make sure the user owns the modified data

2013-04-10 22:07:44 +02:00
parent b3edfb955f
commit 013922b96d
4 changed files with 34 additions and 5 deletions
--- a/src/main/java/com/commafeed/backend/dao/FeedSubscriptionService.java
+++ b/src/main/java/com/commafeed/backend/dao/FeedSubscriptionService.java
@@ -100,6 +100,16 @@ public class FeedSubscriptionService extends GenericDAO<FeedSubscription> {
 		return criteria.getResultList();
 	}

+	public List<FeedSubscription> findByCategory(User user,
+			FeedCategory category) {
+		EasyCriteria<FeedSubscription> criteria = EasyCriteriaFactory
+				.createQueryCriteria(em, getType());
+		criteria.andEquals(MF.i(proxy().getUser()), user);
+		criteria.andEquals(MF.i(proxy().getCategory()), category);
+		return criteria.getResultList();
+
+	}
+
 	public List<FeedSubscription> findWithoutCategories(User user) {
 		EasyCriteria<FeedSubscription> criteria = EasyCriteriaFactory
 				.createQueryCriteria(em, getType());
--- a/src/main/java/com/commafeed/frontend/rest/resources/SubscriptionsREST.java
+++ b/src/main/java/com/commafeed/frontend/rest/resources/SubscriptionsREST.java
@@ -81,8 +81,14 @@ public class SubscriptionsREST extends AbstractREST {
 	@GET
 	@Path("unsubscribe")
 	public Response unsubscribe(@QueryParam("id") Long subscriptionId) {
-		feedSubscriptionService.deleteById(subscriptionId);
-		return Response.ok(Status.OK).build();
+		FeedSubscription sub = feedSubscriptionService.findById(getUser(),
+				subscriptionId);
+		if (sub != null) {
+			feedSubscriptionService.delete(sub);
+			return Response.ok(Status.OK).build();
+		} else {
+			return Response.status(Status.NOT_FOUND).build();
+		}
 	}

 	@GET
@@ -137,8 +143,19 @@ public class SubscriptionsREST extends AbstractREST {
 	@GET
 	@Path("deleteCategory")
 	public Response deleteCategory(@QueryParam("id") Long id) {
-		feedCategoryService.deleteById(id);
-		return Response.ok().build();
+		FeedCategory cat = feedCategoryService.findById(getUser(), id);
+		if (cat != null) {
+			List<FeedSubscription> subs = feedSubscriptionService
+					.findByCategory(getUser(), cat);
+			for (FeedSubscription sub : subs) {
+				sub.setCategory(null);
+			}
+			feedSubscriptionService.update(subs);
+			feedCategoryService.delete(cat);
+			return Response.ok().build();
+		} else {
+			return Response.status(Status.NOT_FOUND).build();
+		}
 	}

 	@POST
--- a/src/main/webapp/directives/category.html
+++ b/src/main/webapp/directives/category.html
@@ -1,5 +1,5 @@
 <li>
-	<div ng-mouseenter="hovered=node" ng-mouseleave="hovered=null" class="pointer">
+	<div ng-mouseenter="hovered=node && node.id != 'all'" ng-mouseleave="hovered=null" class="pointer">
 		<div class="dropdown pull-right">
 			<a dropdown-toggle class="pull-right">
 				<i ng-show="hovered==node" class="icon icon-chevron-down"></i>
--- a/src/main/webapp/js/directives.js
+++ b/src/main/webapp/js/directives.js
@@ -149,6 +149,8 @@ module.directive('category', function($compile) {
 							if (result == 'ok') {
 								SubscriptionService.deleteCategory({
 									id : category.id
+								}, function() {
+									SubscriptionService.init();
 								});
 							}
 						});