diff options
4 files changed, 78 insertions, 1 deletions
diff --git a/src/Services/DevHive.Services/Interfaces/IRatingService.cs b/src/Services/DevHive.Services/Interfaces/IRatingService.cs index 601b07e..b9ddc2c 100644 --- a/src/Services/DevHive.Services/Interfaces/IRatingService.cs +++ b/src/Services/DevHive.Services/Interfaces/IRatingService.cs @@ -15,5 +15,9 @@ namespace DevHive.Services.Interfaces Task<ReadRatingServiceModel> UpdateRating(UpdateRatingServiceModel updateRatingServiceModel); Task<bool> DeleteRating(Guid ratingId); + + Task<bool> ValidateJwtForCreating(Guid userId, string rawTokenData); + + Task<bool> ValidateJwtForRating(Guid commentId, string rawTokenData); } } diff --git a/src/Services/DevHive.Services/Services/RatingService.cs b/src/Services/DevHive.Services/Services/RatingService.cs index 20080ea..22eeb99 100644 --- a/src/Services/DevHive.Services/Services/RatingService.cs +++ b/src/Services/DevHive.Services/Services/RatingService.cs @@ -1,5 +1,8 @@ using System; +using System.Collections.Generic; +using System.IdentityModel.Tokens.Jwt; using System.Linq; +using System.Security.Claims; using System.Threading.Tasks; using AutoMapper; using DevHive.Data.Interfaces; @@ -78,7 +81,7 @@ namespace DevHive.Services.Services #region Update public async Task<ReadRatingServiceModel> UpdateRating(UpdateRatingServiceModel updateRatingServiceModel) { - Rating rating = await this._ratingRepository.GetRatingByUserAndPostId(updateRatingServiceModel.UserId, updateRatingServiceModel.PostId) ?? + Rating rating = await this._ratingRepository.GetByIdAsync(updateRatingServiceModel.Id) ?? throw new ArgumentException("Rating does not exist!"); User user = await this._userRepository.GetByIdAsync(updateRatingServiceModel.UserId) ?? @@ -112,5 +115,67 @@ namespace DevHive.Services.Services return await this._ratingRepository.DeleteAsync(rating); } #endregion + + #region Validations + /// <summary> + /// Checks whether the user Id in the token and the given user Id match + /// </summary> + public async Task<bool> ValidateJwtForCreating(Guid userId, string rawTokenData) + { + User user = await this.GetUserForValidation(rawTokenData); + + return user.Id == userId; + } + + /// <summary> + /// Checks whether the comment, gotten with the commentId, + /// is made by the user in the token + /// or if the user in the token is an admin + /// </summary> + public async Task<bool> ValidateJwtForRating(Guid commentId, string rawTokenData) + { + Rating rating = await this._ratingRepository.GetByIdAsync(commentId) ?? + throw new ArgumentException("Rating does not exist!"); + User user = await this.GetUserForValidation(rawTokenData); + + //If user made the comment + if (rating.User.Id == user.Id) + return true; + //If user is admin + else if (user.Roles.Any(x => x.Name == Role.AdminRole)) + return true; + else + return false; + } + + /// <summary> + /// Returns the user, via their Id in the token + /// </summary> + private async Task<User> GetUserForValidation(string rawTokenData) + { + JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(rawTokenData.Remove(0, 7)); + + Guid jwtUserId = Guid.Parse(this.GetClaimTypeValues("ID", jwt.Claims).First()); + + User user = await this._userRepository.GetByIdAsync(jwtUserId) ?? + throw new ArgumentException("User does not exist!"); + + return user; + } + + /// <summary> + /// Returns all values from a given claim type + /// </summary> + private List<string> GetClaimTypeValues(string type, IEnumerable<Claim> claims) + { + List<string> toReturn = new(); + + foreach (var claim in claims) + if (claim.Type == type) + toReturn.Add(claim.Value); + + return toReturn; + } + #endregion } } diff --git a/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs index 07ba0c3..425c3e1 100644 --- a/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs +++ b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs @@ -8,6 +8,8 @@ namespace DevHive.Web.Models.Rating { public class UpdateRatingWebModel { + public Guid Id { get; set; } + public Guid PostId { get; set; } public bool IsLike { get; set; } diff --git a/src/Web/DevHive.Web/Controllers/RatingController.cs b/src/Web/DevHive.Web/Controllers/RatingController.cs index 216dc27..33e6992 100644 --- a/src/Web/DevHive.Web/Controllers/RatingController.cs +++ b/src/Web/DevHive.Web/Controllers/RatingController.cs @@ -28,6 +28,9 @@ namespace DevHive.Web.Controllers [HttpPost] public async Task<IActionResult> RatePost(Guid userId, [FromBody] CreateRatingWebModel createRatingWebModel, [FromHeader] string authorization) { + if (!await this._rateService.ValidateJwtForCreating(userId, authorization)) + return new UnauthorizedResult(); + CreateRatingServiceModel ratePostServiceModel = this._mapper.Map<CreateRatingServiceModel>(createRatingWebModel); ratePostServiceModel.UserId = userId; @@ -51,6 +54,9 @@ namespace DevHive.Web.Controllers [HttpPut] public async Task<IActionResult> UpdateRating(Guid userId, [FromBody] UpdateRatingWebModel updateRatingWebModel, [FromHeader] string authorization) { + if (!await this._rateService.ValidateJwtForRating(updateRatingWebModel.Id, authorization)) + return new UnauthorizedResult(); + UpdateRatingServiceModel updateRatingServiceModel = this._mapper.Map<UpdateRatingServiceModel>(updateRatingWebModel); updateRatingServiceModel.UserId = userId; |