Merge pull request #105 from ttthanhf/hotfix/update-account-v2

Hotfix/update account v2
ttthanhf · Nov 13, 2023 · ffde15c · ffde15c
2 parents 8924cb5 + 3ad0960
commit ffde15c
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/src/main/java/housemate/controllers/AccountController.java b/src/main/java/housemate/controllers/AccountController.java
@@ -36,7 +36,7 @@ public ResponseEntity<UserAccount> getInfo(@PathVariable int userId) {
         return  service.getInfo(userId);
     }
 
-    @Operation(summary = "[ADMIN] Update account info")
+    @Operation(summary = "Update account info")
     @PutMapping("/update/{userId}")
     public ResponseEntity<String> updateInfo(HttpServletRequest request, @Valid @RequestBody UpdateAccountDTO updateAccountDTO, @PathVariable int userId) {
         return service.updateInfo(request, updateAccountDTO, userId);

diff --git a/src/main/java/housemate/services/AccountService.java b/src/main/java/housemate/services/AccountService.java
@@ -71,9 +71,11 @@ public ResponseEntity<UserAccount> getInfo(int userId) {
     }
 
     public ResponseEntity<String> updateInfo(HttpServletRequest request, UpdateAccountDTO updateAccountDTO, int userId) {
-        Role role = Role.valueOf(authorizationUtil.getRoleFromAuthorizationHeader(request));
-        if (!role.equals(Role.ADMIN)) {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("You have no permission to access this function");
+        // Check can't update another account
+        Role currentRole = Role.valueOf(authorizationUtil.getRoleFromAuthorizationHeader(request));
+        int currentUserId = authorizationUtil.getUserIdFromAuthorizationHeader(request);
+        if (!currentRole.equals(Role.ADMIN) && userId != currentUserId) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN).body("You can't update another account");
         }
 
         // Get account in database
@@ -101,7 +103,7 @@ public ResponseEntity<String> ban(HttpServletRequest request, int userId) {
         // Change isBanned to true
         account.setAccountStatus(AccountStatus.BANNED);
         userRepository.save(account);
-        return ResponseEntity.status(HttpStatus.OK).body("Deleted successfully!");
+        return ResponseEntity.status(HttpStatus.OK).body("Ban account successfully!");
     }
 
     public ResponseEntity<String> inactive(HttpServletRequest request, int userId) {