Permission checking submission controller endpoints

src/main/java/gov/cabinetoffice/gap/applybackend/repository/SubmissionRepository.java

@@ -4,10 +4,11 @@
 import org.springframework.data.jpa.repository.JpaRepository;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
 public interface SubmissionRepository extends JpaRepository<Submission, UUID> {
-
     List<Submission> findByApplicantId(long applicantId);
 
+    Optional<Submission> findByIdAndApplicant_UserId(UUID id, UUID userId);
 }

src/main/java/gov/cabinetoffice/gap/applybackend/service/GrantApplicantService.java

@@ -16,7 +16,7 @@ public class GrantApplicantService {
 
     private final GrantApplicantRepository grantApplicantRepository;
 
-    public GrantApplicant getApplicantById(UUID applicantId) {
+    public GrantApplicant getApplicantById(final UUID applicantId) {
         return grantApplicantRepository
                 .findByUserId(applicantId)
                 .orElseThrow(() -> new NotFoundException(String.format("No Grant Applicant with ID %s was found", applicantId.toString())));

src/main/java/gov/cabinetoffice/gap/applybackend/service/GrantApplicationService.java

@@ -12,13 +12,13 @@
 public class GrantApplicationService {
     private final GrantApplicationRepository grantApplicationRepository;
 
-    public GrantApplication getGrantApplicationById(int applicationId) {
+    public GrantApplication getGrantApplicationById(final int applicationId) {
         return grantApplicationRepository
                 .findById(applicationId)
                 .orElseThrow(() -> new NotFoundException(String.format("No Application with ID %s was found", applicationId)));
     }
 
-    public boolean isGrantApplicationPublished(int applicationId) {
+    public boolean isGrantApplicationPublished(final int applicationId) {
         return getGrantApplicationById(applicationId).getApplicationStatus().equals(GrantApplicantStatus.PUBLISHED);
     }
 }

src/main/java/gov/cabinetoffice/gap/applybackend/service/SubmissionService.java

@@ -7,6 +7,7 @@
 import gov.cabinetoffice.gap.applybackend.dto.api.CreateQuestionResponseDto;
 import gov.cabinetoffice.gap.applybackend.dto.api.CreateSubmissionResponseDto;
 import gov.cabinetoffice.gap.applybackend.dto.api.GetNavigationParamsDto;
+import gov.cabinetoffice.gap.applybackend.dto.api.JwtPayload;
 import gov.cabinetoffice.gap.applybackend.enums.GrantApplicantStatus;
 import gov.cabinetoffice.gap.applybackend.enums.SubmissionSectionStatus;
 import gov.cabinetoffice.gap.applybackend.enums.SubmissionStatus;
@@ -54,22 +55,21 @@ public class SubmissionService {
     private final GovNotifyClient notifyClient;
 
     private final Clock clock;
-    private final UuidProvider uuidProvider;
     private final EnvironmentProperties envProperties;
 
-    public Submission getSubmissionFromDatabaseBySubmissionId(final UUID submissionId) {
+    public Submission getSubmissionFromDatabaseBySubmissionId(final UUID userId, final UUID submissionId) {
         Submission submission = submissionRepository
-                .findById(submissionId)
+                .findByIdAndApplicant_UserId(submissionId, userId)
                 .orElseThrow(() -> new NotFoundException(
                         String.format("No Submission with ID %s was found", submissionId)));
 
-        populateEssentialInformation(submission);
+        populateEssentialInformation(userId, submission);
         return submission;
     }
 
-    public SubmissionSection getSectionBySectionId(final UUID submissionId, String sectionId) {
+    public SubmissionSection getSectionBySectionId(final UUID userId, final UUID submissionId, String sectionId) {
         return submissionRepository
-                .findById(submissionId)
+                .findByIdAndApplicant_UserId(submissionId, userId)
                 .orElseThrow(() -> new NotFoundException(
                         String.format("No Submission with ID %s was found", submissionId)))
                 .getDefinition()
@@ -80,8 +80,8 @@ public SubmissionSection getSectionBySectionId(final UUID submissionId, String s
                         String.format("No Section with ID %s was found", sectionId)));
     }
 
-    public SubmissionQuestion getQuestionByQuestionId(final UUID submissionId, String questionId) {
-        return this.getSubmissionFromDatabaseBySubmissionId(submissionId)
+    public SubmissionQuestion getQuestionByQuestionId(final UUID userId, final UUID submissionId, String questionId) {
+        return this.getSubmissionFromDatabaseBySubmissionId(userId, submissionId)
                 .getDefinition()
                 .getSections()
                 .stream()
@@ -96,9 +96,9 @@ public Submission saveSubmission(final Submission submission) {
         return this.submissionRepository.save(submission);
     }
 
