massbay-cs / cs225-proj4

https://gitter.im/massbay-cs
Other
0 stars 2 forks source link

Add checkPermission to getters/setters for committee table #81

Closed Zenexer closed 8 years ago

Zenexer commented 8 years ago

We need to ensure that the current user has permission to view/modify/create/delete before reading/writing from the database. This will be enforced with auth.Permissions#checkPermission. A call to checkPermission is added to each method; if the user doesn't have permission for the operation, checkPermission throws an auth.AuthorizationException.

There are descriptive Javadoc comments in the auth.Permissions class. Be sure to read them before starting.

Important: This needs to be done on the authorization branch.

Here are a few examples:

Deleting a user

public class UserData_Table extends InitDB implements Interface_UserData {
    ...
    @Override
    // AuthorizationException has been added to the "throws" list
    public void removeUser(int uid) throws DoesNotExistException, AuthorizationException {
        String table = "USERS";
        // The field argument is null because we're operating on an entire row.
        // We pass uid as the last argument because this operation affects another user.
        Permissions.get().checkPermission(table, null, Operation.DELETE, uid);
        ...
    }
    ...
}
public interface Interface_UserData {
    ...
    // AuthorizationException has been added to the "throws" list
    public void removeUser(int uid) throws DoesNotExistException, AuthorizationException;
    ...
}

Setting a task description

public class Tasks_Table extends InitDB implements Interface_TaskData {
    ...
    // AuthorizationException has been added to the "throws" list
    public void setDescription(int uid, String description) throws DoesNotExistException, AuthorizationException {
        // Note that we DON'T pass uid; uid is just the ID of the current user in this case.
        Permissions.get().checkPermission(tableName, "DESCRIPTION", Operation.MODIFY);
        setDBString("DESCRIPTION", tableName, uid, description);
    }
    ...
}
public interface Interface_TaskData {
    ...
    // AuthorizationException has been added to the "throws" list
    public void setDescription(int uid, String description) throws DoesNotExistException, AuthorizationException;
    ...
}

Viewing a task description

public class Tasks_Table extends InitDB implements Interface_TaskData {
    ...
    // AuthorizationException has been added to the "throws" list
    public String getDescription(int uid) throws DoesNotExistException, AuthorizationException {
        // Note that we DON'T pass uid; uid is just the ID of the current user in this case.
        Permissions.get().checkPermission(tableName, "DESCRIPTION", Operation.VIEW);
        return getDBString("DESCRIPTION", tableName, uid, description);
    }
    ...
}
public interface Interface_TaskData {
    ...
    // AuthorizationException has been added to the "throws" list
    public String getDescription(int uid) throws DoesNotExistException, AuthorizationException;
    ...
}