From 379eda6a42fdba0a6ed7e7ae53e0fbf2acd774b6 Mon Sep 17 00:00:00 2001
From: Danail Dimitrov <danaildimitrov321@gmail.com>
Date: Fri, 26 Feb 2021 23:00:50 +0200
Subject: Adding update layer for rating_system

---
 src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs

(limited to 'src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs')

diff --git a/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs
new file mode 100644
index 0000000..07ba0c3
--- /dev/null
+++ b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs
@@ -0,0 +1,15 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace DevHive.Web.Models.Rating
+{
+	public class UpdateRatingWebModel
+	{
+		public Guid PostId { get; set; }
+
+		public bool IsLike { get; set; }
+	}
+}
-- 
cgit v1.2.3


From 6089bc2e3b14155c334c9fed057383b9ca6e4df6 Mon Sep 17 00:00:00 2001
From: Danail Dimitrov <danaildimitrov321@gmail.com>
Date: Sat, 27 Feb 2021 21:53:14 +0200
Subject: Adding user validation for rating layer

---
 .../DevHive.Services/Interfaces/IRatingService.cs  |  4 ++
 .../DevHive.Services/Services/RatingService.cs     | 67 +++++++++++++++++++++-
 .../Rating/UpdateRatingWebModel.cs                 |  2 +
 .../DevHive.Web/Controllers/RatingController.cs    |  6 ++
 4 files changed, 78 insertions(+), 1 deletion(-)

(limited to 'src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs')

diff --git a/src/Services/DevHive.Services/Interfaces/IRatingService.cs b/src/Services/DevHive.Services/Interfaces/IRatingService.cs
index 601b07e..b9ddc2c 100644
--- a/src/Services/DevHive.Services/Interfaces/IRatingService.cs
+++ b/src/Services/DevHive.Services/Interfaces/IRatingService.cs
@@ -15,5 +15,9 @@ namespace DevHive.Services.Interfaces
 		Task<ReadRatingServiceModel> UpdateRating(UpdateRatingServiceModel updateRatingServiceModel);
 
 		Task<bool> DeleteRating(Guid ratingId);
+
+		Task<bool> ValidateJwtForCreating(Guid userId, string rawTokenData);
+
+		Task<bool> ValidateJwtForRating(Guid commentId, string rawTokenData);
 	}
 }
diff --git a/src/Services/DevHive.Services/Services/RatingService.cs b/src/Services/DevHive.Services/Services/RatingService.cs
index 20080ea..22eeb99 100644
--- a/src/Services/DevHive.Services/Services/RatingService.cs
+++ b/src/Services/DevHive.Services/Services/RatingService.cs
@@ -1,5 +1,8 @@
 using System;
+using System.Collections.Generic;
+using System.IdentityModel.Tokens.Jwt;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using AutoMapper;
 using DevHive.Data.Interfaces;
@@ -78,7 +81,7 @@ namespace DevHive.Services.Services
 		#region Update
 		public async Task<ReadRatingServiceModel> UpdateRating(UpdateRatingServiceModel updateRatingServiceModel)
 		{
-			Rating rating = await this._ratingRepository.GetRatingByUserAndPostId(updateRatingServiceModel.UserId, updateRatingServiceModel.PostId) ??
+			Rating rating = await this._ratingRepository.GetByIdAsync(updateRatingServiceModel.Id) ??
 				throw new ArgumentException("Rating does not exist!");
 
