make sure the user owns the modified data

Athou
2013-04-10 22:07:44 +02:00
parent b3edfb955f
commit 013922b96d
4 changed files with 34 additions and 5 deletions


@@ -100,6 +100,16 @@ public class FeedSubscriptionService extends GenericDAO<FeedSubscription> {
return criteria.getResultList();
}
public List<FeedSubscription> findByCategory(User user,
FeedCategory category) {
EasyCriteria<FeedSubscription> criteria = EasyCriteriaFactory
.createQueryCriteria(em, getType());
criteria.andEquals(MF.i(proxy().getUser()), user);
criteria.andEquals(MF.i(proxy().getCategory()), category);
return criteria.getResultList();
}
public List<FeedSubscription> findWithoutCategories(User user) {
EasyCriteria<FeedSubscription> criteria = EasyCriteriaFactory
.createQueryCriteria(em, getType());
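Review bot: findByCategory enforces ownership only through whichever User the caller hands in, so that contract belongs in the method's documentation; a Javadoc such as `/** Subscriptions of {@code user} in {@code category}. Ownership is not verified here: callers must pass the authenticated user. */` on the new method would make it explicit. The equality filter on category presumably does not match rows with no category when null is passed, so callers wanting uncategorized subscriptions need findWithoutCategories, which begins in the trailing context and continues past the hunk. Whether andEquals with a null category yields an empty result or a query error is not visible from this hunk and is worth confirming before the method is reused.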


@@ -81,8 +81,14 @@ public class SubscriptionsREST extends AbstractREST {
@GET
@Path("unsubscribe")
public Response unsubscribe(@QueryParam("id") Long subscriptionId) {
feedSubscriptionService.deleteById(subscriptionId);
return Response.ok(Status.OK).build();
FeedSubscription sub = feedSubscriptionService.findById(getUser(),
subscriptionId);
if (sub != null) {
feedSubscriptionService.delete(sub);
return Response.ok(Status.OK).build();
} else {
return Response.status(Status.NOT_FOUND).build();
}
}
@GET
@@ -137,8 +143,19 @@ public class SubscriptionsREST extends AbstractREST {
@GET
@Path("deleteCategory")
public Response deleteCategory(@QueryParam("id") Long id) {
feedCategoryService.deleteById(id);
return Response.ok().build();
FeedCategory cat = feedCategoryService.findById(getUser(), id);
if (cat != null) {
List<FeedSubscription> subs = feedSubscriptionService
.findByCategory(getUser(), cat);
for (FeedSubscription sub : subs) {
sub.setCategory(null);
}
feedSubscriptionService.update(subs);
feedCategoryService.delete(cat);
return Response.ok().build();
} else {
return Response.status(Status.NOT_FOUND).build();
}
}
@POST
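Review bot: In deleteCategory, getUser() is evaluated twice (once for findById and once for findByCategory); capturing it once as `User user = getUser();` and passing that local to both calls avoids the repeated lookup and makes the single ownership scope obvious. Both unsubscribe and deleteCategory answer NOT_FOUND for an id that exists but belongs to another user as well as for an unknown id, which keeps foreign ids unobservable; a comment such as `// 404 for unknown and foreign ids alike: do not reveal other users' ids` at the null check would record that this is deliberate rather than accidental. feedSubscriptionService.update(subs) runs even when findByCategory returns an empty list; whether update tolerates an empty collection is not visible here. The ownership check itself rests on findById(User, Long) filtering by owner, which is defined outside this diff, and a null id query parameter flows straight into that call without a guard.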