booklore-app/booklore
1
0
Fork 0
mirror of https://github.com/booklore-app/booklore.git synced 2026-02-18 00:17:53 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: enforce shelf ownership validation in assignShelvesToBooks

Browse Source 
- Added user ownership validation for shelves before assigning or unassigning.
- Replaced exceptions with ApiError for consistency.
- Ensured unauthorized users cannot modify shelves they do not own.
This commit is contained in:
aditya.chandel
2025-02-17 05:15:36 -07:00
parent 4f2abcd4b3
commit 44be62d942
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
booklore-api/src/main/java/com/adityachandel/booklore/service/BooksService.java
View File

@@ -19,6 +19,7 @@ import org.springframework.core.io.UrlResource;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
@@ -97,10 +98,25 @@ public class BooksService {
@Transactional
public List<Book> assignShelvesToBooks(Set<Long> bookIds, Set<Long> shelfIdsToAssign, Set<Long> shelfIdsToUnassign) {
BookLoreUser user = authenticationService.getAuthenticatedUser();
BookLoreUserEntity userEntity = userRepository.findById(user.getId()).orElseThrow(() -> ApiError.USER_NOT_FOUND.createException(user.getId()));
Set<Long> userShelfIds = userEntity.getShelves().stream()
.map(ShelfEntity::getId)
.collect(Collectors.toSet());
if (!userShelfIds.containsAll(shelfIdsToAssign)) {
throw ApiError.UNAUTHORIZED.createException("Cannot assign shelves that do not belong to the user.");
}
if (!userShelfIds.containsAll(shelfIdsToUnassign)) {
throw ApiError.UNAUTHORIZED.createException("Cannot unassign shelves that do not belong to the user.");
}
List<BookEntity> bookEntities = bookRepository.findAllById(bookIds);
List<ShelfEntity> shelvesToAssign = shelfRepository.findAllById(shelfIdsToAssign);
for (BookEntity bookEntity : bookEntities) {
bookEntity.getShelves().removeIf(shelf -> shelfIdsToUnassign.contains(shelf.getId()));
for (ShelfEntity shelf : shelvesToAssign) {
if (!bookEntity.getShelves().contains(shelf)) {
bookEntity.getShelves().add(shelf);