Fixing some access control.

Author: klakegg

src/main/java/no/java/submit/controller/TalkController.java

@@ -20,6 +20,7 @@
 import no.java.submit.service.TimelineService;
 import no.java.submit.util.UserHelper;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
+import org.jboss.resteasy.reactive.ClientWebApplicationException;
 
 import java.util.ArrayList;
 import java.util.Collections;
@@ -67,12 +68,17 @@ public TemplateInstance all() {
     @Path("{sessionId}")
     public TemplateInstance view(@PathParam("sessionId") String sessionId, @Context SecurityIdentity securityIdentity) {
         var email = UserHelper.getEmail(securityIdentity);
-        var session = talksService.getSession(email, sessionId);
 
-        if (!session.containsEmail(email))
-            throw new NotAllowedException("Not allowed to view this session");
+        try {
+            var session = talksService.getSession(email, sessionId);
 
-        return talk.data("session", session);
+            if (!session.containsEmail(email))
+                throw new NotAuthorizedException("Not allowed to view this session");
+
+            return talk.data("session", session);
+        } catch (ClientWebApplicationException e) {
+            throw new NotAuthorizedException("Not allowed to view this session", e);
+        }
     }
 
     @GET
@@ -135,18 +141,22 @@ public Object newSessionPost(SessionForm form, @Context SecurityIdentity securit
     public TemplateInstance editSession(@PathParam("sessionId") String sessionId, @Context SecurityIdentity securityIdentity) {
         var email = UserHelper.getEmail(securityIdentity);
 
-        var session = talksService.getSession(email, sessionId);
+        try {
+            var session = talksService.getSession(email, sessionId);
 
-        if (!session.containsEmail(email))
-            throw new NotAllowedException("Not allowed to view this session");
+            if (!session.containsEmail(email))
+                throw new NotAuthorizedException("Not allowed to view this session");
 
-        if (!conferenceService.current().id.equals(session.conferenceId))
-            throw new NotFoundException();
+            if (!conferenceService.current().id.equals(session.conferenceId))
+                throw new NotFoundException();
 
-        return sessionForm
-                .data("form", SessionForm.parse(session))
-                .data("val", Collections.emptyMap())
-                .data("sessionId", sessionId);
+            return sessionForm
+                    .data("form", SessionForm.parse(session))
+                    .data("val", Collections.emptyMap())
+                    .data("sessionId", sessionId);
+        } catch (ClientWebApplicationException e) {
+            throw new NotAuthorizedException("Not allowed to view this session", e);
+        }
     }
 
     @POST

src/main/java/no/java/submit/template/NotAuthorizedExceptionMapper.java

@@ -0,0 +1,26 @@
+package no.java.submit.template;
+
+import io.quarkus.qute.Template;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.NotAuthorizedException;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.ext.ExceptionMapper;
+import jakarta.ws.rs.ext.Provider;
+
+@Provider
+public class NotAuthorizedExceptionMapper implements ExceptionMapper<NotAuthorizedException> {
+
+    @Inject
+    Template noAccess;
+
+    @Override
+    public Response toResponse(NotAuthorizedException e) {
+        return Response
+                .status(401)
+                .header("Content-Type", "text/html")
+                .entity(noAccess
+                        .data("title", "Sorry, no access")
+                        .data("message", e.getMessage()))
+                .build();
+    }
+}

src/main/resources/templates/noAccess.html

@@ -0,0 +1,7 @@
+{#include partial/centered}
+<div class="front">
+    <h1>{title}</h1>
+
+    <p>{message}</p>
+</div>
+{/include}