mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-17 11:45:05 +02:00
Harden shared signature endpoints (#5806)
This commit is contained in:
+18
@@ -48,11 +48,19 @@ public class SignatureController {
|
||||
* requirements.
|
||||
*/
|
||||
@PostMapping
|
||||
@PreAuthorize("isAuthenticated() && !hasAuthority('ROLE_DEMO_USER')")
|
||||
public ResponseEntity<SavedSignatureResponse> saveSignature(
|
||||
@RequestBody SavedSignatureRequest request) {
|
||||
try {
|
||||
String username = userService.getCurrentUsername();
|
||||
|
||||
if ("shared".equals(request.getScope()) && !userService.isCurrentUserAdmin()) {
|
||||
log.warn(
|
||||
"User {} attempted to create shared signature without admin role",
|
||||
username);
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
|
||||
}
|
||||
|
||||
// Validate request
|
||||
if (request.getDataUrl() == null || request.getDataUrl().isEmpty()) {
|
||||
log.warn("User {} attempted to save signature without dataUrl", username);
|
||||
@@ -76,6 +84,7 @@ public class SignatureController {
|
||||
* signatures.
|
||||
*/
|
||||
@GetMapping
|
||||
@PreAuthorize("isAuthenticated() && !hasAuthority('ROLE_DEMO_USER')")
|
||||
public ResponseEntity<List<SavedSignatureResponse>> listSignatures() {
|
||||
try {
|
||||
String username = userService.getCurrentUsername();
|
||||
@@ -98,12 +107,21 @@ public class SignatureController {
|
||||
try {
|
||||
String username = userService.getCurrentUsername();
|
||||
String newLabel = body.get("label");
|
||||
boolean isAdmin = userService.isCurrentUserAdmin();
|
||||
|
||||
if (newLabel == null || newLabel.trim().isEmpty()) {
|
||||
log.warn("Invalid label update request");
|
||||
return ResponseEntity.badRequest().build();
|
||||
}
|
||||
|
||||
if (signatureService.isSharedSignature(signatureId) && !isAdmin) {
|
||||
log.warn(
|
||||
"User {} attempted to update shared signature {} without admin role",
|
||||
username,
|
||||
signatureId);
|
||||
return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
|
||||
}
|
||||
|
||||
signatureService.updateSignatureLabel(username, signatureId, newLabel);
|
||||
log.info("User {} updated label for signature {}", username, signatureId);
|
||||
return ResponseEntity.noContent().build();
|
||||
|
||||
+6
@@ -249,6 +249,12 @@ public class SignatureService implements PersonalSignatureServiceInterface {
|
||||
throw new FileNotFoundException("Signature metadata not found");
|
||||
}
|
||||
|
||||
public boolean isSharedSignature(String signatureId) {
|
||||
validateFileName(signatureId);
|
||||
Path sharedFolder = Paths.get(SIGNATURE_BASE_PATH, ALL_USERS_FOLDER);
|
||||
return Files.exists(sharedFolder.resolve(signatureId + ".json"));
|
||||
}
|
||||
|
||||
private void updateMetadataLabel(Path metadataPath, String newLabel) throws IOException {
|
||||
String metadataJson = Files.readString(metadataPath, StandardCharsets.UTF_8);
|
||||
SavedSignatureResponse sig =
|
||||
|
||||
Reference in New Issue
Block a user