Filtering by user when searching entities

Matt Raible

Oct 27, 2018, 1:58:24 PM
to JHipster dev team
Hey all,

Someone entered a security issue on my 21-Points Health application and it’s totally valid.


The gist of the issue is that users can see each other’s data. I was able to solve this in my JHipster 5 demo app by using code like the following when creating/editing an entity.

// Refuse the write unless the entity's owner is the authenticated user
if (!blog.getUser().getLogin().equals(SecurityUtils.getCurrentUserLogin().orElse(""))) {
    return new ResponseEntity<>("error.http.403", HttpStatus.FORBIDDEN);
}


However, this doesn’t help when Elasticsearch is used on the list screens.

In the blog example, I’m able to change this:

return blogRepository.findAll();

To this:

return blogRepository.findByUserIsCurrentUser();

And then add a new method to the BlogRepository:

import java.util.List;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

public interface BlogRepository extends JpaRepository<Blog, Long> {

    // SpEL: ?#{principal.username} resolves to the login of the authenticated user,
    // so the JPQL query only ever returns blogs owned by the caller
    @Query("select blog from Blog blog where blog.user.login = ?#{principal.username}")
    List<Blog> findByUserIsCurrentUser();

}

However, I don’t think this is possible with a *SearchRepository, is it? Here’s what the generated search method looks like:

@GetMapping("/_search/points")
@Timed
public ResponseEntity<List<Points>> searchPoints(@RequestParam String query, Pageable pageable) {
    log.debug("REST request to search for a page of Points for query {}", query);
    // The user-supplied query string goes straight to Elasticsearch; nothing here
    // restricts the hits to the caller's own Points
    Page<Points> page = pointsSearchRepository.search(queryStringQuery(query), pageable);
    HttpHeaders headers = PaginationUtil.generateSearchPaginationHttpHeaders(query, page, "/api/_search/points");
    return new ResponseEntity<>(page.getContent(), headers, HttpStatus.OK);
}
Maybe there’s a way to auto-append a user filter to the query?

Thanks in advance for any advice.

Matt
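One way to get the "auto-appended user filter" the post asks about, as an added example rather than code from the post or from JHipster's generator: wrap whatever query the client sends in an Elasticsearch bool query whose filter clause pins the hits to the current login, and route every *SearchRepository call through that wrapper. Assumptions made here: the Points entity is indexed with its user relation, so the owner's login is available under user.login (with Elasticsearch's default dynamic mapping the exact-match subfield is user.login.keyword; check the real mapping before relying on the field name); SecurityUtils.getCurrentUserLogin() and pointsSearchRepository.search(QueryBuilder, Pageable) are the JHipster 5 APIs already used in the post; the CurrentUserSearch helper and the base package are invented for this example.

```java
// Added example, not JHipster-generated code. Package name is an assumption.
package org.jhipster.health.security;

import static org.elasticsearch.index.query.QueryBuilders.boolQuery;
import static org.elasticsearch.index.query.QueryBuilders.queryStringQuery;
import static org.elasticsearch.index.query.QueryBuilders.termQuery;

import java.util.List;

import org.elasticsearch.index.query.QueryBuilder;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;

/**
 * Scopes any Elasticsearch query to documents owned by the authenticated user.
 * Apply it at every *SearchRepository call site instead of passing the raw
 * client query through.
 */
public final class CurrentUserSearch {

    /**
     * Indexed field that holds the owner's login. Assumes the entity's "user"
     * relation is serialised into the index. Under a default dynamic mapping the
     * analysed field is "user.login" and the exact-match subfield is
     * "user.login.keyword"; a term filter on an analysed field may silently match
     * nothing for logins containing dots or hyphens, so prefer the keyword field.
     */
    public static final String OWNER_LOGIN_FIELD = "user.login.keyword";

    private CurrentUserSearch() {
    }

    public static QueryBuilder scopeToCurrentUser(QueryBuilder clientQuery) {
        String login = SecurityUtils.getCurrentUserLogin()
            .orElseThrow(() -> new AccessDeniedException("No authenticated user"));

        // must:   the client's query still drives matching and scoring.
        // filter: the owner clause is ANDed in by the bool query, so nothing the
        //         client writes in its query string (e.g. "user.login:alice OR *")
        //         can widen the result set beyond the caller's own documents.
        return boolQuery()
            .must(clientQuery)
            .filter(termQuery(OWNER_LOGIN_FIELD, login));
    }
}

// --- In PointsResource (only the search endpoint shown; log, pointsSearchRepository
// --- and PaginationUtil are the ones the generated resource already has) ---

public class PointsResource {

    private final PointsSearchRepository pointsSearchRepository;

    public PointsResource(PointsSearchRepository pointsSearchRepository) {
        this.pointsSearchRepository = pointsSearchRepository;
    }

    @GetMapping("/_search/points")
    @Timed
    public ResponseEntity<List<Points>> searchPoints(@RequestParam String query, Pageable pageable) {
        log.debug("REST request to search for a page of Points for query {}", query);
        // The only change from the generated method: the client query is wrapped
        // before it reaches Elasticsearch.
        QueryBuilder scoped = CurrentUserSearch.scopeToCurrentUser(queryStringQuery(query));
        Page<Points> page = pointsSearchRepository.search(scoped, pageable);
        HttpHeaders headers = PaginationUtil.generateSearchPaginationHttpHeaders(query, page, "/api/_search/points");
        return new ResponseEntity<>(page.getContent(), headers, HttpStatus.OK);
    }
}
```

Two checks worth doing after wiring this in: confirm with GET /points/_mapping that the owner field is indexed under the name the filter uses (an unmapped or analysed field fails closed, which is safe but will look like "search returns nothing"), and test as one user with a query such as user.login:otheruser to verify the filter clause wins. The same wrapper applies unchanged to the other *SearchRepository call sites, so the ownership rule lives in one place rather than being re-typed per entity.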