Only site admin can add comment to series.

Fix #120

Author: php-coder

Diff for: src/main/java/ru/mystamps/web/controller/SeriesController.java

@@ -18,6 +18,7 @@
 package ru.mystamps.web.controller;
 
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
 import javax.validation.groups.Default;
 
 import java.util.Calendar;
@@ -46,6 +47,7 @@
 import ru.mystamps.web.entity.Series;
 import ru.mystamps.web.service.CountryService;
 import ru.mystamps.web.service.SeriesService;
+import ru.mystamps.web.support.spring.security.SecurityContextUtils;
 import ru.mystamps.web.util.CatalogUtils;
 
 @Controller
@@ -105,13 +107,16 @@ public AddSeriesForm showForm() {
 	public String processInput(
 		@Validated({Default.class, ImageChecks.class}) AddSeriesForm form,
 		BindingResult result,
+		HttpServletRequest request,
 		User currentUser) {
 
 		if (result.hasErrors()) {
 			return null;
 		}
 
-		Series series = seriesService.add(form, currentUser);
+		boolean userCanAddComments =
+			SecurityContextUtils.hasAuthority(request, "ADD_COMMENTS_TO_SERIES");
+		Series series = seriesService.add(form, currentUser, userCanAddComments);
 
 		String dstUrl = UriComponentsBuilder.fromUriString(Url.INFO_SERIES_PAGE)
 			.buildAndExpand(series.getId())

Diff for: src/main/java/ru/mystamps/web/entity/User.java

@@ -21,10 +21,13 @@
 
 import javax.persistence.Column;
 import javax.persistence.Entity;
+import javax.persistence.Enumerated;
 import javax.persistence.GeneratedValue;
 import javax.persistence.Id;
 import javax.persistence.Table;
 
+import static javax.persistence.EnumType.STRING;
+
 import lombok.Getter;
 import lombok.Setter;
 
@@ -35,6 +38,7 @@
 public class User {
 
 	public static final int LOGIN_LENGTH = 15;
+	public static final int ROLE_LENGTH  = 5;
 	public static final int NAME_LENGTH  = 100;
 	public static final int HASH_LENGTH  = 40;
 	public static final int SALT_LENGTH  = 10;
@@ -46,6 +50,10 @@ public class User {
 	@Column(length = LOGIN_LENGTH, unique = true, nullable = false)
 	private String login;
 
+	@Column(length = ROLE_LENGTH, nullable = false)
+	@Enumerated(STRING)
+	private Role role;
+	
 	@Column(length = NAME_LENGTH, nullable = false)
 	private String name;
 
@@ -64,4 +72,12 @@ public class User {
 	@Column(length = SALT_LENGTH, nullable = false)
 	private String salt;
 
+	public boolean isAdmin() {
+		return role == Role.ADMIN;
+	}
+	
+	public enum Role {
+		USER, ADMIN
+	};
+	
 }

Diff for: src/main/java/ru/mystamps/web/service/SeriesService.java

@@ -22,5 +22,5 @@
 import ru.mystamps.web.service.dto.AddSeriesDto;
 
 public interface SeriesService {
-	Series add(AddSeriesDto dto, User user);
+	Series add(AddSeriesDto dto, User user, boolean userCanAddComments);
 }

Diff for: src/main/java/ru/mystamps/web/service/SeriesServiceImpl.java

@@ -60,7 +60,7 @@ public SeriesServiceImpl(SeriesDao seriesDao, ImageService imageService) {
 	@Override
 	@Transactional
 	@PreAuthorize("hasAuthority('CREATE_SERIES')")
-	public Series add(AddSeriesDto dto, User user) {
+	public Series add(AddSeriesDto dto, User user, boolean userCanAddComments) {
 		Validate.isTrue(dto != null, "DTO must be non null");
 		Validate.isTrue(dto.getQuantity() != null, "Stamps quantity must be non null");
 		Validate.isTrue(
@@ -104,7 +104,7 @@ public Series add(AddSeriesDto dto, User user) {
 
 		series.setImageUrl(imageUrl);
 
-		if (dto.getComment() != null) {
+		if (userCanAddComments && dto.getComment() != null) {
 			Validate.isTrue(
 				!dto.getComment().trim().isEmpty(),
 				"Comment must be non empty"

Diff for: src/main/java/ru/mystamps/web/service/UserServiceImpl.java

@@ -39,6 +39,8 @@
 import ru.mystamps.web.service.dto.ActivateAccountDto;
 import ru.mystamps.web.service.dto.RegisterAccountDto;
 
