Added grouping for the Accessible in order to improve security.

j.bebendorf · j.bebendorf · commit 75d8596202b6 · 2022-03-21T16:35:38.000+01:00
diff --git a/src/main/java/org/javawebstack/orm/Accessible.java b/src/main/java/org/javawebstack/orm/Accessible.java
@@ -1,7 +1,8 @@
 package org.javawebstack.orm;
 
 import org.javawebstack.orm.query.Query;
+import org.javawebstack.orm.query.QueryGroup;
 
 public interface Accessible {
-    <T extends Model> Query<T> access(Query<T> query, Object accessor);
+    <T extends Model> QueryGroup<T> access(Query<T> query, QueryGroup<T> accessChecks, Object accessor);
 }
diff --git a/src/main/java/org/javawebstack/orm/Repo.java b/src/main/java/org/javawebstack/orm/Repo.java
@@ -73,11 +73,11 @@ public Query<T> whereId(Object right) {
     }
 
     public Query<T> accessible(Object accessor) {
-        return accessible(query(), accessor);
+        return query().accessible(accessor);
     }
 
-    public Query<T> accessible(Query<T> query, Object accessor) {
-        return accessible == null ? query : accessible.access(query, accessor);
+    public Accessible getAccessible() {
+        return accessible;
     }
 
     public void save(T entry) {
diff --git a/src/main/java/org/javawebstack/orm/query/Query.java b/src/main/java/org/javawebstack/orm/query/Query.java
@@ -30,6 +30,8 @@ public class Query<T extends Model> {
     private boolean withDeleted = false;
     private final List<QueryColumn> groupBy = new ArrayList<>();
     private QueryGroup<T> having;
+    private boolean applyAccessible = false;
+    private Object accessor;
 
     public Query(Class<T> model) {
         this(Repo.get(model), model);
@@ -53,6 +55,14 @@ public boolean isWithDeleted() {
         return withDeleted;
     }
 
+    public boolean shouldApplyAccessible() {
+        return applyAccessible;
+    }
+
+    public Object getAccessor() {
+        return accessor;
+    }
+
     public QueryGroup<T> getWhereGroup() {
         return where;
     }
@@ -318,7 +328,9 @@ public Query<T> has(Query<?> relation) {
     }
 
     public Query<T> accessible(Object accessor) {
-        return repo.accessible(this, accessor);
+        this.applyAccessible = true;
+        this.accessor = accessor;
+        return this;
     }
 
     public Query<T> filter(Map<String, String> filter) {
diff --git a/src/main/java/org/javawebstack/orm/wrapper/builder/MySQLQueryStringBuilder.java b/src/main/java/org/javawebstack/orm/wrapper/builder/MySQLQueryStringBuilder.java
@@ -1,10 +1,12 @@
 package org.javawebstack.orm.wrapper.builder;
 
-import org.javawebstack.orm.Repo;
-import org.javawebstack.orm.SQLMapper;
-import org.javawebstack.orm.TableInfo;
+import org.javawebstack.orm.*;
+import org.javawebstack.orm.exception.ORMQueryException;
 import org.javawebstack.orm.query.*;
 
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.sql.Timestamp;
 import java.time.Instant;
 import java.util.*;
@@ -15,6 +17,16 @@ public class MySQLQueryStringBuilder implements QueryStringBuilder {
 
     public static final MySQLQueryStringBuilder INSTANCE = new MySQLQueryStringBuilder();
 
+    private static Method accessibleAccessMethod;
+
+    static {
+        try {
+            accessibleAccessMethod = Accessible.class.getDeclaredMethod("access", Query.class, QueryGroup.class, Object.class);
+        } catch (NoSuchMethodException e) {
+            e.printStackTrace();
+        }
+    }
+
     public SQLQueryString buildInsert(TableInfo info, Map<String, Object> values) {
         List<Object> params = new ArrayList<>();
         StringBuilder sb = new StringBuilder("INSERT INTO `");
@@ -48,6 +60,18 @@ public SQLQueryString buildQuery(Query<?> query) {
                 .append('`');
         QueryGroup<?> where = query.getWhereGroup();
         checkWithDeleted(repo, query.isWithDeleted(), where);
+        if(query.shouldApplyAccessible()) {
+            QueryGroup<?> actualWhere = where;
+            where = new QueryGroup<>()
+                    .and(q -> (QueryGroup<Model>) actualWhere)
+                    .and(q -> {
+                        try {
+                            return (QueryGroup<Model>) accessibleAccessMethod.invoke(repo.getAccessible(), query, q, query.getAccessor());
+                        } catch (IllegalAccessException | InvocationTargetException e) {
+                            throw new ORMQueryException(e);
+                        }
+                    });
+        }
         if (!where.getQueryElements().isEmpty()) {
             SQLQueryString qs = convertGroup(repo.getInfo(), where);
             sb.append(" WHERE ").append(qs.getQuery());

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,8 @@`
`1`	`1`	`package org.javawebstack.orm;`
`2`	`2`
`3`	`3`	`import org.javawebstack.orm.query.Query;`
	`4`	`+import org.javawebstack.orm.query.QueryGroup;`
`4`	`5`
`5`	`6`	`public interface Accessible {`
`6`		`- <T extends Model> Query<T> access(Query<T> query, Object accessor);`
	`7`	`+ <T extends Model> QueryGroup<T> access(Query<T> query, QueryGroup<T> accessChecks, Object accessor);`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -73,11 +73,11 @@ public Query<T> whereId(Object right) {`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`public Query<T> accessible(Object accessor) {`
`76`		`- return accessible(query(), accessor);`
	`76`	`+ return query().accessible(accessor);`
`77`	`77`	`}`
`78`	`78`
`79`		`- public Query<T> accessible(Query<T> query, Object accessor) {`
`80`		`- return accessible == null ? query : accessible.access(query, accessor);`
	`79`	`+ public Accessible getAccessible() {`
	`80`	`+ return accessible;`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`public void save(T entry) {`