-    public void saveQuestionResponse(final CreateQuestionResponseDto questionResponse, final UUID submissionId, final String sectionId) {
+    public void saveQuestionResponse(final CreateQuestionResponseDto questionResponse, final UUID userId, final UUID submissionId, final String sectionId) {
 
-        final Submission submission = this.getSubmissionFromDatabaseBySubmissionId(submissionId);
+        final Submission submission = this.getSubmissionFromDatabaseBySubmissionId(userId, submissionId);
         final SubmissionSection submissionSection = submission.getDefinition()
                 .getSections()
                 .stream()
@@ -141,9 +141,9 @@ public void saveQuestionResponse(final CreateQuestionResponseDto questionRespons
         submissionRepository.save(submission);
     }
 
-    public GetNavigationParamsDto getNextNavigation(final UUID submissionId, final String sectionId, final String questionId, final boolean saveAndExit) {
+    public GetNavigationParamsDto getNextNavigation(final UUID userId, final UUID submissionId, final String sectionId, final String questionId, final boolean saveAndExit) {
 
-        final SubmissionSection section = this.getSectionBySectionId(submissionId, sectionId);
+        final SubmissionSection section = this.getSectionBySectionId(userId, submissionId, sectionId);
         final Map<String, Object> nextNavigation = this.buildNextNavigationMap(section, questionId, saveAndExit);
 
         return GetNavigationParamsDto.builder()
@@ -180,8 +180,8 @@ private Optional<String> getNextQuestionIdInSection(SubmissionSection section, S
         return nextQuestionId;
     }
 
-    public boolean isSubmissionReadyToBeSubmitted(UUID submissionId) {
-        final Submission submission = getSubmissionFromDatabaseBySubmissionId(submissionId);
+    public boolean isSubmissionReadyToBeSubmitted(final UUID userId, final UUID submissionId) {
+        final Submission submission = getSubmissionFromDatabaseBySubmissionId(userId, submissionId);
         GrantApplication grantApplication = submission.getApplication();
         if (!grantApplication.getApplicationStatus().equals(GrantApplicantStatus.PUBLISHED)) {
             return false;
@@ -206,9 +206,9 @@ public boolean isSubmissionReadyToBeSubmitted(UUID submissionId) {
     }
 
     @Transactional
-    public void submit(final Submission submission, final String emailAddress) {
+    public void submit(final Submission submission, final UUID userId, final String emailAddress) {
 
-        if (!isSubmissionReadyToBeSubmitted(submission.getId())) {
+        if (!isSubmissionReadyToBeSubmitted(userId, submission.getId())) {
             throw new SubmissionNotReadyException(String
                     .format("Submission %s is not ready to be submitted.", submission.getId()));
         }
@@ -351,8 +351,8 @@ private boolean containsLocation(String[] locations, String locationToFind) {
         return Arrays.asList(locations).contains(locationToFind);
     }
 
-    public boolean hasSubmissionBeenSubmitted(UUID submissionId) {
-        return !this.getSubmissionFromDatabaseBySubmissionId(submissionId)
+    public boolean hasSubmissionBeenSubmitted(final UUID userId, final UUID submissionId) {
+        return !this.getSubmissionFromDatabaseBySubmissionId(userId, submissionId)
                 .getStatus().equals(SubmissionStatus.IN_PROGRESS);
     }
 
@@ -364,8 +364,9 @@ public boolean doesSubmissionExist(GrantApplicant grantApplicant, GrantApplicati
     }
 
 
-    public CreateSubmissionResponseDto createSubmissionFromApplication(GrantApplicant grantApplicant,
-                                                                       GrantApplication grantApplication) throws JsonProcessingException {
+    public CreateSubmissionResponseDto createSubmissionFromApplication(final UUID userId,
+                                                                       final GrantApplicant grantApplicant,
+                                                                       final GrantApplication grantApplication) throws JsonProcessingException {
         final GrantScheme grantScheme = grantApplication.getGrantScheme();
         final int version = grantApplication.getVersion();
         final String applicationName = grantApplication.getApplicationName();
@@ -395,17 +396,17 @@ public CreateSubmissionResponseDto createSubmissionFromApplication(GrantApplican
                 .submissionId(submissionId)
                 .build();
 