+import static ru.mystamps.web.entity.User.Role.USER;
+
 public class UserServiceImpl implements UserService {
 
 	private static final Logger LOG = LoggerFactory.getLogger(UserService.class);
@@ -117,6 +119,7 @@ public void registerUser(ActivateAccountDto dto) {
 
 		User user = new User();
 		user.setLogin(login);
+		user.setRole(USER);
 		user.setName(finalName);
 		user.setEmail(email);
 		user.setRegisteredAt(registrationDate);

Diff for: src/main/java/ru/mystamps/web/support/spring/security/CustomUserDetailsService.java

@@ -36,6 +36,7 @@
 import org.apache.commons.lang3.Validate;
 
 import ru.mystamps.web.entity.User;
+import ru.mystamps.web.entity.User.Role;
 import ru.mystamps.web.service.UserService;
 
 /**
@@ -67,13 +68,18 @@ public UserDetails loadUserByUsername(String login) {
 
 		LOG.debug("User '{}' found", login);
 
-		return new CustomUserDetails(user, getAuthorities());
+		return new CustomUserDetails(user, getAuthorities(user));
 	}
 
-	private static Collection<? extends GrantedAuthority> getAuthorities() {
+	private static Collection<? extends GrantedAuthority> getAuthorities(User user) {
 		List<SimpleGrantedAuthority> authorities = new LinkedList<SimpleGrantedAuthority>();
 		authorities.add(new SimpleGrantedAuthority("CREATE_COUNTRY"));
 		authorities.add(new SimpleGrantedAuthority("CREATE_SERIES"));
+		
+		if (user.isAdmin()) {
+			authorities.add(new SimpleGrantedAuthority("ADD_COMMENTS_TO_SERIES"));
+		}
+		
 		return authorities;
 	}
 

Diff for: src/main/java/ru/mystamps/web/support/spring/security/SecurityContextUtils.java

@@ -0,0 +1,16 @@
+package ru.mystamps.web.support.spring.security;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestWrapper;
+
+public final class SecurityContextUtils {
+	
+	private SecurityContextUtils() {
+	}
+	
+	public static boolean hasAuthority(HttpServletRequest request, String authority) {
+		return new SecurityContextHolderAwareRequestWrapper(request, null).isUserInRole(authority);
+	}
+	
+}

Diff for: src/main/resources/liquibase/initial-state.xml

@@ -36,6 +36,9 @@
 			<column name="login" type="VARCHAR(15)">
 				<constraints nullable="false" unique="true" />
 			</column>
+			<column name="role" type="VARCHAR(5)">
+				<constraints nullable="false" />
+			</column>
 			<column name="name" type="VARCHAR(100)">
 				<constraints nullable="false" />
 			</column>
@@ -413,6 +416,10 @@
 			<column name="name" value="AuthenticationFailed" />
 		</insert>
 	</changeSet>
+
+	<changeSet id="create-user-admin" author="php-coder" context="test-data">
+		<sqlFile path="sql/test-user-admin.sql" relativeToChangelogFile="true" />
+	</changeSet>
 
 	<changeSet id="create-user-coder" author="php-coder" context="test-data">
 		<sqlFile path="sql/test-user-coder.sql" relativeToChangelogFile="true" />

Diff for: src/main/resources/liquibase/sql/test-country-italy.sql

@@ -3,8 +3,8 @@
 --
 
 -- Used below as country's owner
-INSERT INTO users(id, login, name, registered_at, activated_at, hash, salt, email) VALUES
-	(2, 'test0', '@valid_country_name@ Country Owner', NOW(), NOW(), '@valid_user_password_hash@', '@valid_user_password_salt@', '[email protected]');
+INSERT INTO users(id, login, role, name, registered_at, activated_at, hash, salt, email) VALUES
+	(3, 'test0', 'USER', '@valid_country_name@ Country Owner', NOW(), NOW(), '@valid_user_password_hash@', '@valid_user_password_salt@', '[email protected]');
 
 -- Used only in WhenUserAddCountry
 INSERT INTO countries(name, created_at, created_by, updated_at, updated_by) VALUES

Diff for: src/main/resources/liquibase/sql/test-user-admin.sql

@@ -0,0 +1,6 @@
+--
+-- Auto-generated by Maven, based on values from src/main/resources/test/spring/test-data.properties
+--
+
+INSERT INTO users(id, login, role, name, registered_at, activated_at, hash, salt, email) VALUES
+	(1, '@valid_admin_login@', 'ADMIN', 'Site Admin', NOW(), NOW(), '@valid_admin_password_hash@', '@valid_admin_password_salt@', 'admin@localhost');

