From 0d79467e0b45af5c3b9117555ff759c363c517e7 Mon Sep 17 00:00:00 2001
From: Christoph <churl100@hhu.de>
Date: Fri, 17 Apr 2020 17:36:24 +0200
Subject: [PATCH] make tag-search safe

---
 .../gruppen2/domain/model/group/Group.java    |  2 +-
 .../domain/service/SearchService.java         | 20 ++++++++--
 .../controller/SearchAndInviteController.java | 37 ++++++++++++++++---
 src/main/resources/templates/search.html      | 22 +++++------
 4 files changed, 58 insertions(+), 23 deletions(-)

diff --git a/src/main/java/mops/gruppen2/domain/model/group/Group.java b/src/main/java/mops/gruppen2/domain/model/group/Group.java
index 0ab9ae8..628bb3a 100644
--- a/src/main/java/mops/gruppen2/domain/model/group/Group.java
+++ b/src/main/java/mops/gruppen2/domain/model/group/Group.java
@@ -303,7 +303,7 @@ public class Group {
     }
 
     public String format() {
-        return type + ": " + title + " - " + description;
+        return title + " - " + description;
     }
 
     @Override
diff --git a/src/main/java/mops/gruppen2/domain/service/SearchService.java b/src/main/java/mops/gruppen2/domain/service/SearchService.java
index 528069b..06b65f3 100644
--- a/src/main/java/mops/gruppen2/domain/service/SearchService.java
+++ b/src/main/java/mops/gruppen2/domain/service/SearchService.java
@@ -4,10 +4,12 @@ import lombok.RequiredArgsConstructor;
 import lombok.extern.log4j.Log4j2;
 import mops.gruppen2.domain.exception.EventException;
 import mops.gruppen2.domain.model.group.Group;
+import mops.gruppen2.domain.model.group.Type;
 import mops.gruppen2.infrastructure.GroupCache;
 import org.springframework.stereotype.Service;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.List;
 import java.util.stream.Collectors;
 
@@ -29,7 +31,7 @@ public class SearchService {
      *
      * @throws EventException Projektionsfehler
      */
-    public List<Group> search(String search, String principal) {
+    public List<Group> searchString(String search, String principal) {
         List<Group> groups = new ArrayList<>();
         groups.addAll(groupCache.publics());
         groups.addAll(groupCache.lectures());
@@ -40,14 +42,24 @@ public class SearchService {
         }
 
         log.debug("Es wurde gesucht nach: {}", search);
-
-        // Die Suche nach Typ (LECTURE, PUBLIC), ist nicht wirklich sicher,
-        // da im gesamtstring danach gesucht wird
         return groups.stream()
                      .filter(group -> group.format().toLowerCase().contains(search.toLowerCase()))
                      .collect(Collectors.toList());
     }
 
+    public List<Group> searchType(Type type, String principal) {
+        log.debug("Es wurde gesucht nach: {}", type);
+
+        if (type == Type.LECTURE) {
+            return removeUserGroups(groupCache.lectures(), principal);
+        }
+        if (type == Type.PUBLIC) {
+            return removeUserGroups(groupCache.publics(), principal);
+        }
+
+        return Collections.emptyList();
+    }
+
     private static List<Group> removeUserGroups(List<Group> groups, String principal) {
         return groups.stream()
                      .filter(group -> !group.isMember(principal))
diff --git a/src/main/java/mops/gruppen2/infrastructure/controller/SearchAndInviteController.java b/src/main/java/mops/gruppen2/infrastructure/controller/SearchAndInviteController.java
index 1c96f01..35ae56c 100644
--- a/src/main/java/mops/gruppen2/infrastructure/controller/SearchAndInviteController.java
+++ b/src/main/java/mops/gruppen2/infrastructure/controller/SearchAndInviteController.java
@@ -41,13 +41,40 @@ public class SearchAndInviteController {
     }
 
     @RolesAllowed({"ROLE_orga", "ROLE_studentin"})
-    @PostMapping("/search")
-    public String postSearch(KeycloakAuthenticationToken token,
-                             Model model,
-                             @RequestParam("string") String search) {
+    @PostMapping("/search/string")
+    public String postSearchString(KeycloakAuthenticationToken token,
+                                   Model model,
+                                   @RequestParam("string") String search) {
 
         String principal = token.getName();
-        List<Group> groups = searchService.search(search, principal);
+        List<Group> groups = searchService.searchString(search, principal);
+
+        model.addAttribute("groups", groups);
+
+        return "search";
+    }
+
+    @RolesAllowed({"ROLE_orga", "ROLE_studentin"})
+    @GetMapping("/search/all")
+    public String getSearchAll(KeycloakAuthenticationToken token,
+                               Model model) {
+
+        String principal = token.getName();
+        List<Group> groups = searchService.searchString("", principal);
+
+        model.addAttribute("groups", groups);
+
+        return "search";
+    }
+
+    @RolesAllowed({"ROLE_orga", "ROLE_studentin"})
+    @GetMapping("/search/type/{type}")
+    public String getSearchType(KeycloakAuthenticationToken token,
+                                Model model,
+                                @PathVariable("type") Type type) {
+
+        String principal = token.getName();
+        List<Group> groups = searchService.searchType(type, principal);
 
         model.addAttribute("groups", groups);
 
diff --git a/src/main/resources/templates/search.html b/src/main/resources/templates/search.html
index c8d7fd6..70163e9 100644
--- a/src/main/resources/templates/search.html
+++ b/src/main/resources/templates/search.html
@@ -8,6 +8,9 @@
 
 <body>
 
+<!--/*@thymesVar id="LECTURE" type="mops.gruppen2.domain.model.group.Type"*/-->
+<!--/*@thymesVar id="PUBLIC" type="mops.gruppen2.domain.model.group.Type"*/-->
+
 <main th:fragment="bodycontent">
     <div class="container-fluid">
 
@@ -15,7 +18,7 @@
 
         <!--Suchfilter-->
         <div class="content top">
-            <form method="post" th:action="@{/gruppen2/search}">
+            <form method="post" th:action="@{/gruppen2/search/string}">
                 <div class="row mb-3">
                     <div class="input-group col mr-2">
                         <div class="input-group-prepend">
@@ -29,22 +32,15 @@
             </form>
 
             <div class="row">
-                <form method="post" th:action="@{/gruppen2/search}">
-                    <input type="hidden" name="string" value="">
-                    <button class="btn btn-info" type="submit">Alle Anzeigen</button>
-                </form>
+                <a class="btn btn-info" th:href="@{/gruppen2/search/all}">Alle Anzeigen</a>
 
                 <!--spacer-->
                 <span class="col"></span>
 
-                <form method="post" th:action="@{/gruppen2/search}">
-                    <input type="hidden" name="string" value="LECTURE">
-                    <button class="btn btn-info mr-2" type="submit">Vorlesungen</button>
-                </form>
-                <form method="post" th:action="@{/gruppen2/search}">
-                    <input type="hidden" name="string" value="PUBLIC">
-                    <button class="btn btn-info" type="submit">Öffentliche Gruppen</button>
-                </form>
+                <a class="btn btn-info mr-2"
+                   th:href="@{/gruppen2/search/type/{type}(type=${LECTURE})}">Vorlesungen</a>
+                <a class="btn btn-info" type="submit"
+                   th:href="@{/gruppen2/search/type/{type}(type=${PUBLIC})}">Öffentliche Gruppen</a>
             </div>
         </div>