-        populateEssentialInformation(submission);
+        populateEssentialInformation(userId, submission);
 
         return submissionResponseDto;
     }
 
-    private void populateEssentialInformation(Submission submission) {
+    private void populateEssentialInformation(final UUID userId, final Submission submission) {
         GrantApplicantOrganisationProfile grantApplicantOrgProfile = submission.getApplicant().getOrganisationProfile();
 
         if (grantApplicantOrgProfile != null) {
 
-            final SubmissionSection section = getSectionBySectionId(submission.getId(), ESSENTIAL_SECTION_ID);
+            final SubmissionSection section = getSectionBySectionId(userId, submission.getId(), ESSENTIAL_SECTION_ID);
             for (SubmissionQuestion question : section.getQuestions()) {
                 if (question.getQuestionId().equals(APPLICANT_ORG_ADDRESS)) {
                     getMultiResponseForEssentialInfo(question, section, grantApplicantOrgProfile);
@@ -429,8 +430,8 @@ private void populateEssentialInformation(Submission submission) {
         }
     }
 
-    public void deleteQuestionResponse(final UUID submissionId, final String questionId) {
-        final Submission submission = this.getSubmissionFromDatabaseBySubmissionId(submissionId);
+    public void deleteQuestionResponse(final UUID userId, final UUID submissionId, final String questionId) {
+        final Submission submission = this.getSubmissionFromDatabaseBySubmissionId(userId, submissionId);
         submission.getDefinition()
                 .getSections()
                 .stream()
@@ -469,8 +470,11 @@ private void getMultiResponseForEssentialInfo(SubmissionQuestion question, Submi
     }
 
 
-    public SubmissionSectionStatus handleSectionReview(UUID submissionId, String sectionId, boolean isComplete) {
-        final Submission submission = getSubmissionFromDatabaseBySubmissionId(submissionId);
+    public SubmissionSectionStatus handleSectionReview(final UUID userId,
+                                                       final UUID submissionId,
+                                                       final String sectionId,
+                                                       final boolean isComplete) {
+        final Submission submission = getSubmissionFromDatabaseBySubmissionId(userId, submissionId);
         final SubmissionSectionStatus sectionStatus = isComplete ? SubmissionSectionStatus.COMPLETED : SubmissionSectionStatus.IN_PROGRESS;
         submission.getDefinition()
                 .getSections()

src/main/java/gov/cabinetoffice/gap/applybackend/validation/validators/QuestionResponseValidator.java

@@ -2,6 +2,7 @@
 
 import gov.cabinetoffice.gap.applybackend.constants.ValidationConstants;
 import gov.cabinetoffice.gap.applybackend.dto.api.CreateQuestionResponseDto;
+import gov.cabinetoffice.gap.applybackend.dto.api.JwtPayload;
 import gov.cabinetoffice.gap.applybackend.enums.SubmissionQuestionResponseType;
 import gov.cabinetoffice.gap.applybackend.model.SubmissionQuestion;
 import gov.cabinetoffice.gap.applybackend.model.SubmissionQuestionValidation;
@@ -11,12 +12,14 @@
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.util.Strings;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 import java.time.Month;
 import java.time.Year;
 import java.util.Map;
+import java.util.UUID;
 import java.util.stream.Stream;
 
 
@@ -28,6 +31,7 @@ public class QuestionResponseValidator implements ConstraintValidator<ValidQuest
 
     @Override
     public boolean isValid(Object value, ConstraintValidatorContext constraintValidatorContext) {
+        final JwtPayload jwtPayload = (JwtPayload) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 
         constraintValidatorContext.disableDefaultConstraintViolation();
         CreateQuestionResponseDto submittedQuestion = (CreateQuestionResponseDto) value;
@@ -57,7 +61,9 @@ private SubmissionQuestion getQuestionFromDatabase(CreateQuestionResponseDto sub
             throw new IllegalArgumentException("Question ID must not be null.");
         }
 
-        return submissionService.getQuestionByQuestionId(submittedQuestion.getSubmissionId(), submittedQuestion.getQuestionId());
+        final JwtPayload jwtPayload = (JwtPayload) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        final UUID applicantId = UUID.fromString(jwtPayload.getSub());
+        return submissionService.getQuestionByQuestionId(applicantId, submittedQuestion.getSubmissionId(), submittedQuestion.getQuestionId());
     }
 
     private ValidationResult validate(CreateQuestionResponseDto submittedQuestion, SubmissionQuestion question) {