Diff for: src/main/resources/liquibase/sql/test-user-coder.sql

@@ -2,5 +2,5 @@
 -- Auto-generated by Maven, based on values from src/main/resources/test/spring/test-data.properties
 --
 
-INSERT INTO users(id, login, name, registered_at, activated_at, hash, salt, email) VALUES
-	(1, '@valid_user_login@', '@valid_user_name@', NOW(), NOW(), '@valid_user_password_hash@', '@valid_user_password_salt@', '[email protected]');
+INSERT INTO users(id, login, role, name, registered_at, activated_at, hash, salt, email) VALUES
+	(2, '@valid_user_login@', 'USER', '@valid_user_name@', NOW(), NOW(), '@valid_user_password_hash@', '@valid_user_password_salt@', '[email protected]');

Diff for: src/main/resources/test/spring/test-data.properties

@@ -24,3 +24,11 @@ not_activated_user2_act_key = 4444477777
 # this country should always exist
 # (used only in WhenUserAddCountry)
 valid_country_name = Italy
+
+# this privileged user should always exist
+valid_admin_login = admin
+valid_admin_password = test
+
+# Auto-calculated by SELECT SHA1(CONCAT('${salt}', '{', '${password}', '}'));
+valid_admin_password_salt = cEjinQJY3v
+valid_admin_password_hash = 27e04fc489395d3167d8dd71fc47e466ee190aee

Diff for: src/main/webapp/WEB-INF/tags/elem/field.tag

@@ -5,22 +5,25 @@
 <%@ attribute name="path" required="true" rtexprvalue="true" %>
 <%@ attribute name="label" required="true" rtexprvalue="true" %>
 <%@ attribute name="required" required="false" rtexprvalue="true" type="java.lang.Boolean" %>
+<%@ attribute name="render" required="false" rtexprvalue="true" type="java.lang.Boolean" %>
 
-<spring:bind path="${path}">
-	<c:set var="hasError" value="${status.error}" />
-	
-	<div class="control-group ${hasError ? 'error' : ''}">
-		<form:label path="${path}" cssClass="control-label">
-			<span class="field-label">
-				<spring:message code="${label}" />
-			</span>
-			<c:if test="${required}">
-				<span id="${path}.required" class="required_field">*</span>
-			</c:if>
-		</form:label>
-		<div class="controls">
-			<jsp:doBody />
-			<form:errors path="${path}" cssClass="help-inline" />
+<c:if test="${empty render or render}">
+	<spring:bind path="${path}">
+		<c:set var="hasError" value="${status.error}" />
+		
+		<div class="control-group ${hasError ? 'error' : ''}">
+			<form:label path="${path}" cssClass="control-label">
+				<span class="field-label">
+					<spring:message code="${label}" />
+				</span>
+				<c:if test="${required}">
+					<span id="${path}.required" class="required_field">*</span>
+				</c:if>
+			</form:label>
+			<div class="controls">
+				<jsp:doBody />
+				<form:errors path="${path}" cssClass="help-inline" />
+			</div>
 		</div>
-	</div>
-</spring:bind>
+	</spring:bind>
+</c:if>

Diff for: src/main/webapp/WEB-INF/tiles/body/series/add.jsp

@@ -1,6 +1,7 @@
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
 <%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
+<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>
 <%@ taglib tagdir="/WEB-INF/tags/elem" prefix="elem" %>
 <%@ page import="ru.mystamps.web.validation.ValidationRules" %>
 
@@ -127,7 +128,8 @@
 			</div>
 		</div>
 
-		<elem:field path="comment" label="t_comment">
+		<sec:authorize var="userCanAddComments" access="hasAuthority('ADD_COMMENTS_TO_SERIES')" />
+		<elem:field path="comment" label="t_comment" render="${userCanAddComments}">
 			<form:textarea path="comment" cssClass="span6" cols="22" rows="3" />
 		</elem:field>
 

Diff for: src/main/webapp/WEB-INF/tiles/body/series/info.jsp

@@ -1,6 +1,7 @@
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
 <%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
+<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>
 <%@ taglib tagdir="/WEB-INF/tags/elem" prefix="elem" %>
 
 <div class="row-fluid">
@@ -92,7 +93,8 @@
 					/>
 				</dd>
 			</c:if>
-			<c:if test="${not empty series.comment}">
+			<sec:authorize var="userCanAddComments" access="hasAuthority('ADD_COMMENTS_TO_SERIES')" />
+			<c:if test="${userCanAddComments and not empty series.comment}">
 				<dt>
 					<spring:message code="t_comment" />
 				</dt>