Update of
/var/cvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets
In directory
james.mmbase.org:/tmp/cvs-serv3952/cmsc/portlets/src/java/com/finalist/cmsc/portlets
Modified Files:
Tag: v1_3
CmscPortlet.java
Log Message:
CMSC-1138 There was no way at all to authorize access to portlet editing modes.
See also:
http://cvs.mmbase.org/viewcvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets
See also: http://www.mmbase.org/jira/browse/CMSC-1138
Index: CmscPortlet.java
===================================================================
RCS file:
/var/cvs/contributions/CMSContainer/cmsc/portlets/src/java/com/finalist/cmsc/portlets/CmscPortlet.java,v
retrieving revision 1.10.2.2
retrieving revision 1.10.2.3
diff -u -b -r1.10.2.2 -r1.10.2.3
--- CmscPortlet.java 22 Oct 2007 09:22:25 -0000 1.10.2.2
+++ CmscPortlet.java 6 Nov 2008 12:37:16 -0000 1.10.2.3
@@ -19,6 +19,7 @@
import org.mmbase.bridge.*;
import org.mmbase.security.UserContext;
+import com.finalist.cmsc.beans.om.Portlet;
import com.finalist.cmsc.beans.om.PortletParameter;
import com.finalist.cmsc.beans.om.View;
import com.finalist.cmsc.portalImpl.PortalConstants;
@@ -42,6 +43,52 @@
}
/**
+ * Answers whether the given [EMAIL PROTECTED] PortletMode} is restricted
for this [EMAIL PROTECTED] Portlet} instance.
+ * If a certain mode is restricted, an authorized user is required to
continue the request.
+ *
+ * @param mode the mode to check
+ * @return <code>true</code> if the given mode is restricted,
<code>false</code> otherwise.
+ */
+ protected boolean isRestrictedPortletMode(PortletMode mode) {
+ return mode == null || PortletMode.EDIT.equals(mode)
+ || CmscPortletMode.EDIT_DEFAULTS.equals(mode);
+ }
+
+ /**
+ * Answers whether the given [EMAIL PROTECTED] PortletRequest} is allowed.
A request is allowed if:
+ * <ol>
+ * <li>it's [EMAIL PROTECTED] PortletMode} is not restricted. See also
+ * [EMAIL PROTECTED] #isRestrictedPortletMode(PortletMode)}.</li>
+ * <li>it's [EMAIL PROTECTED] PortletMode} is restricted and the current
user is allowed to request the
+ * portlet in that mode.</li>
+ * </ol>
+ * Subclasses may override this method for different behavior.
+ *
+ * @param request
+ * the request to check
+ * @return <code>true</code> if the request is allowed, <code>false</code>
otherwise.
+ */
+ protected boolean isRequestAllowed(PortletRequest request) {
+ // TODO Move to a service?
+
+ PortletMode mode = request.getPortletMode();
+ if (isRestrictedPortletMode(mode)) {
+
+ Cloud cloud = CloudUtil.getCloudFromThread();
+ if (cloud != null) {
+ Node userNode = SecurityUtil.getUserNode(cloud);
+ if (userNode != null) {
+ return SecurityUtil.isLoggedInUser(cloud, userNode);
+ }
+ }
+
+ return false;
+ }
+
+ return true;
+ }
+
+ /*
* @see
javax.portlet.GenericPortlet#processAction(javax.portlet.ActionRequest,
javax.portlet.ActionResponse)
*/
@Override
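Review bot: `isRequestAllowed` verifies only that a user is logged in (`SecurityUtil.isLoggedInUser(cloud, userNode)`), while its Javadoc promises that "the current user is allowed to request the portlet in that mode"; no per-portlet or per-mode right is consulted, so any authenticated user passes the gate for EDIT and EDIT_DEFAULTS. Either tighten the check to an actual edit right on this portlet, or make the contract honest by changing the doc line to `* <li>its PortletMode is restricted and the current user is authenticated (no per-portlet right is checked).</li>` so subclasses know what they must add when overriding. The fail-closed choices are good and worth a comment: `mode == null` is treated as restricted and a missing thread-bound cloud or user node yields `false`, e.g. `// fail closed: no cloud or no user node means the restricted mode is denied`. The `Portlet` import added in the first hunk appears to be referenced only from the Javadoc link in this hunk (garbled in the archived mail), which some compilers flag as unused.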
@@ -49,6 +96,8 @@
if (getLogger().isDebugEnabled()) {
getLogger().debug("===> process " + getPortletName() + " mode = "
+ req.getPortletMode());
}
+
+ if (isRequestAllowed(req)) {
PortletMode mode = req.getPortletMode();
if (mode.equals(PortletMode.VIEW)) {
@@ -79,6 +128,10 @@
throw new PortletException(mode.toString());
}
}
+ else {
+ getLogger().warn("Prevented unauthorised access to portlet: " +
getPortletName());
+ }
+ }
public void processPrint(ActionRequest req, ActionResponse res) throws
PortletException, IOException {
//convenience method
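Review bot: The warning in the new `else` branch records only the portlet name, so an operator investigating a denied request cannot see which mode was requested; since `req.getPortletMode()` is already available here, log it too: `getLogger().warn("Prevented unauthorised access to portlet: " + getPortletName() + " mode = " + req.getPortletMode());`. The same applies to the matching `else` branch added to doDispatch in the last hunk. A denied action also falls through and returns normally, leaving the ActionResponse untouched, so the caller gets no error or redirect; if that is intended, a comment such as `// denied: leave the response untouched, the render phase is gated separately` would make it explicit. processAction's body starts in the previous hunk.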
@@ -130,17 +183,18 @@
}
- /**
+ /*
* @see
javax.portlet.GenericPortlet#doDispatch(javax.portlet.RenderRequest,
javax.portlet.RenderResponse)
*/
@Override
- protected void doDispatch(RenderRequest req, RenderResponse res)
- throws IOException, PortletException {
+ protected void doDispatch(RenderRequest req, RenderResponse res) throws
IOException, PortletException {
if (getLogger().isDebugEnabled()) {
getLogger().debug("===> " + getPortletName() + " mode = " +
req.getPortletMode() + " window = " + req.getWindowState());
}
+ if (isRequestAllowed(req)) {
+
WindowState state = req.getWindowState();
if (!state.equals(WindowState.MINIMIZED)) {
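Review bot: When `isRequestAllowed(req)` is false, doDispatch writes nothing to the RenderResponse, so a restricted mode renders as an empty portlet window with no indication to the user that access was denied; that may be acceptable, but it is worth stating at the `if`, e.g. `// denied requests render nothing; the warning is logged in the else branch below`. The `/**` to `/*` change turns the `@see` comment into a plain block comment, which is fine for an `@Override` method since the superclass Javadoc is inherited anyway. The guarded body and its `else` branch continue past this hunk.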
@@ -175,6 +229,10 @@
}
}
}
+ else {
+ getLogger().warn("Prevented unauthorised access to portlet: " +
getPortletName());
+ }
+ }
protected List<Locale> getLocales(RenderRequest request) {
PortletMode mode = request.getPortletMode();