This is an automated email from the ASF dual-hosted git repository.

solomax pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openmeetings.git


The following commit(s) were added to refs/heads/master by this push:
     new e5f6815  [OPENMEETINGS-2639] invitation hash should be generated for 
password protected invitations
e5f6815 is described below

commit e5f6815235573ab820f9f5352083a5dfe83002cc
Author: Maxim Solodovnik <[email protected]>
AuthorDate: Tue Aug 10 23:56:29 2021 +0700

    [OPENMEETINGS-2639] invitation hash should be generated for password 
protected invitations
---
 .../db/entity/calendar/Appointment.java            |  4 ++
 .../openmeetings/db/entity/room/Invitation.java    |  4 ++
 .../apache/openmeetings/db/entity/room/Room.java   |  4 ++
 .../apache/openmeetings/web/app/Application.java   | 67 ++++++++++------------
 .../apache/openmeetings/web/room/RoomPanel.java    | 50 +++-------------
 .../webservice/CalendarWebService.java             |  2 +-
 6 files changed, 52 insertions(+), 79 deletions(-)

diff --git 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/calendar/Appointment.java
 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/calendar/Appointment.java
index 13cb47e..e592d3b 100644
--- 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/calendar/Appointment.java
+++ 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/calendar/Appointment.java
@@ -499,6 +499,10 @@ public class Appointment extends HistoricalEntity {
                this.etag = etag;
        }
 
+       public boolean isOwner(Long userId) {
+               return owner.getId().equals(userId);
+       }
+
        @Override
        public String toString() {
                return "Appointment [id=" + id + ", title=" + title + ", 
start=" + start + ", end=" + end + ", owner=" + owner
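Review bot: `isOwner` dereferences `owner` unconditionally, whereas the sibling `Invitation.isOwner` and `Room.isOwner` added in this commit guard their backing field against null; if an Appointment can exist without an owner, the new callers on the authorization path (`checkAppointment`, `CalendarWebService`) would throw instead of denying. Aligning it with the other two, `return owner != null && owner.getId().equals(userId);`, makes the three helpers behave the same. A one-line Javadoc stating that a null `userId` yields false would also help, since these helpers now sit directly on access-control decisions.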
diff --git 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Invitation.java
 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Invitation.java
index 062600c..76a46c8 100644
--- 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Invitation.java
+++ 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Invitation.java
@@ -271,4 +271,8 @@ public class Invitation extends HistoricalEntity {
        public void setAllowEntry(boolean allowEntry) {
                this.allowEntry = allowEntry;
        }
+
+       public boolean isOwner(Long userId) {
+               return invitedBy != null && invitedBy.getId().equals(userId);
+       }
 }
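Review bot: `Invitation.isOwner` is easy to misread as "is the invitee", since the invited user is the invitation's natural subject, but the field it compares is `invitedBy`. Suggest Javadoc `/** @return true when {@code userId} is the user who created this invitation ({@code invitedBy}), never the invitee. */`. The same method name is introduced on Room and Appointment with different backing fields, so spelling out which party each one means helps callers that combine them.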
diff --git 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Room.java
 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Room.java
index 4e7f986..30404c5 100644
--- 
a/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Room.java
+++ 
b/openmeetings-db/src/main/java/org/apache/openmeetings/db/entity/room/Room.java
@@ -630,6 +630,10 @@ public class Room extends HistoricalEntity {
                this.files = files;
        }
 
+       public boolean isOwner(Long userId) {
+               return ownerId != null && ownerId.equals(userId);
+       }
+
        @Override
        public String toString() {
                return "Room [id=" + id + ", name=" + name + ", type=" + type + 
"]";
diff --git 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
index a173df2..1c427f2 100644
--- 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
+++ 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/app/Application.java
@@ -41,6 +41,7 @@ import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import javax.websocket.WebSocketContainer;
@@ -61,6 +62,7 @@ import org.apache.openmeetings.db.entity.record.Recording;
 import org.apache.openmeetings.db.entity.room.Invitation;
 import org.apache.openmeetings.db.entity.room.Room;
 import org.apache.openmeetings.db.entity.room.RoomGroup;
+import org.apache.openmeetings.db.entity.user.Group;
 import org.apache.openmeetings.db.entity.user.GroupUser;
 import org.apache.openmeetings.db.entity.user.User;
 import org.apache.openmeetings.db.entity.user.User.Type;
@@ -521,23 +523,17 @@ public class Application extends 
AuthenticatedWebApplication implements IApplica
                Room r = i.getRoom();
                User u = i.getInvitee();
                if (r != null) {
-                       if (r.isAppointment() && 
i.getInvitedBy().getId().equals(u.getId())) {
-                               link = getRoomUrlFragment(r.getId()).getLink();
-                       } else {
-                               boolean allowed = Type.CONTACT != u.getType() 
&& Type.EXTERNAL != u.getType();
-                               if (allowed) {
-                                       allowed = get().isRoomAllowedToUser(r, 
u);
-                               }
-                               if (allowed) {
-                                       link = 
getRoomUrlFragment(r.getId()).getLink();
-                               } else {
-                                       PageParameters pp = new 
PageParameters();
-                                       pp.add(INVITATION_HASH, i.getHash());
-                                       if (u.getLanguageId() > 0) {
-                                               pp.add("language", 
u.getLanguageId());
-                                       }
-                                       link = urlForPage(HashPage.class, pp, 
baseUrl);
+                       if ((i.isPasswordProtected() && !r.isOwner(u.getId())) 
// invitation is password-protected and invitee is not owner
+                                       || Type.CONTACT == u.getType() || 
Type.EXTERNAL == u.getType() || !get().isRoomAllowedToUser(r, u)) // no-access
+                       {
+                               PageParameters pp = new PageParameters();
+                               pp.add(INVITATION_HASH, i.getHash());
+                               if (u.getLanguageId() > 0) {
+                                       pp.add("language", u.getLanguageId());
                                }
+                               link = urlForPage(HashPage.class, pp, baseUrl);
+                       } else {
+                               link = getRoomUrlFragment(r.getId()).getLink();
                        }
                }
                Recording rec = i.getRecording();
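Review bot: The owner exemption for password-protected invitations is keyed on `r.isOwner(u.getId())`, i.e. `Room.ownerId`, while the removed branch keyed the appointment-room bypass on `i.getInvitedBy()` equalling the invitee; the `Invitation.isOwner` helper added in this commit is not used here. If appointment rooms do not carry `ownerId` (not confirmable from the hunk), a self-issued password-protected invitation to an appointment room now yields a hash link where it previously yielded a direct room link — reasonable if the hash page is where the password is enforced, but worth stating in the commit. The boolean with a `//` comment in the middle of the expression is hard to scan; naming the two reasons first, `boolean needsPassword = i.isPasswordProtected() && !r.isOwner(u.getId());`, `boolean noDirectAccess = Type.CONTACT == u.getType() || Type.EXTERNAL == u.getType() || !get().isRoomAllowedToUser(r, u);`, `if (needsPassword || noDirectAccess) {`, keeps them visible. The enclosing method starts and ends outside the hunk.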
@@ -551,30 +547,28 @@ public class Application extends 
AuthenticatedWebApplication implements IApplica
                if (a == null || a.isDeleted()) {
                        return false;
                }
-               if (a.getOwner().getId().equals(u.getId())) {
+               if (a.isOwner(u.getId())) {
                        log.debug("[isRoomAllowedToUser] appointed room, Owner 
entered");
                        return true;
                }
-               for (MeetingMember mm : a.getMeetingMembers()) {
-                       if (mm.getUser().getId().equals(u.getId())) {
-                               return true;
-                       }
-               }
-               return false;
+               return a.getMeetingMembers().stream()
+                               .map(MeetingMember::getUser)
+                               .map(User::getId)
+                               .anyMatch(userId -> userId.equals(u.getId()));
        }
 
        private static boolean checkGroups(Room r, User u) {
                if (null == r.getGroups()) { //u.getGroupUsers() can't be null 
due to user was able to login
                        return false;
                }
-               for (RoomGroup ro : r.getGroups()) {
-                       for (GroupUser ou : u.getGroupUsers()) {
-                               if 
(ro.getGroup().getId().equals(ou.getGroup().getId())) {
-                                       return true;
-                               }
-                       }
-               }
-               return false;
+               Set<Long> roomGroups = r.getGroups().stream()
+                               .map(RoomGroup::getGroup)
+                               .map(Group::getId)
+                               .collect(Collectors.toSet());
+               return u.getGroupUsers().stream()
+                               .map(GroupUser::getGroup)
+                               .map(Group::getId)
+                               .anyMatch(roomGroups::contains);
        }
 
        public boolean isRoomAllowedToUser(Room r, User u) {
@@ -584,13 +578,12 @@ public class Application extends 
AuthenticatedWebApplication implements IApplica
                if (r.isAppointment()) {
                        Appointment a = appointmentDao.getByRoom(r.getId());
                        return checkAppointment(a, u);
-               } else {
-                       if (r.getIspublic() || (r.getOwnerId() != null && 
r.getOwnerId().equals(u.getId()))) {
-                               log.debug("[isRoomAllowedToUser] public ? {} , 
ownedId ? {} ALLOWED", r.getIspublic(), r.getOwnerId());
-                               return true;
-                       }
-                       return checkGroups(r, u);
                }
+               if (r.getIspublic() || r.isOwner(u.getId())) {
+                       log.debug("[isRoomAllowedToUser] public ? {} , ownedId 
? {} ALLOWED", r.getIspublic(), r.getOwnerId());
+                       return true;
+               }
+               return checkGroups(r, u);
        }
 
        public static boolean isUrlValid(String url) {
diff --git 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/room/RoomPanel.java
 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/room/RoomPanel.java
index de66749..ced060d 100644
--- 
a/openmeetings-web/src/main/java/org/apache/openmeetings/web/room/RoomPanel.java
+++ 
b/openmeetings-web/src/main/java/org/apache/openmeetings/web/room/RoomPanel.java
@@ -46,20 +46,18 @@ import org.apache.openmeetings.db.dao.file.FileItemDao;
 import org.apache.openmeetings.db.dao.user.UserDao;
 import org.apache.openmeetings.db.entity.basic.Client;
 import org.apache.openmeetings.db.entity.calendar.Appointment;
-import org.apache.openmeetings.db.entity.calendar.MeetingMember;
 import org.apache.openmeetings.db.entity.file.BaseFileItem;
 import org.apache.openmeetings.db.entity.room.Room;
 import org.apache.openmeetings.db.entity.room.Room.Right;
 import org.apache.openmeetings.db.entity.room.Room.RoomElement;
 import org.apache.openmeetings.db.entity.room.RoomGroup;
 import org.apache.openmeetings.db.entity.server.SOAPLogin;
-import org.apache.openmeetings.db.entity.user.GroupUser;
-import org.apache.openmeetings.db.entity.user.User;
 import org.apache.openmeetings.db.util.AuthLevelUtil;
 import org.apache.openmeetings.db.util.ws.RoomMessage;
 import org.apache.openmeetings.db.util.ws.RoomMessage.Type;
 import org.apache.openmeetings.db.util.ws.TextRoomMessage;
 import org.apache.openmeetings.util.NullStringer;
+import org.apache.openmeetings.web.app.Application;
 import org.apache.openmeetings.web.app.ClientManager;
 import org.apache.openmeetings.web.app.QuickPollManager;
 import org.apache.openmeetings.web.app.TimerService;
@@ -332,47 +330,17 @@ public class RoomPanel extends BasePanel {
                } else if (r.getId().equals(WebSession.get().getRoomId())) {
                        // secureHash/invitationHash, already checked
                } else {
-                       boolean allowed = false;
+                       boolean allowed = 
Application.get().isRoomAllowedToUser(r, c.getUser());
                        String deniedMessage = null;
                        if (r.isAppointment()) {
                                Appointment a = apptDao.getByRoom(r.getId());
-                               if (a != null && !a.isDeleted()) {
-                                       boolean isOwner = 
a.getOwner().getId().equals(getUserId());
-                                       allowed = isOwner;
-                                       log.debug("appointed room, isOwner ? 
{}", isOwner);
-                                       if (!allowed) {
-                                               for (MeetingMember mm : 
a.getMeetingMembers()) {
-                                                       if 
(getUserId().equals(mm.getUser().getId())) {
-                                                               allowed = true;
-                                                               break;
-                                                       }
-                                               }
-                                       }
-                                       if (allowed) {
-                                               Calendar cal = 
WebSession.getCalendar();
-                                               if (isOwner || 
cal.getTime().after(allowedStart(a.getStart())) && 
cal.getTime().before(a.getEnd())) {
-                                                       eventDetail = new 
EventDetailDialog(EVENT_DETAILS_ID, a);
-                                               } else {
-                                                       allowed = false;
-                                                       deniedMessage = 
String.format("%s %s - %s", getString("error.hash.period"), 
getDateFormat().format(a.getStart()), getDateFormat().format(a.getEnd()));
-                                               }
-                                       }
-                               }
-                       } else {
-                               allowed = r.getIspublic() || (r.getOwnerId() != 
null && r.getOwnerId().equals(getUserId()));
-                               log.debug("public ? {}, ownedId ? {} {}", 
r.getIspublic(), r.getOwnerId(), allowed);
-                               if (!allowed) {
-                                       User u = c.getUser();
-                                       for (RoomGroup ro : r.getGroups()) {
-                                               for (GroupUser ou : 
u.getGroupUsers()) {
-                                                       if 
(ro.getGroup().getId().equals(ou.getGroup().getId())) {
-                                                               allowed = true;
-                                                               break;
-                                                       }
-                                               }
-                                               if (allowed) {
-                                                       break;
-                                               }
+                               if (allowed) {
+                                       Calendar cal = WebSession.getCalendar();
+                                       if (a.isOwner(getUserId()) || 
cal.getTime().after(allowedStart(a.getStart())) && 
cal.getTime().before(a.getEnd())) {
+                                               eventDetail = new 
EventDetailDialog(EVENT_DETAILS_ID, a);
+                                       } else {
+                                               allowed = false;
+                                               deniedMessage = 
String.format("%s %s - %s", getString("error.hash.period"), 
getDateFormat().format(a.getStart()), getDateFormat().format(a.getEnd()));
                                        }
                                }
                        }
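Review bot: `a` is loaded by `apptDao.getByRoom(r.getId())` a second time after `Application.get().isRoomAllowedToUser(r, c.getUser())` has already fetched and validated the appointment internally, and the new code dereferences `a` whenever `allowed` is true; that holds only if both reads return the same non-null, non-deleted row, so a deletion between the two calls becomes a NullPointerException here rather than a denial. A local guard, `if (allowed && a != null && !a.isDeleted()) {`, keeps this panel's decision self-contained. The hunk also mixes `c.getUser()` for the access check with `getUserId()` for the ownership check; if those can ever differ for a client, the two checks disagree. The enclosing method continues outside the hunk.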
diff --git 
a/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
 
b/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
index a75a6d8..08aa687 100644
--- 
a/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
+++ 
b/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
@@ -288,7 +288,7 @@ public class CalendarWebService extends BaseWebService {
                                        return true;
                                        // fine
                                }
-                               if (AuthLevelUtil.hasUserLevel(rights) && 
a.getOwner().getId().equals(sd.getUserId())) {
+                               if (AuthLevelUtil.hasUserLevel(rights) && 
a.isOwner(sd.getUserId())) {
                                        return true;
                                }
                                return false;
