Update of
/var/cvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets
In directory
james.mmbase.org:/tmp/cvs-serv32574/cmsc/portlets/src/java/com/finalist/cmsc/portlets
Modified Files:
Tag: b1_4
CmscPortlet.java
Log Message:
CMSC-1138 There was no way at all to authorize access to portlet editing modes.
See also:
http://cvs.mmbase.org/viewcvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets
See also: http://www.mmbase.org/jira/browse/CMSC-1138
Index: CmscPortlet.java
===================================================================
RCS file:
/var/cvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets/CmscPortlet.java,v
retrieving revision 1.16.2.3
retrieving revision 1.16.2.4
diff -u -b -r1.16.2.3 -r1.16.2.4
--- CmscPortlet.java 9 Jun 2008 19:31:12 -0000 1.16.2.3
+++ CmscPortlet.java 6 Nov 2008 08:51:10 -0000 1.16.2.4
@@ -16,10 +16,9 @@
import org.apache.commons.logging.LogFactory;
import org.apache.pluto.core.CoreUtils;
import org.apache.pluto.core.InternalPortletRequest;
-import org.apache.pluto.om.portlet.ContentType;
import org.mmbase.bridge.*;
-import org.mmbase.security.UserContext;
+import com.finalist.cmsc.beans.om.Portlet;
import com.finalist.cmsc.beans.om.PortletParameter;
import com.finalist.cmsc.beans.om.View;
import com.finalist.cmsc.portalImpl.PortalConstants;
@@ -30,15 +29,14 @@
import com.finalist.pluto.portalImpl.aggregation.PortletFragment;
import com.finalist.pluto.portalImpl.core.*;
[EMAIL PROTECTED]("unused")
public class CmscPortlet extends GenericPortlet {
+
private static final String CONTENT_TYPE = "contenttype";
private static final String CONTENT_TYPE_DEFAULT = "text/html";
private Log log;
-
protected Log getLogger() {
if (log == null) {
log = LogFactory.getLog(this.getClass());
@@ -46,16 +44,65 @@
return log;
}
+ /**
+ * Answers whether the given [EMAIL PROTECTED] PortletMode} is restricted
for this [EMAIL PROTECTED] Portlet} instance.
+ * If a certain mode is restricted, an authorized user is required to
continue the request.
+ *
+ * @param mode
+ * the mode to check
+ * @return <code>true</code> if the given mode is restricted,
<code>false</code> otherwise.
+ */
+ protected boolean isRestrictedPortletMode(PortletMode mode) {
+ return mode == null || PortletMode.EDIT.equals(mode)
+ || CmscPortletMode.EDIT_DEFAULTS.equals(mode);
+ }
/**
- * @see
javax.portlet.GenericPortlet#processAction(javax.portlet.ActionRequest,
- * javax.portlet.ActionResponse)
+ * Answers whether the given [EMAIL PROTECTED] PortletRequest} is allowed.
A request is allowed if:
+ * <ol>
+ * <li>it's [EMAIL PROTECTED] PortletMode} is not restricted. See also
+ * [EMAIL PROTECTED] #isRestrictedPortletMode(PortletMode)}.</li>
+ * <li>it's [EMAIL PROTECTED] PortletMode} is restricted and the current
user is allowed to request the
+ * portlet in that mode.</li>
+ * </ol>
+ * Subclasses may override this method for different behavior.
+ *
+ * @param request
+ * the request to check
+ * @return <code>true</code> if the request is allowed, <code>false</code>
otherwise.
+ */
+ protected boolean isRequestAllowed(PortletRequest request) {
+ // TODO Move to a service?
+
+ PortletMode mode = request.getPortletMode();
+ if (isRestrictedPortletMode(mode)) {
+
+ Cloud cloud = CloudUtil.getCloudFromThread();
+ if (cloud != null) {
+ Node userNode = SecurityUtil.getUserNode(cloud);
+ if (userNode != null) {
+ return SecurityUtil.isLoggedInUser(cloud, userNode);
+ }
+ }
+
+ return false;
+ }
+
+ return true;
+ }
+
+
+ /*
+ * @see
javax.portlet.GenericPortlet#processAction(javax.portlet.ActionRequest,
javax.portlet.ActionResponse)
*/
@Override
public void processAction(ActionRequest req, ActionResponse res) throws
PortletException, IOException {
if (getLogger().isDebugEnabled()) {
getLogger().debug("===> process " + getPortletName() + " mode = " +
req.getPortletMode());
}
+
+ if (isRequestAllowed(req)) {
+
PortletMode mode = req.getPortletMode();
if (mode.equals(PortletMode.VIEW)) {
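Review bot: isRequestAllowed grants EDIT and EDIT_DEFAULTS to any user for whom `SecurityUtil.isLoggedInUser(cloud, userNode)` returns true, which, as far as its name indicates, is an authentication check rather than the per-portlet authorization the Javadoc promises ("the current user is allowed to request the portlet in that mode"). Either the Javadoc should state plainly that any logged-in user may edit, or the check should consult a permission tied to this portlet instance before returning; the `Portlet` import added in the first hunk appears to serve only the link in the Javadoc and gives no such handle. Until that is settled, a comment on the `return SecurityUtil.isLoggedInUser(cloud, userNode);` line would keep the next maintainer honest: `// Authentication only: any logged-in user passes. Per-portlet edit rights are not checked here.`. The null-mode case falls into the restricted branch and is denied unless a user is logged in, which is the safe default. processAction continues past the end of this hunk.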
@@ -86,6 +133,10 @@
throw new PortletException(mode.toString());
}
}
+ else {
+ getLogger().warn("Prevented unauthorised access to portlet: " +
getPortletName());
+ }
+ }
public void processPrint(ActionRequest req, ActionResponse res) throws
PortletException, IOException {
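Review bot: The warning written when a request is denied records only the portlet name, so an operator reading the log cannot tell which mode was requested or by whom, although the request object already carries both. `getLogger().warn("Prevented unauthorised access to portlet: " + getPortletName() + " mode = " + req.getPortletMode() + " user = " + req.getRemoteUser());` would make repeated attempts attributable. The same message is written in the doDispatch hunk ending just before getLocales and should be extended there too. Note also that a denied action returns normally without any signal to the portal, so the page re-renders as if the action had succeeded; if that is intended, a one-line comment in the `else` branch saying so would help.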
@@ -146,9 +197,8 @@
}
- /**
- * @see javax.portlet.GenericPortlet#doDispatch(javax.portlet.RenderRequest,
- * javax.portlet.RenderResponse)
+ /*
+ * @see
javax.portlet.GenericPortlet#doDispatch(javax.portlet.RenderRequest,
javax.portlet.RenderResponse)
*/
@Override
protected void doDispatch(RenderRequest req, RenderResponse res) throws
IOException, PortletException {
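Review bot: The comment above doDispatch changes from `/**` to `/*`, so the `@see` line stops being Javadoc and the method loses its generated documentation; the same happens to processAction in the third hunk. Since both methods carry `@Override`, the inherited GenericPortlet description applies, so either delete the comment or keep it as Javadoc with `/** {@inheritDoc} */`. As a point of style, a comment that exists only to point at the overridden method adds little once `@Override` is present.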
@@ -158,8 +208,9 @@
"===> " + getPortletName() + " mode = " + req.getPortletMode()
+ " window = " + req.getWindowState());
}
- WindowState state = req.getWindowState();
+ if (isRequestAllowed(req)) {
+ WindowState state = req.getWindowState();
if (!state.equals(WindowState.MINIMIZED)) {
PortletMode mode = req.getPortletMode();
@@ -192,6 +243,10 @@
}
}
}
+ else {
+ getLogger().warn("Prevented unauthorised access to portlet: " +
getPortletName());
+ }
+ }
protected List<Locale> getLocales(RenderRequest request) {