shuber 2004/08/18 18:28:49 CEST
Modified files:
core/src/conf/java JahiaMessageResources.properties
JahiaMessageResources_en.properties
JahiaMessageResources_fr.properties
core/src/java/org/jahia/engines/users
NewUserRegistration_Engine.java
Log:
- Security fix: made it impossible to register new users into the
administrators, users and guest groups.
Revision Changes Path
1.6 +1 -0 jahia/core/src/conf/java/JahiaMessageResources.properties
http://jahia.mine.nu:8080/cgi-bin/cvsweb.cgi/jahia/core/src/conf/java/JahiaMessageResources.properties.diff?r1=1.5&r2=1.6&f=h
1.6 +1 -0 jahia/core/src/conf/java/JahiaMessageResources_en.properties
http://jahia.mine.nu:8080/cgi-bin/cvsweb.cgi/jahia/core/src/conf/java/JahiaMessageResources_en.properties.diff?r1=1.5&r2=1.6&f=h
1.6 +1 -0 jahia/core/src/conf/java/JahiaMessageResources_fr.properties
http://jahia.mine.nu:8080/cgi-bin/cvsweb.cgi/jahia/core/src/conf/java/JahiaMessageResources_fr.properties.diff?r1=1.5&r2=1.6&f=h
1.4 +24 -0
jahia/core/src/java/org/jahia/engines/users/NewUserRegistration_Engine.java
http://jahia.mine.nu:8080/cgi-bin/cvsweb.cgi/jahia/core/src/java/org/jahia/engines/users/NewUserRegistration_Engine.java.diff?r1=1.3&r2=1.4&f=h
Index: JahiaMessageResources.properties
===================================================================
RCS file: /cvs/jahia/core/src/conf/java/JahiaMessageResources.properties,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- JahiaMessageResources.properties 17 Aug 2004 08:09:01 -0000 1.5
+++ JahiaMessageResources.properties 18 Aug 2004 16:28:48 -0000 1.6
@@ -248,3 +248,4 @@
org.jahia.engines.users.newuserregistration.passwordTooShort
= Password too short (mininum 6 characters)
org.jahia.engines.users.newuserregistration.userNameAlreadyExists
= User name already exists
org.jahia.engines.users.newuserregistration.errorWhileCreatingUser
= Error while creating user
+org.jahia.engines.users.newuserregistration.unauthorizedGroup
= User tried to register into unauthorized group {0}
\ No newline at end of file
Index: JahiaMessageResources_en.properties
===================================================================
RCS file: /cvs/jahia/core/src/conf/java/JahiaMessageResources_en.properties,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- JahiaMessageResources_en.properties 17 Aug 2004 08:09:01 -0000 1.5
+++ JahiaMessageResources_en.properties 18 Aug 2004 16:28:48 -0000 1.6
@@ -248,3 +248,4 @@
org.jahia.engines.users.newuserregistration.passwordTooShort
= Password too short (mininum 6 characters)
org.jahia.engines.users.newuserregistration.userNameAlreadyExists
= User name already exists
org.jahia.engines.users.newuserregistration.errorWhileCreatingUser
= Error while creating user
+org.jahia.engines.users.newuserregistration.unauthorizedGroup
= User tried to register into unauthorized group {0}
\ No newline at end of file
Index: JahiaMessageResources_fr.properties
===================================================================
RCS file: /cvs/jahia/core/src/conf/java/JahiaMessageResources_fr.properties,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- JahiaMessageResources_fr.properties 17 Aug 2004 08:09:01 -0000 1.5
+++ JahiaMessageResources_fr.properties 18 Aug 2004 16:28:48 -0000 1.6
@@ -226,3 +226,4 @@
org.jahia.engines.users.newuserregistration.passwordTooShort
= Mot de passe trop court (mininum 6 caractères)
org.jahia.engines.users.newuserregistration.userNameAlreadyExists
= Ce nom d'utilisateur existe déjà
org.jahia.engines.users.newuserregistration.errorWhileCreatingUser
= Erreur lors de la création de l'utilisateur.
+org.jahia.engines.users.newuserregistration.unauthorizedGroup
= Tentative d'ajout d'un utilisateur à un group
interdit ({0})
\ No newline at end of file
Index: NewUserRegistration_Engine.java
===================================================================
RCS file:
/cvs/jahia/core/src/java/org/jahia/engines/users/NewUserRegistration_Engine.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- NewUserRegistration_Engine.java 6 Aug 2004 19:39:30 -0000 1.3
+++ NewUserRegistration_Engine.java 18 Aug 2004 16:28:49 -0000 1.4
@@ -226,6 +226,29 @@
}
if (allValuesValid) {
+ // now let's check that the group list doesn't contain
+ // invalid groups
+ if (groupList != null) {
+ for (int i = 0; i < groupList.length; i++) {
+ String curGroupName = groupList[i];
+ if (JahiaGroupManagerService.ADMINISTRATORS_GROUPNAME.
+ equals(curGroupName) ||
+ JahiaGroupManagerService.GUEST_GROUPNAME.equals(
+ curGroupName) ||
+ JahiaGroupManagerService.USERS_GROUPNAME.equals(
+ curGroupName)) {
+ allValuesValid = false;
+ EngineMessage errorMessage = new EngineMessage(
+
"org.jahia.engines.users.newuserregistration.unauthorizedGroup",
+ curGroupName);
+ resultMessages.add("newUserRegistration",
+ errorMessage);
+ }
+ }
+ }
+ }
+
+ if (allValuesValid) {
JahiaUser newUser = ServicesRegistry.getInstance().
getJahiaUserManagerService().
createUser(userName,
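Review bot: The added loop over `groupList` rejects only three reserved names, so any other group name the client submits still passes through to `createUser` and to whatever group assignment follows outside the hunk. The form's own list is built from `getGroups(jParams.getSiteID())` minus the reserved names (second hunk), and validating against that same set would be stricter than a denylist: `if (!allowedGroupNames.contains(curGroupName)) { allValuesValid = false; ... }`, where `allowedGroupNames` is a name made up for this note. The comparison is an exact, case-sensitive `equals`; if group lookup elsewhere normalises names, this check should normalise the same way, which cannot be confirmed from the visible lines. A rejected request is a useful detection signal, so a short comment plus a log entry at the `allValuesValid = false;` line would help, for example `// client-supplied group name outside the offered list: reject and log`. The enclosing method starts and ends outside the hunk.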
@@ -284,6 +307,7 @@
Map groupMap =
ServicesRegistry.getInstance().getJahiaSiteGroupManagerService().getGroups(jParams.getSiteID());
groupMap.remove(JahiaGroupManagerService.ADMINISTRATORS_GROUPNAME);
groupMap.remove(JahiaGroupManagerService.GUEST_GROUPNAME);
+ groupMap.remove(JahiaGroupManagerService.USERS_GROUPNAME);
Set groupNameSet = groupMap.keySet();
engineMap.put("groupList", groupNameSet);