Merge pull request #172 from bounswe/add-authentication-for-creating-…

…program Added validation and authentication for creating and deleting programs
bounswe · Oct 21, 2024 · 00fbbc8 · 00fbbc8
2 parents 927c724 + c7a2936
commit 00fbbc8
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 27 deletions.
diff --git a/backend/demo-group7/src/main/java/com/group7/demo/controllers/TrainingProgramController.java b/backend/demo-group7/src/main/java/com/group7/demo/controllers/TrainingProgramController.java
@@ -3,6 +3,7 @@
 import com.group7.demo.dtos.TrainingProgramRequest;
 import com.group7.demo.dtos.TrainingProgramResponse;
 import com.group7.demo.services.TrainingProgramService;
+import jakarta.servlet.http.HttpServletRequest;
 import lombok.AllArgsConstructor;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -19,9 +20,14 @@ public class TrainingProgramController {
 
     // Endpoint to create a new training program
     @PostMapping
-    public ResponseEntity<TrainingProgramResponse> createTrainingProgram(@RequestBody TrainingProgramRequest request) {
-        TrainingProgramResponse createdProgram = trainingProgramService.createTrainingProgram(request);
-        return ResponseEntity.status(HttpStatus.CREATED).body(createdProgram);
+    public ResponseEntity<TrainingProgramResponse> createTrainingProgram(@RequestBody TrainingProgramRequest trainingProgramRequest, HttpServletRequest request) throws IllegalAccessException {
+        try {
+            TrainingProgramResponse createdProgram = trainingProgramService.createTrainingProgram(trainingProgramRequest, request);
+            return ResponseEntity.status(HttpStatus.CREATED).body(createdProgram);
+        } catch (IllegalAccessException e) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
+
     }
 
     // Optional: Endpoint to fetch a list of training programs
@@ -40,8 +46,12 @@ public ResponseEntity<TrainingProgramResponse> getTrainingProgramById(@PathVaria
 
     // Optional: Endpoint to delete a training program by ID
     @DeleteMapping("/{id}")
-    public ResponseEntity<Void> deleteTrainingProgram(@PathVariable Long id) {
-        trainingProgramService.deleteTrainingProgram(id);
-        return ResponseEntity.noContent().build();
+    public ResponseEntity<Void> deleteTrainingProgram(@PathVariable Long id, HttpServletRequest request) throws Exception {
+        try {
+            trainingProgramService.deleteTrainingProgram(id, request);
+            return ResponseEntity.noContent().build();
+        } catch (IllegalAccessException e) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }
     }
 }
diff --git a/backend/demo-group7/src/main/java/com/group7/demo/dtos/TrainingProgramRequest.java b/backend/demo-group7/src/main/java/com/group7/demo/dtos/TrainingProgramRequest.java
@@ -20,5 +20,4 @@ public class TrainingProgramRequest {
     private LocationType locationType;
     private List<ExerciseRequest> exercises;
     private String description;
-    private Long trainerId;  // The ID of the trainer creating the program
 }
diff --git a/backend/demo-group7/src/main/java/com/group7/demo/services/TrainingProgramService.java b/backend/demo-group7/src/main/java/com/group7/demo/services/TrainingProgramService.java
@@ -8,16 +8,14 @@
 import com.group7.demo.models.ExerciseDetail;
 import com.group7.demo.models.TrainingProgram;
 import com.group7.demo.models.User;
-import com.group7.demo.repository.ExerciseRepository;
 import com.group7.demo.repository.TrainingProgramRepository;
-import com.group7.demo.repository.UserRepository;
 import jakarta.persistence.EntityNotFoundException;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.transaction.Transactional;
 import lombok.AllArgsConstructor;
 import org.springframework.stereotype.Service;
 
 import java.util.List;
-import java.util.Optional;
 import java.util.stream.Collectors;
 
 @Service
@@ -26,26 +24,25 @@ public class TrainingProgramService {
 
     private final TrainingProgramRepository trainingProgramRepository;
 
-    private final UserRepository userRepository;
-
-    private final ExerciseRepository exerciseRepository;
+    private final AuthenticationService authenticationService;
     @Transactional
-    public TrainingProgramResponse createTrainingProgram(TrainingProgramRequest request) {
-        // Find the trainer by ID (you should have a Trainer/User repository)
-        User trainer = userRepository.findById(request.getTrainerId())
-                .orElseThrow(() -> new EntityNotFoundException("Trainer not found"));
+    public TrainingProgramResponse createTrainingProgram(TrainingProgramRequest trainingProgramRequest, HttpServletRequest request) throws IllegalAccessException {
+        User user = authenticationService.getAuthenticatedUserInternal(request);
+        if (!user.getRole().name().equals("TRAINER")) {
+            throw new IllegalAccessException("Only trainers can create training programs.");
+        }
 
         // Create the training program
         TrainingProgram trainingProgram = TrainingProgram.builder()
-                .title(request.getTitle())
-                .programType(request.getProgramType())
-                .locationType(request.getLocationType())
-                .description(request.getDescription())
-                .trainer(trainer)
+                .title(trainingProgramRequest.getTitle())
+                .programType(trainingProgramRequest.getProgramType())
+                .locationType(trainingProgramRequest.getLocationType())
+                .description(trainingProgramRequest.getDescription())
+                .trainer(user)
                 .build();
 
-        // Map exercises from request to entity
-        List<Exercise> exercises = request.getExercises().stream()
+        // Map exercises from trainingProgramRequest to entity
+        List<Exercise> exercises = trainingProgramRequest.getExercises().stream()
                 .map(exerciseRequest -> {
                     // Create exercise
                     Exercise exercise = Exercise.builder()
@@ -55,8 +52,8 @@ public TrainingProgramResponse createTrainingProgram(TrainingProgramRequest requ
 
                     // Create exercise detail (assuming `ExerciseRequest` has `getSets()` and `getRepetitions()` methods)
                     ExerciseDetail exerciseDetail = ExerciseDetail.builder()
-                            .sets(exerciseRequest.getSets())  // Make sure this retrieves the sets from the request
-                            .repetitions(exerciseRequest.getRepetitions())  // Retrieves repetitions from the request
+                            .sets(exerciseRequest.getSets())  // Make sure this retrieves the sets from the trainingProgramRequest
+                            .repetitions(exerciseRequest.getRepetitions())  // Retrieves repetitions from the trainingProgramRequest
                             .exercise(exercise)
                             .build();
 
@@ -121,11 +118,16 @@ public TrainingProgramResponse getTrainingProgramById(Long id) {
     }
 
     @Transactional
-    public void deleteTrainingProgram(Long id) {
+    public void deleteTrainingProgram(Long id, HttpServletRequest request) throws Exception {
         // Find the training program by ID, or throw an exception if not found
         TrainingProgram trainingProgram = trainingProgramRepository.findById(id)
                 .orElseThrow(() -> new EntityNotFoundException("Training program not found with id: " + id));
 
+        User user = authenticationService.getAuthenticatedUserInternal(request);
+        if (!trainingProgram.getTrainer().equals(user)) {
+            throw new IllegalAccessException("You can't delete a program you don't own");
+        }
+
         // Delete the training program
         trainingProgramRepository.delete(trainingProgram);
     }