This is an automated email from the ASF dual-hosted git repository.

dklco pushed a commit to branch master
in repository 
https://gitbox.apache.org/repos/asf/sling-org-apache-sling-app-cms.git

commit 3f42e206943f37dfe24c9328232decbb201ebb77
Author: Dan Klco <[email protected]>
AuthorDate: Mon Nov 18 03:06:13 2019 -0500

    Combining the publish filter into the security filter to resolve challenges
    around previewing non-published files.
---
 .../core/internal/filters/CMSSecurityFilter.java   | 14 +++--
 .../internal/filters/CMSSecurityFilterConfig.java  | 15 +++--
 .../cms/core/internal/filters/PublishFilter.java   | 71 ----------------------
 3 files changed, 17 insertions(+), 83 deletions(-)

diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
index 97cf1ee..f58d207 100644
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
+++ 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilter.java
@@ -41,6 +41,8 @@ import org.apache.jackrabbit.api.security.user.Group;
 import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.sling.api.SlingHttpServletRequest;
+import org.apache.sling.cms.CMSConstants;
+import org.apache.sling.cms.CMSUtils;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
 import org.osgi.service.component.annotations.ConfigurationPolicy;
@@ -64,6 +66,8 @@ public class CMSSecurityFilter implements Filter {
 
     private List<Pattern> patterns = new ArrayList<>();
 
+    private static final String[] VALID_METHODS = new String[] { "GET", "HEAD" 
};
+
     @Modified
     @Activate
     public void activate(CMSSecurityFilterConfig config) {
@@ -116,7 +120,6 @@ public class CMSSecurityFilter implements Filter {
                         allowed = true;
                     }
                 }
-
             }
 
             // permission checked failed, so return an unauthorized error
@@ -126,10 +129,13 @@ public class CMSSecurityFilter implements Filter {
                 ((HttpServletResponse) response).sendError(401);
                 return;
             }
-        } else {
-            log.trace("Not filtering request to host {}", 
request.getServerName());
+        } else if (ArrayUtils.contains(VALID_METHODS, 
slingRequest.getMethod())) {
+            Object editEnabled = 
slingRequest.getAttribute(CMSConstants.ATTR_EDIT_ENABLED);
+            if (!"true".equals(editEnabled) && 
!CMSUtils.isPublished(slingRequest.getResource())) {
+                ((HttpServletResponse) response).sendError(404);
+                return;
+            }
         }
-
         chain.doFilter(request, response);
     }
 
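Review bot: The publish check now sits only in the `else if` branch, so a request that takes the first branch and is let through never reaches `CMSUtils.isPublished`, including one admitted by an allowed pattern rather than by a logged-in group member. If the first branch is the `hostDomains` match (its condition is outside this hunk, but the removed trace line logged `request.getServerName()`), an anonymous GET to a listed host for a path under the default `^\/content\/starter/.*$` pattern would be served unpublished content, where the deleted PublishFilter answered 404 unless the edit attribute was set. The server name normally reflects the client-supplied Host header unless a front-end proxy pins it, so the choice of gate should not be the only thing protecting unpublished resources. Consider recording whether `allowed` came from a pattern match or from the group check and applying the same `isPublished` test in the pattern-only case. The deleted filter was also limited by `sling.filter.pattern=/content/.+` and an `instanceof SlingHttpServletRequest` guard, neither of which is visible here, so please confirm this filter's registration keeps the 404 check off non-content paths.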
diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
index d2c1d13..5c95f36 100644
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
+++ 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/CMSSecurityFilterConfig.java
@@ -19,21 +19,20 @@ package org.apache.sling.cms.core.internal.filters;
 import org.osgi.service.metatype.annotations.AttributeDefinition;
 import org.osgi.service.metatype.annotations.ObjectClassDefinition;
 
-
 /**
  * Configuration for the CMSSecurityFilter
  */
 @ObjectClassDefinition(name = "%cms.security.filter.name", description = 
"%cms.security.filter.description", localization = "OSGI-INF/l10n/bundle")
 public @interface CMSSecurityFilterConfig {
 
-       @AttributeDefinition(name = "%hostDomains.name", description = 
"%hostDomains.description")
-       String[] hostDomains();
+    @AttributeDefinition(name = "%hostDomains.name", description = 
"%hostDomains.description")
+    String[] hostDomains() default "localhost";
 
-       @AttributeDefinition(name = "%allowedPatterns.name", description = 
"%allowedPatterns.description")
-       String[] allowedPatterns() default { "^\\/content\\/starter/.*$", 
"^\\/static/.*$",
-                       "^\\/system\\/sling\\/form\\/login$" };
+    @AttributeDefinition(name = "%allowedPatterns.name", description = 
"%allowedPatterns.description")
+    String[] allowedPatterns() default { "^\\/content\\/starter/.*$", 
"^\\/static/.*$",
+            "^\\/system\\/sling\\/form\\/login$" };
 
-       @AttributeDefinition(name = "%group.name", description = 
"%group.description")
-       String group();
+    @AttributeDefinition(name = "%group.name", description = 
"%group.description")
+    String group();
 
 }
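Review bot: `hostDomains` gains a default of `"localhost"` here, but nothing in this hunk documents what the setting now decides, and the l10n bundle behind `%hostDomains.description` is not among the three files in the diffstat. With this commit the list appears to select between two gates in CMSSecurityFilter.doFilter, the login/group check for listed hosts and the published-only check for GET/HEAD on every other host, although the first branch's condition is outside the visible hunks. I would add a Javadoc line on the attribute, for example `/** Hosts treated as authoring hosts; GET/HEAD requests to any other host are served only for published resources. */`, and update the bundle text to match. `group()` still has no default, so it is worth confirming how the filter behaves when only the defaults are in effect.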
diff --git 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/PublishFilter.java
 
b/core/src/main/java/org/apache/sling/cms/core/internal/filters/PublishFilter.java
deleted file mode 100644
index 8e20b28..0000000
--- 
a/core/src/main/java/org/apache/sling/cms/core/internal/filters/PublishFilter.java
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sling.cms.core.internal.filters;
-
-import java.io.IOException;
-
-import javax.servlet.Filter;
-import javax.servlet.FilterChain;
-import javax.servlet.FilterConfig;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.lang3.ArrayUtils;
-import org.apache.sling.api.SlingHttpServletRequest;
-import org.apache.sling.cms.CMSConstants;
-import org.apache.sling.cms.CMSUtils;
-import org.osgi.service.component.annotations.Component;
-
-/**
- * Denies requests to sling:Page and sling:File resources and children which 
are
- * not set to publish=true
- */
-@Component(service = { Filter.class }, property = { 
"sling.filter.scope=request",
-        "service.ranking=" + Integer.MAX_VALUE, 
"sling.filter.pattern=/content/.+" })
-public class PublishFilter implements Filter {
-
-    private static final String[] VALID_METHODS = new String[] { "GET", "HEAD" 
};
-
-    @Override
-    public void init(FilterConfig filterConfig) throws ServletException {
-        // Nothing required
-    }
-
-    @Override
-    public void doFilter(ServletRequest request, ServletResponse response, 
FilterChain chain)
-            throws IOException, ServletException {
-        if (request instanceof SlingHttpServletRequest) {
-            SlingHttpServletRequest slingRequest = (SlingHttpServletRequest) 
request;
-            if (ArrayUtils.contains(VALID_METHODS, slingRequest.getMethod())) {
-                Object editEnabled = 
slingRequest.getAttribute(CMSConstants.ATTR_EDIT_ENABLED);
-                if (!"true".equals(editEnabled) && 
!CMSUtils.isPublished(slingRequest.getResource())) {
-                    ((HttpServletResponse) response).sendError(404);
-                    return;
-                }
-            }
-        }
-        chain.doFilter(request, response);
-    }
-
-    @Override
-    public void destroy() {
-        // Nothing required
-    }
-
-}
