fix: patch user can set any albumId

ShiinaKin · Sep 26, 2024 · efba3ae · efba3ae
1 parent 2019417
commit efba3ae
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 27 deletions.
diff --git a/app/src/main/kotlin/io/sakurasou/exception/controller/param/WrongParameterException.kt b/app/src/main/kotlin/io/sakurasou/exception/controller/param/WrongParameterException.kt
@@ -6,9 +6,14 @@ import io.sakurasou.exception.ServiceThrowable
  * @author Shiina Kin
  * 2024/9/9 10:38
  */
-class WrongParameterException : ServiceThrowable() {
+class WrongParameterException(
+    msg: String? = null
+) : ServiceThrowable() {
     override val code: Int
         get() = 4000
-    override val message: String
-        get() = "Wrong parameter"
+    override var message: String = "Wrong parameter"
+
+    init {
+        msg?.let { message += ", $it" }
+    }
 }
diff --git a/app/src/main/kotlin/io/sakurasou/exception/service/album/AlbumNotFoundException.kt b/app/src/main/kotlin/io/sakurasou/exception/service/album/AlbumNotFoundException.kt
@@ -0,0 +1,14 @@
+package io.sakurasou.exception.service.album
+
+import io.sakurasou.exception.ServiceThrowable
+
+/**
+ * @author Shiina Kin
+ * 2024/9/12 12:57
+ */
+class AlbumNotFoundException : ServiceThrowable() {
+    override val code: Int
+        get() = 404
+    override val message: String
+        get() = "Album Not Found"
+}
diff --git a/app/src/main/kotlin/io/sakurasou/model/dao/album/AlbumDao.kt b/app/src/main/kotlin/io/sakurasou/model/dao/album/AlbumDao.kt
@@ -9,7 +9,7 @@ import io.sakurasou.model.entity.Album
  */
 interface AlbumDao {
     fun listAlbumByUserId(userId: Long): List<Album>
-    fun getAlbumById(albumId: Long): Album?
+    fun findAlbumById(albumId: Long): Album?
     fun saveAlbum(insertDTO: AlbumInsertDTO): Long
     fun initAlbumForUser(userId: Long): Long
 }
diff --git a/app/src/main/kotlin/io/sakurasou/model/dao/album/AlbumDaoImpl.kt b/app/src/main/kotlin/io/sakurasou/model/dao/album/AlbumDaoImpl.kt
@@ -5,6 +5,7 @@ import io.sakurasou.model.entity.Album
 import kotlinx.datetime.Clock
 import kotlinx.datetime.TimeZone
 import kotlinx.datetime.toLocalDateTime
+import org.jetbrains.exposed.sql.ResultRow
 import org.jetbrains.exposed.sql.insertAndGetId
 import org.jetbrains.exposed.sql.selectAll
 
@@ -16,33 +17,13 @@ class AlbumDaoImpl : AlbumDao {
     override fun listAlbumByUserId(userId: Long): List<Album> {
         return Albums.selectAll()
             .where { Albums.userId eq userId }
-            .map {
-                Album(
-                    it[Albums.id].value,
-                    it[Albums.userId],
-                    it[Albums.name],
-                    it[Albums.description],
-                    it[Albums.imageCount],
-                    it[Albums.isUncategorized],
-                    it[Albums.createTime],
-                )
-            }
+            .map { toAlbum(it) }
     }
 
-    override fun getAlbumById(albumId: Long): Album? {
+    override fun findAlbumById(albumId: Long): Album? {
         return Albums.selectAll()
             .where { Albums.id eq albumId }
-            .map {
-                Album(
-                    it[Albums.id].value,
-                    it[Albums.userId],
-                    it[Albums.name],
-                    it[Albums.description],
-                    it[Albums.imageCount],
-                    it[Albums.isUncategorized],
-                    it[Albums.createTime],
-                )
-            }
+            .map { toAlbum(it) }
             .firstOrNull()
     }
 
@@ -70,4 +51,14 @@ class AlbumDaoImpl : AlbumDao {
         )
         return saveAlbum(uncategorizedAlbum)
     }
+
+    private fun toAlbum(it: ResultRow) = Album(
+        it[Albums.id].value,
+        it[Albums.userId],
+        it[Albums.name],
+        it[Albums.description],
+        it[Albums.imageCount],
+        it[Albums.isUncategorized],
+        it[Albums.createTime],
+    )
 }
diff --git a/app/src/main/kotlin/io/sakurasou/service/user/UserServiceImpl.kt b/app/src/main/kotlin/io/sakurasou/service/user/UserServiceImpl.kt
@@ -6,6 +6,8 @@ import io.sakurasou.controller.vo.PageResult
 import io.sakurasou.controller.vo.UserPageVO
 import io.sakurasou.controller.vo.UserVO
 import io.sakurasou.exception.controller.access.SignupNotAllowedException
+import io.sakurasou.exception.controller.param.WrongParameterException
+import io.sakurasou.exception.service.album.AlbumNotFoundException
 import io.sakurasou.exception.service.user.UserDeleteFailedException
 import io.sakurasou.exception.service.user.UserInsertFailedException
 import io.sakurasou.exception.service.user.UserNotFoundException
@@ -120,7 +122,13 @@ class UserServiceImpl(
                 updateTime = now
             )
 
+            val isModifyDefaultAlbum = patchRequest.defaultAlbumId != null
+
             runCatching {
+                if (isModifyDefaultAlbum) {
+                    val album = albumDao.findAlbumById(selfUpdateDTO.defaultAlbumId!!) ?: throw AlbumNotFoundException()
+                    if (album.userId != id) throw WrongParameterException("Album not belong to user")
+                }
                 val influenceRowCnt = userDao.updateSelfById(selfUpdateDTO)
                 if (influenceRowCnt < 1) throw UserNotFoundException()
             }.onFailure {