xlawrence    2005/08/08 10:21:17 CEST

  Modified files:
    core/src/java/org/jahia/ajax AjaxServlet.java 
  Log:
  Added security check to prevent malicious use of the AJAX servlet
  
  Revision  Changes    Path
  1.2       +32 -20    jahia/core/src/java/org/jahia/ajax/AjaxServlet.java
http://jahia.mine.nu:8080/cgi-bin/cvsweb.cgi/jahia/core/src/java/org/jahia/ajax/AjaxServlet.java.diff?r1=1.1&r2=1.2&f=h
  
  
  
  Index: AjaxServlet.java
  ===================================================================
  RCS file: 
/home/cvs/repository/jahia/core/src/java/org/jahia/ajax/AjaxServlet.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- AjaxServlet.java  5 Aug 2005 13:50:38 -0000       1.1
  +++ AjaxServlet.java  8 Aug 2005 08:21:16 -0000       1.2
  @@ -47,7 +47,6 @@
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   import org.jahia.bin.Jahia;
  -import org.jahia.content.ContentPageKey;
   import org.jahia.data.beans.ActionURIBean;
   import org.jahia.data.beans.ContainerBean;
   import org.jahia.data.beans.ContainerListBean;
  @@ -64,9 +63,9 @@
   import org.jahia.params.ProcessingContext;
   import org.jahia.params.ProcessingContextFactory;
   import org.jahia.registries.ServicesRegistry;
  -import org.jahia.resourcebundle.JahiaResourceBundle;
  -import org.jahia.services.pages.ContentPage;
  +import org.jahia.services.acl.JahiaBaseACL;
   import org.jahia.services.pages.JahiaPage;
  +import org.jahia.services.usermanager.JahiaUser;
   import org.jahia.services.version.EntryLoadRequest;
   import org.springframework.beans.factory.BeanFactory;
   
  @@ -134,6 +133,33 @@
               final HttpServletResponse response )
       throws IOException, ServletException {
           try {
  +            // Create the ProcessingContext
  +            final BeanFactory bf = Jahia.getConfigBeanFactory();
  +            final ProcessingContextFactory pcf = (ProcessingContextFactory) 
bf.
  +                    getBean(ProcessingContextFactory.class.getName());
  +            final ProcessingContext jParams = pcf.getContext(request, 
response,
  +                    super.getServletContext());
  +            
  +            final JahiaPage currentPage = jParams.getPage();
  +            final JahiaUser currentUser = jParams.getUser();
  +                    
  +            if (currentUser != null && currentPage != null &&
  +                    currentPage.getACL().getPermission(currentUser, 
JahiaBaseACL.WRITE_RIGHTS)) {
  +                jParams.setOpMode(jParams.EDIT);
  +                
  +            } else {
  +                logger.warn("Unauthorized attempt to use AJAX Servlet");
  +                response.setStatus(response.SC_FORBIDDEN);
  +                response.sendError(response.SC_FORBIDDEN, 
  +                        "Must be logged in and have 'Write' access");
  +                return;
  +            }
  +            
  +            logger.debug("jParams: pid = " + currentPage.getID() + ", user = 
" +
  +                    currentUser.getName() + ", mode = " +
  +                    jParams.getOperationMode() + ", SessionID = " +
  +                    jParams.getSessionID());
  +            
               final String objectType = getParameter(request, response, TYPE);
               if (objectType == null) return;
               
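Review bot: The authorization check added before the debug log decides on the current page's ACL alone (`currentPage.getACL().getPermission(currentUser, JahiaBaseACL.WRITE_RIGHTS)`), while the request then resolves whatever the `objectID`/`objectType` parameters name (see the `Integer.parseInt(objectID)` hunk below); if those objects can live on another page, the same write check should be repeated against the ACL of the object actually targeted, not just the page taken from the processing context. The `logger.warn("Unauthorized attempt to use AJAX Servlet")` line carries no context, so the event cannot be correlated later; something like `logger.warn("Unauthorized AJAX request from " + request.getRemoteAddr() + ", user=" + (currentUser == null ? "none" : currentUser.getName()) + ", page=" + (currentPage == null ? "none" : String.valueOf(currentPage.getID())));` makes it actionable. `response.setStatus(response.SC_FORBIDDEN)` is redundant with the `sendError` call that follows, and both `response.SC_FORBIDDEN` and `jParams.EDIT` reach static constants through an instance where `HttpServletResponse.SC_FORBIDDEN` and `ProcessingContext.EDIT` would be clearer. The relocated debug line still writes `jParams.getSessionID()` to the log; a session identifier is a credential and should be left out of log output. processRequest's body continues outside the hunk.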
  @@ -152,21 +178,7 @@
               
               logger.debug("processRequest: objectType=" + objectType + ", 
objectID="+
                       objectID + ", definitionID=" + definitionID + ", 
parentID=" +
  -                    parentID + ", pageID=" + pageID);
  -            
  -            // Create the ProcessingContext
  -            final BeanFactory bf = Jahia.getConfigBeanFactory();
  -            final ProcessingContextFactory pcf = (ProcessingContextFactory) 
bf.
  -                    getBean(ProcessingContextFactory.class.getName());
  -            final ProcessingContext jParams = pcf.getContext(request, 
response, 
  -                    super.getServletContext());
  -            
  -            jParams.setOpMode(jParams.EDIT);
  -            
  -            logger.debug("jParams: pid = " + jParams.getPageID() + ", user = 
" +
  -                    jParams.getUser().getName() + ", mode = " + 
  -                    jParams.getOperationMode () + ", SessionID = " + 
  -                    jParams.getSessionID());
  +                    parentID + ", pageID=" + pageID);   
               
               // The unique contentObject ID
               final int objID = Integer.parseInt(objectID);
  @@ -181,7 +193,7 @@
               
               // Action Menu for a page
               if (PageBean.TYPE.equals(objectType)) {
  -                bean = new PageBean(jParams.getPage(), jParams);
  +                bean = new PageBean(currentPage, jParams);
                   logger.debug("PageID: " + bean.getID());
                   
               // Action Menu for a ContainerList
  @@ -327,7 +339,7 @@
               final ProcessingContext jParams) throws JahiaException {
           final GuiBean gui = new GuiBean(jParams);
           final HTMLToolBox box = new HTMLToolBox(gui, jParams);
  -        final HashMap result = new HashMap();
  +        final Map result = new HashMap();
           
           final Map objectInfo = (Map)objectKeyToInfo.get(
                   box.buildUniqueContentID(bean));
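Review bot: `final Map result = new HashMap();` on the changed line is still a raw type, so the compiler cannot check what is later put into it; if the build targets Java 5 or newer, declare the key and value types (e.g. `final Map<String, Object> result = new HashMap<String, Object>();`, adjusted to what the method actually stores), otherwise a comment naming the expected key/value types would help the reader. The surrounding `objectKeyToInfo.get(...)` lookup is likewise an unchecked `(Map)` cast. The enclosing method starts and continues outside the hunk.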
  
