Author: agilliland
Date: Wed Jan 11 22:36:01 2006
New Revision: 368290
URL: http://svn.apache.org/viewcvs?rev=368290&view=rev
Log:
updating profile page for better security.
- removed hidden html form fields for user id and password.
- updated profile action to be more robust.
Modified:
incubator/roller/trunk/src/org/roller/presentation/website/actions/YourProfileAction.java
incubator/roller/trunk/web/website/YourProfile.jsp
Modified:
incubator/roller/trunk/src/org/roller/presentation/website/actions/YourProfileAction.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/website/actions/YourProfileAction.java?rev=368290&r1=368289&r2=368290&view=diff
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/website/actions/YourProfileAction.java
(original)
+++
incubator/roller/trunk/src/org/roller/presentation/website/actions/YourProfileAction.java
Wed Jan 11 22:36:01 2006
@@ -119,14 +119,18 @@
ActionMessages errors = validate(form, new ActionErrors());
if (errors.size() == 0)
{
- UserManager mgr = RollerFactory.getRoller().getUserManager();
- UserData data = mgr.getUser( form.getUserName() );
+ // We ONLY modify the user currently logged in
+ RollerSession rollerSession =
RollerSession.getRollerSession(request);
+ UserData data = rollerSession.getAuthenticatedUser();
// Need system user to update user
RollerFactory.getRoller().setUser(UserData.SYSTEM_USER);
- // Copy data from form to object (won't copy over password)
- form.copyTo(data, request.getLocale());
+ // We want to be VERY selective about what data gets updated
+ data.setFullName(form.getFullName());
+ data.setEmailAddress(form.getEmailAddress());
+ data.setLocale(form.getLocale());
+ data.setTimeZone(form.getTimeZone());
// If user set both password and passwordConfirm then reset
password
if ( !StringUtils.isEmpty(form.getPasswordText())
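Review bot: The value returned by `rollerSession.getAuthenticatedUser()` is dereferenced on the following `data.setFullName(...)` line with no null check, so a request whose session no longer carries an authenticated user would fail with a NullPointerException rather than a controlled forward; whether the session lookup can return null is not visible in this hunk, but the action is reachable from a plain POST, so it is worth guarding. The guard belongs before `RollerFactory.getRoller().setUser(UserData.SYSTEM_USER)` so that the switch to the system user only happens once the caller is known to be logged in, e.g. `if (data == null) { return mapping.findForward(NOT_LOGGED_IN_FORWARD /* placeholder: the action's existing not-logged-in forward */); }`. The selective field copy is the right shape for the stated goal; a short comment on the `data.setFullName` line such as `// id, userName, password, enabled are intentionally NOT taken from the form` would make the intent survive future edits. The enclosing method starts before and continues after this hunk.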
@@ -144,16 +148,16 @@
new
ActionMessage("yourProfile.passwordResetError"));
}
}
- RollerSession rses = RollerSession.getRollerSession(request);
- rses.setAuthenticatedUser(data);
- mgr.storeUser( data );
+
+ // save the updated profile
+ UserManager mgr = RollerFactory.getRoller().getUserManager();
+ mgr.storeUser(data);
RollerFactory.getRoller().commit();
request.setAttribute("model", new BasePageModel(
"yourProfile.title", request, response, mapping));
- //msgs.add(null, new ActionMessage("yourProfile.saved"));
saveMessages(request, msgs);
}
else
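Review bot: The new `mgr.storeUser(data)` and `RollerFactory.getRoller().commit()` lines appear to run even when the preceding branch has just added `yourProfile.passwordResetError`, so a failed password reset still persists the other profile changes and reports success via `saveMessages(request, msgs)`; which collection that ActionMessage goes into is not visible here, so if it is the errors collection this may be intended, but a comment stating the intended outcome would avoid the ambiguity. The removal of `rses.setAuthenticatedUser(data)` looks correct only because `data` is now the very object held by the session; a one-line comment above `mgr.storeUser(data)` such as `// data is the session's own authenticated UserData instance, so no re-bind into the session is needed` would record that dependency for the next maintainer. The method continues outside this hunk.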
Modified: incubator/roller/trunk/web/website/YourProfile.jsp
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/web/website/YourProfile.jsp?rev=368290&r1=368289&r2=368290&view=diff
==============================================================================
--- incubator/roller/trunk/web/website/YourProfile.jsp (original)
+++ incubator/roller/trunk/web/website/YourProfile.jsp Wed Jan 11 22:36:01 2006
@@ -4,9 +4,6 @@
<html:form action="/editor/yourProfile" method="post" focus="fullName">
<input type="hidden" name="method" value="save"></input>
- <html:hidden property="id" /></input>
- <html:hidden property="password" /></input>
- <html:hidden property="enabled" /></input>
<table class="formtable">