
How to prevent changes of entity relationships?

I am using Spring Boot to store complex JSON structures via JPA in our database.

The root of the json-structure represents a "House" object. A "House" object contains several "Furnitures". For example:

House ID: 4711
|- Furniture: ID 4712 (with confidential information)

Users have read/write permissions for certain Houses, and all their "Furnitures".

My problem is that, through the REST API, the user can "steal" Furnitures from other Houses if he knows their primary keys, with a request like this one:

POST http://localhost:8080/house

{
    houseId: 99991337,
    furnitures: [{
        furnitureId: 4712,
        ...
    }]
}

This leads to:

House ID: 4711
|- empty!

House ID: 99991337
|- Furniture 4712 (with confidential information)

Although the user did not have permission to House 4711, he "unlinked" Furniture 4712 from House 4711 and instead linked it to House 99991337.

How can I prohibit the change of the House of a Furniture?

In the JPA entities, there is a bidirectional OneToMany relationship from House to Furniture. I thought of maybe searching the database for any Furniture in incoming requests and checking the permissions on all of them. But I would prefer to only have to check the permission on the House (because in real life, I have many more entities like Furniture).

slartidan asked May 20 '18 12:05


2 Answers

If my understanding is correct, just search the permissions table by the userId and houseId that were provided in the request. If there is a match, then the user has permissions to change the houseId.

Depending on the permissions, you can either set or not set houseId on the object that you are about to save to the database.

If you still want the user to change the furniture data, then you can save only the furniture entity by providing furnitureId and text for the new Furniture() object.

htshame answered Oct 05 '22 23:10


First of all, your request structure is incorrect. For security reasons like this, you cannot ask the user for his userid, houseid, etc. You need to handle it in the background without relying on the user request.

But for this situation you can simply replace the insert statement with an insert-select. Join the permission table in the select statement to check that the given id is attached to the related user. If nothing is inserted, the user tried to insert an illegal id.

Burak Akyıldız answered Oct 06 '22 00:10
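
The guarded write described in the answer above, as an added example that is not part of the original posts: the SQL is run through Python's sqlite3 only so that it executes offline. The table and column names, the user ids and the `save_furniture` helper are assumptions, and `uid` is assumed to come from the authenticated session rather than the request body.

```python
import sqlite3

# Constructed schema and sample rows; all table/column names and user ids are assumptions.
SCHEMA = """
CREATE TABLE house (id INTEGER PRIMARY KEY);
CREATE TABLE furniture (id INTEGER PRIMARY KEY,
    house_id INTEGER NOT NULL REFERENCES house(id), info TEXT);
CREATE TABLE permission (user_id INTEGER, house_id INTEGER);
INSERT INTO house VALUES (4711), (99991337);
INSERT INTO furniture VALUES (4712, 4711, 'confidential');
INSERT INTO permission VALUES (1, 4711), (2, 99991337);
"""

# Update only rows that already sit in the target house; house_id is never SET.
GUARDED_UPDATE = """UPDATE furniture SET info = :info
WHERE id = :fid AND house_id = :hid
  AND EXISTS (SELECT 1 FROM permission p
              WHERE p.user_id = :uid AND p.house_id = :hid)"""

# Insert-select: a row is produced only if the user may write to the house.
# OR IGNORE leaves an existing id (possibly in another house) untouched.
GUARDED_INSERT = """INSERT OR IGNORE INTO furniture (id, house_id, info)
SELECT :fid, p.house_id, :info FROM permission p
WHERE p.user_id = :uid AND p.house_id = :hid"""

def save_furniture(db, uid, hid, fid, info):
    """Return 'updated', 'inserted' or 'rejected'; never re-parents a row."""
    args = {"uid": uid, "hid": hid, "fid": fid, "info": info}
    if db.execute(GUARDED_UPDATE, args).rowcount == 1:
        return "updated"
    if db.execute(GUARDED_INSERT, args).rowcount == 1:
        return "inserted"
    return "rejected"  # no permission, or the id belongs to another house

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    results = [
        save_furniture(db, 2, 99991337, 4712, "stolen"),  # request from the question
        save_furniture(db, 2, 99991337, 5000, "chair"),   # new row in own house
        save_furniture(db, 1, 4711, 4712, "edited"),      # permitted edit
        save_furniture(db, 2, 4711, 6000, "x"),           # house without permission
    ]
    rows = db.execute("SELECT id, house_id, info FROM furniture ORDER BY id").fetchall()
    return results, rows

if __name__ == "__main__":
    print(demo())
```

Only the permission on the House is consulted; the `house_id = :hid` predicate and the primary-key conflict are what keep Furniture 4712 in House 4711.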