From 08528696c719a7ff8c782de2cf31765cecaff11d Mon Sep 17 00:00:00 2001
From: Gauthier LO
Date: Fri, 20 Dec 2024 17:15:29 +0100
Subject: [PATCH] feat: export details secure access
---
 .../shippingInvoice/InvoiceController.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/business/controller/admin/shippingInvoice/InvoiceController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/business/controller/admin/shippingInvoice/InvoiceController.java
index c0139b0e9..6433d9058 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/business/controller/admin/shippingInvoice/InvoiceController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/business/controller/admin/shippingInvoice/InvoiceController.java
@@ -11,7 +11,6 @@ import freemarker.template.TemplateException;
 import io.swagger.annotations.Api;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.shiro.SecurityUtils;
-import org.jeecg.common.api.dto.message.TemplateMessageDTO;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.query.QueryGenerator;
@@ -626,11 +625,27 @@ public class InvoiceController {
 @RequestParam("type") String type
 ) throws IOException, UserException {
 log.info("Request for downloading invoice detail by client and period : \nclient : {} \nshops : {}\nstart date : {}\nend date : {}\ntype : {}", clientId, shopIds, startDate, endDate, type);
- List invoiceDetails = shippingInvoiceService.getInvoiceDetailByShopsAndPeriod(shopIds, startDate, endDate, type);
+ boolean isEmployee = securityService.checkIsEmployee();
 Client client = clientService.getById(clientId);
+ Client currentClient;
+ if(client == null) {
+ log.error("Client {} not found", clientId);
+ return new byte[0];
+ }
+ if (!isEmployee) {
+ currentClient = clientService.getCurrentClient();
+ if (currentClient == null) {
+ log.error("Client is not registered as a user : {}", clientId);
+ return new byte[0];
+ }
+ if(!clientId.equals(currentClient.getId())) {
+ log.error("Client {} is not authorized to download invoice detail for client {}", currentClient.getInternalCode(), client.getInternalCode());
+ return new byte[0];
+ }
+ }
+ List invoiceDetails = shippingInvoiceService.getInvoiceDetailByShopsAndPeriod(shopIds, startDate, endDate, type);
 String period = startDate + "-" + endDate;
 return shippingInvoiceService.exportToExcel(invoiceDetails, Collections.emptyList(), Collections.emptyList(), period, client.getInvoiceEntity(), client.getInternalCode());
-
 }
 @GetMapping(value = "/downloadInvoiceInventory")
 public byte[] downloadInvoiceInventory(@RequestParam("invoiceCode") String invoiceCode, @RequestParam("internalCode") String internalCode, @RequestParam("invoiceEntity") String invoiceEntity) throws IOException {
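Review bot: The new ownership check binds `clientId` to the caller, but the data that is actually exported is fetched by `shopIds`, which the added `List invoiceDetails = shippingInvoiceService.getInvoiceDetailByShopsAndPeriod(shopIds, startDate, endDate, type);` line passes through unchanged, so unless that service method filters shops by owner (not visible here) a non-employee who supplies their own clientId together with a different client's shop ids still receives that client's detail. The check should also verify that every id in `shopIds` belongs to `client` before the service call, or the query should be keyed on `client.getId()` rather than on the caller-supplied shop list. Separately, all three failure paths `return new byte[0];`, which is an HTTP 200 with an empty body that neither the caller nor any monitoring can tell apart from a genuinely empty export; the method already declares `throws UserException`, so raising it (or mapping the not-found and not-authorized cases to a 404/403 status) would be clearer and easier to alert on. The method's signature and its other parameters begin before this hunk.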