 			User user = await this._userRepository.GetByIdAsync(updateRatingServiceModel.UserId) ??
@@ -112,5 +115,67 @@ namespace DevHive.Services.Services
 			return await this._ratingRepository.DeleteAsync(rating);
 		}
 		#endregion
+
+		#region Validations
+		/// <summary>
+		/// Checks whether the user Id in the token and the given user Id match
+		/// </summary>
+		public async Task<bool> ValidateJwtForCreating(Guid userId, string rawTokenData)
+		{
+			User user = await this.GetUserForValidation(rawTokenData);
+
+			return user.Id == userId;
+		}
+
+		/// <summary>
+		/// Checks whether the comment, gotten with the commentId,
+		/// is made by the user in the token
+		/// or if the user in the token is an admin
+		/// </summary>
+		public async Task<bool> ValidateJwtForRating(Guid commentId, string rawTokenData)
+		{
+			Rating rating = await this._ratingRepository.GetByIdAsync(commentId) ??
+				throw new ArgumentException("Rating does not exist!");
+			User user = await this.GetUserForValidation(rawTokenData);
+
+			//If user made the comment
+			if (rating.User.Id == user.Id)
+				return true;
+			//If user is admin
+			else if (user.Roles.Any(x => x.Name == Role.AdminRole))
+				return true;
+			else
+				return false;
+		}
+
+		/// <summary>
+		/// Returns the user, via their Id in the token
+		/// </summary>
+		private async Task<User> GetUserForValidation(string rawTokenData)
+		{
+			JwtSecurityToken jwt = new JwtSecurityTokenHandler().ReadJwtToken(rawTokenData.Remove(0, 7));
+
+			Guid jwtUserId = Guid.Parse(this.GetClaimTypeValues("ID", jwt.Claims).First());
+
+			User user = await this._userRepository.GetByIdAsync(jwtUserId) ??
+				throw new ArgumentException("User does not exist!");
+
+			return user;
+		}
+
+		/// <summary>
+		/// Returns all values from a given claim type
+		/// </summary>
+		private List<string> GetClaimTypeValues(string type, IEnumerable<Claim> claims)
+		{
+			List<string> toReturn = new();
+
+			foreach (var claim in claims)
+				if (claim.Type == type)
+					toReturn.Add(claim.Value);
+
+			return toReturn;
+		}
+		#endregion
 	}
 }
diff --git a/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs
index 07ba0c3..425c3e1 100644
--- a/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs
+++ b/src/Web/DevHive.Web.Models/Rating/UpdateRatingWebModel.cs
@@ -8,6 +8,8 @@ namespace DevHive.Web.Models.Rating
 {
 	public class UpdateRatingWebModel
 	{
+		public Guid Id { get; set; }
+
 		public Guid PostId { get; set; }
 
 		public bool IsLike { get; set; }
diff --git a/src/Web/DevHive.Web/Controllers/RatingController.cs b/src/Web/DevHive.Web/Controllers/RatingController.cs
index 216dc27..33e6992 100644
--- a/src/Web/DevHive.Web/Controllers/RatingController.cs
+++ b/src/Web/DevHive.Web/Controllers/RatingController.cs
@@ -28,6 +28,9 @@ namespace DevHive.Web.Controllers
 		[HttpPost]
 		public async Task<IActionResult> RatePost(Guid userId, [FromBody] CreateRatingWebModel createRatingWebModel, [FromHeader] string authorization)
 		{
+			if (!await this._rateService.ValidateJwtForCreating(userId, authorization))
+				return new UnauthorizedResult();
+
 			CreateRatingServiceModel ratePostServiceModel = this._mapper.Map<CreateRatingServiceModel>(createRatingWebModel);
 			ratePostServiceModel.UserId = userId;
 
@@ -51,6 +54,9 @@ namespace DevHive.Web.Controllers
 		[HttpPut]
 		public async Task<IActionResult> UpdateRating(Guid userId, [FromBody] UpdateRatingWebModel updateRatingWebModel, [FromHeader] string authorization)
 		{
+			if (!await this._rateService.ValidateJwtForRating(updateRatingWebModel.Id, authorization))
+				return new UnauthorizedResult();
+
 			UpdateRatingServiceModel updateRatingServiceModel =
 				this._mapper.Map<UpdateRatingServiceModel>(updateRatingWebModel);
 			updateRatingServiceModel.UserId = userId;
-- 
cgit v1.2.3