diff --git a/server/src/main/java/org/eclipse/openvsx/UserAPI.java b/server/src/main/java/org/eclipse/openvsx/UserAPI.java
index eade9a7c..2666cff4 100644
--- a/server/src/main/java/org/eclipse/openvsx/UserAPI.java
+++ b/server/src/main/java/org/eclipse/openvsx/UserAPI.java
@@ -241,10 +241,15 @@ public List getOwnNamespaces() {
 produces = MediaType.APPLICATION_JSON_VALUE
 )
 public ResponseEntity updateNamespaceDetails(@RequestBody NamespaceDetailsJson details) {
+ var user = users.findLoggedInUser();
+ if (user == null) {
+ throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+ }
+
 try {
 return ResponseEntity.ok()
 .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
- .body(users.updateNamespaceDetails(details));
+ .body(users.updateNamespaceDetails(details, user));
 } catch (NotFoundException exc) {
 var json = NamespaceDetailsJson.error("Namespace not found: " + details.getName());
 return new ResponseEntity<>(json, HttpStatus.NOT_FOUND);
@@ -262,10 +267,15 @@ public ResponseEntity updateNamespaceDetailsLogo(
 @PathVariable String namespace,
 @RequestParam MultipartFile file
 ) {
+ var user = users.findLoggedInUser();
+ if (user == null) {
+ throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+ }
+
 try {
 return ResponseEntity.ok()
 .cacheControl(CacheControl.maxAge(10, TimeUnit.MINUTES).cachePublic())
- .body(users.updateNamespaceDetailsLogo(namespace, file));
+ .body(users.updateNamespaceDetailsLogo(namespace, file, user));
 } catch (ErrorResultException exc) {
 return exc.toResponseEntity(ResultJson.class);
 }
diff --git a/server/src/main/java/org/eclipse/openvsx/UserService.java b/server/src/main/java/org/eclipse/openvsx/UserService.java
index f78f6290..420f2746 100644
--- a/server/src/main/java/org/eclipse/openvsx/UserService.java
+++ b/server/src/main/java/org/eclipse/openvsx/UserService.java
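Review bot: The five-line logged-in-user guard added at the top of `updateNamespaceDetails` is repeated verbatim in `updateNamespaceDetailsLogo` in the next hunk; a private helper such as `private UserData requireLoggedInUser() { var user = users.findLoggedInUser(); if (user == null) { throw new ResponseStatusException(HttpStatus.FORBIDDEN); } return user; }` would keep the two endpoints from drifting as more handlers gain the same check. A missing session is conventionally reported as 401 Unauthorized rather than 403 Forbidden, so unless the rest of UserAPI already uses FORBIDDEN for this case, `HttpStatus.UNAUTHORIZED` would be the more accurate status. In the first hunk only the `NotFoundException` catch is visible; whether the ErrorResultException the service now throws for a non-owner is caught further down that method (outside the hunk) cannot be seen here, and if it is not, the authorization failure would surface as a generic 500 instead of a 4xx.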
@@ -207,11 +207,14 @@ public ResultJson addNamespaceMember(Namespace namespace, UserData user, String
 @Transactional(rollbackOn = { ErrorResultException.class, NotFoundException.class })
 @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#details.name")
- public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
+ public ResultJson updateNamespaceDetails(NamespaceDetailsJson details, UserData user) {
 var namespace = repositories.findNamespace(details.getName());
 if (namespace == null) {
 throw new NotFoundException();
 }
+ if (!repositories.isNamespaceOwner(user, namespace)) {
+ throw new ErrorResultException("You must be an owner of this namespace.");
+ }
 var issues = validator.validateNamespaceDetails(details);
 if (!issues.isEmpty()) {
@@ -243,11 +246,14 @@ public ResultJson updateNamespaceDetails(NamespaceDetailsJson details) {
 @Transactional
 @CacheEvict(value = { CACHE_NAMESPACE_DETAILS_JSON }, key="#namespaceName")
- public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file) {
+ public ResultJson updateNamespaceDetailsLogo(String namespaceName, MultipartFile file, UserData user) {
 var namespace = repositories.findNamespace(namespaceName);
 if (namespace == null) {
 throw new NotFoundException();
 }
+ if (!repositories.isNamespaceOwner(user, namespace)) {
+ throw new ErrorResultException("You must be an owner of this namespace.");
+ }
 var oldNamespace = SerializationUtils.clone(namespace);
 try (
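Review bot: The new ownership check in `updateNamespaceDetails` passes `user` straight to `repositories.isNamespaceOwner(user, namespace)` with no null guard, so the service's authorization now depends on every caller having performed the login check that UserAPI does; the same applies to `updateNamespaceDetailsLogo` in the second hunk. Since these service methods are the boundary that actually enforces ownership, a defensive `if (user == null || !repositories.isNamespaceOwner(user, namespace)) {` (or `Objects.requireNonNull(user, "user")` at the top of each method) keeps a future caller that skips the check from relying on however isNamespaceOwner treats a null user. If ErrorResultException accepts an explicit HTTP status, giving this failure FORBIDDEN would also make it distinguishable from the validation failures the same method reports. Both method bodies continue past the end of their hunks.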