@ public class ServerTests {
 assertThat(getStatus.get().getInbound().size(), is(0));
 ConnectionIn test = new ConnectionIn(server, new Socket("localhost", server.getServerPort()));
 test.from.add(Jid.of("test"));
+ server.getInConnections().clear();
 server.addConnectionIn(test);
 assertThat(getStatus.get().getInbound().size(), is(1));
 }
@@ -1255,4 +1256,30 @@ public class ServerTests {
 // uid, name, xmlns, xmlns:user
 assertThat(attrs.getLength(), is(4));
 }
+ @Test
+ public void bannedUserBlogandPostShouldReturn404() throws Exception {
+ String userName = "isilmine";
+ String userPassword = "secret";
+ String msgText = "автор этого поста был забанен";
+
+ User isilmine = userService.getUserByUID(userService.createUser(userName, userPassword)).orElseThrow(IllegalStateException::new);
+ int mid = messagesService.createMessage(isilmine.getUid(), msgText, null, null);
+ mockMvc.perform(get(String.format("/thread?mid=%d", mid)).with(httpBasic(ugnichName, ugnichPassword)))
+ .andExpect(status().isOk());
+ jdbcTemplate.update("UPDATE users SET banned=1 WHERE id=?", isilmine.getUid());
+ mockMvc.perform(get(String.format("/thread?mid=%d", mid)).with(httpBasic(ugnichName, ugnichPassword)))
+ .andExpect(status().isNotFound());
+ mockMvc.perform(get("/messages?uname=isilmine").with(httpBasic(ugnichName, ugnichPassword)))
+ .andExpect(status().isNotFound());
+ }
+
+ @Test
+ public void emptyPasswordMeansUserIsDisabled() throws Exception {
+ String userName = "oldschooluser";
+ String userPassword = "";
+
+ userService.createUser(userName, userPassword);
+
+ mockMvc.perform(get("/auth").with(httpBasic(userName, userPassword))).andExpect(status().isUnauthorized());
+ }
 }
|
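Review bot: `bannedUserBlogandPostShouldReturn404` only asserts that `/messages?uname=isilmine` is 404 after the ban, so a route or parameter mismatch that returned 404 from the start would pass the test without exercising the new check; add `mockMvc.perform(get("/messages?uname=isilmine").with(httpBasic(ugnichName, ugnichPassword))).andExpect(status().isOk());` before the `jdbcTemplate.update` line, mirroring what the test already does for `/thread`. The ban is applied with a raw `UPDATE users SET banned=1` rather than through a service call, so the test silently diverges from production behaviour if `JuickUser.isEnabled()` is ever derived from anything other than that column; if `UserService` exposes a ban operation it is the better fixture. The test also leaves the banned user and its message in the shared database, which other tests will see unless the database is reset per test.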