Author: snoopdave
Date: Thu Jan 12 10:30:07 2006
New Revision: 368440
URL: http://svn.apache.org/viewcvs?rev=368440&view=rev
Log:
Couple of additional permissions checks
Modified:
incubator/roller/trunk/src/org/roller/business/utils/PasswordUtility.java
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/CommentManagementAction.java
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/WeblogQueryAction.java
incubator/roller/trunk/src/org/roller/presentation/website/actions/InviteMemberAction.java
incubator/roller/trunk/src/org/roller/presentation/website/actions/MemberPermissionsAction.java
incubator/roller/trunk/web/website/InviteMember.jsp
Modified:
incubator/roller/trunk/src/org/roller/business/utils/PasswordUtility.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/business/utils/PasswordUtility.java?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
--- incubator/roller/trunk/src/org/roller/business/utils/PasswordUtility.java
(original)
+++ incubator/roller/trunk/src/org/roller/business/utils/PasswordUtility.java
Thu Jan 12 10:30:07 2006
@@ -144,6 +144,7 @@
userUpdate.setString(1, Utilities.encodePassword(passphrase,
algorithm));
userUpdate.setString(2, username);
userUpdate.executeUpdate();
+ System.out.println("Encrypted password for user: " + username);
}
configUpdate.setBoolean(1, true);
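Review bot: The added `System.out.println("Encrypted password for user: " + username)` writes straight to stdout from a business utility, so it bypasses whatever logging configuration the application uses and carries no level or timestamp; if this class has a logger, routing the line through it at info level would be the consistent choice. The wording also says "Encrypted" while the call it follows is `Utilities.encodePassword(passphrase, algorithm)`; if that helper produces a one-way digest rather than a reversible ciphertext, "Encoded" or "Hashed" would describe the operation accurately and avoid misleading whoever reads the console output. The enclosing method starts and ends outside the hunk.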
Modified:
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/CommentManagementAction.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/weblog/actions/CommentManagementAction.java?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/CommentManagementAction.java
(original)
+++
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/CommentManagementAction.java
Thu Jan 12 10:30:07 2006
@@ -63,7 +63,8 @@
CommentManagementForm queryForm = (CommentManagementForm)actionForm;
RollerRequest rreq = RollerRequest.getRollerRequest(request);
-
+ RollerSession rses = RollerSession.getRollerSession(request);
+
if (rreq.getWeblogEntry() != null) {
queryForm.setEntryid(rreq.getWeblogEntry().getId());
queryForm.setWeblog(rreq.getWeblogEntry().getWebsite().getHandle());
@@ -77,10 +78,17 @@
request.setAttribute("commentManagementForm", actionForm);
}
- if (rreq.getWebsite() != null) {
+ // Ensure user is authorized to view comments in weblog
+ if (rreq.getWebsite() != null &&
rses.isUserAuthorized(rreq.getWebsite())) {
return mapping.findForward("commentManagement.page");
}
- return mapping.findForward("commentManagementGlobal.page");
+ // And ensure only global admins can see all comments
+ else if (rses.isGlobalAdminUser()) {
+ return mapping.findForward("commentManagementGlobal.page");
+ }
+ else {
+ return mapping.findForward("access-denied");
+ }
}
public ActionForward update(
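Review bot: `rses` is dereferenced on the new `rses.isUserAuthorized(rreq.getWebsite())` and `rses.isGlobalAdminUser()` lines with no null check; if `RollerSession.getRollerSession(request)` can return null for a request without an established session, both branches throw NullPointerException instead of reaching the `access-denied` forward — worth confirming against that method's contract, or guarding with `rses != null &&` on the first condition. When a weblog is specified but the user is not authorized for it, the `else if (rses.isGlobalAdminUser())` branch sends a global admin to `commentManagementGlobal.page` rather than the per-weblog view that was requested, which may be intended but reads as a fall-through; a comment such as `// global admins without weblog perms get the global view` would make the decision explicit. The check also runs after the form has been populated from the weblog entry in the previous hunk, which is harmless given the denial forward but could be hoisted to the top of the method. The method signature is outside the hunk.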
Modified:
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/WeblogQueryAction.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/weblog/actions/WeblogQueryAction.java?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/WeblogQueryAction.java
(original)
+++
incubator/roller/trunk/src/org/roller/presentation/weblog/actions/WeblogQueryAction.java
Thu Jan 12 10:30:07 2006
@@ -14,6 +14,7 @@
import org.roller.RollerException;
import org.roller.model.RollerFactory;
import org.roller.model.WeblogManager;
+import org.roller.pojos.WebsiteData;
import org.roller.presentation.RollerRequest;
import org.roller.presentation.RollerSession;
import org.roller.presentation.weblog.formbeans.WeblogQueryForm;
@@ -44,22 +45,28 @@
throws IOException, ServletException, RollerException
{
WeblogQueryForm form = (WeblogQueryForm)actionForm;
- RollerRequest rreq = RollerRequest.getRollerRequest(request);
- WeblogManager wmgr = RollerFactory.getRoller().getWeblogManager();
-
- String status= form.getStatus().equals("ALL") ? null :
form.getStatus();
-
- request.setAttribute("model", new WeblogQueryPageModel(
- request,
- response,
- mapping,
- rreq.getWebsite(),
- form.getCategoryId(),
- form.getStartDateString(),
- form.getEndDateString(),
- status,
- form.getMaxEntries()));
+ RollerRequest rreq = RollerRequest.getRollerRequest(request);
+ WeblogManager wmgr = RollerFactory.getRoller().getWeblogManager();
+ RollerSession rses = RollerSession.getRollerSession(request);
+ // ensure that weblog is specfied and user has permission to work there
+ if (rreq.getWebsite() != null &&
rses.isUserAuthorized(rreq.getWebsite())) {
+ String status= form.getStatus().equals("ALL") ? null :
form.getStatus();
+ request.setAttribute("model", new WeblogQueryPageModel(
+ request,
+ response,
+ mapping,
+ rreq.getWebsite(),
+ form.getCategoryId(),
+ form.getStartDateString(),
+ form.getEndDateString(),
+ status,
+ form.getMaxEntries()));
+ }
+ else
+ {
+ return mapping.findForward("access-denied");
+ }
return mapping.findForward("weblogQuery.page");
}
}
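Review bot: The `org.roller.pojos.WebsiteData` import added in the previous hunk is not referenced anywhere in the rewritten body — `rreq.getWebsite()` is passed straight into `WeblogQueryPageModel` — so it is an unused import unless another part of the file uses it. `rses.isUserAuthorized(rreq.getWebsite())` dereferences `rses` without a null check, as in the other actions in this commit; whether `getRollerSession` can return null is not visible here. The moved line `form.getStatus().equals("ALL")` still throws NullPointerException when the status parameter is absent; `"ALL".equals(form.getStatus())` gives the same result for every non-null value and yields `null` status (all entries) for the missing case. `wmgr` is assigned on the new side but never used in the visible body.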
Modified:
incubator/roller/trunk/src/org/roller/presentation/website/actions/InviteMemberAction.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/website/actions/InviteMemberAction.java?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/website/actions/InviteMemberAction.java
(original)
+++
incubator/roller/trunk/src/org/roller/presentation/website/actions/InviteMemberAction.java
Thu Jan 12 10:30:07 2006
@@ -35,6 +35,7 @@
import org.roller.presentation.BasePageModel;
import org.roller.presentation.RollerContext;
import org.roller.presentation.RollerRequest;
+import org.roller.presentation.RollerSession;
import org.roller.presentation.website.formbeans.InviteMemberForm;
import org.roller.util.MailUtil;
@@ -80,22 +81,27 @@
ActionForm actionForm,
HttpServletRequest request,
HttpServletResponse response)
- throws IOException, ServletException
+ throws Exception
{
// if group blogging is disabled then you can't change permissions
if (!RollerConfig.getBooleanProperty("groupblogging.enabled")) {
return mapping.findForward("access-denied");
}
-
- ActionForward forward = mapping.findForward("inviteMember.page");
-
+
BasePageModel pageModel = new BasePageModel(
- "inviteMember.title", request, response, mapping);
- request.setAttribute("model", pageModel);
+ "inviteMember.title", request, response, mapping);
+ RollerSession rses = RollerSession.getRollerSession(request);
- InviteMemberForm form = (InviteMemberForm)actionForm;
- form.setWebsiteId(pageModel.getWebsite().getId());
- return forward;
+ // Ensure use has admin perms for this weblog
+ if (pageModel.getWebsite() != null &&
rses.isUserAuthorizedToAdmin(pageModel.getWebsite())) {
+ request.setAttribute("model", pageModel);
+ InviteMemberForm form = (InviteMemberForm)actionForm;
+ form.setWebsiteId(pageModel.getWebsite().getId());
+ ActionForward forward = mapping.findForward("inviteMember.page");
+ return forward;
+ } else {
+ return mapping.findForward("access-denied");
+ }
}
public ActionForward send(
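Review bot: The signature now declares `throws Exception` in place of `throws IOException, ServletException`, which is wider than anything the visible body needs and hides from callers which failures to expect; if `RollerSession.getRollerSession` or `isUserAuthorizedToAdmin` throws `RollerException`, naming it — `throws IOException, ServletException, RollerException` — keeps the clause precise. `rses.isUserAuthorizedToAdmin(pageModel.getWebsite())` dereferences `rses` without a null check; confirm `getRollerSession` cannot return null on an unauthenticated request, or add `rses != null &&`. Note that this hunk moves `request.setAttribute("model", pageModel)` inside the authorized branch, while the equivalent check added to MemberPermissionsAction.execute in this commit leaves the model attribute set before the check; the two should agree.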
@@ -117,55 +123,66 @@
UserManager umgr = RollerFactory.getRoller().getUserManager();
UserData user = umgr.getUser(form.getUserName());
- if (user == null)
- {
- errors.add(ActionErrors.GLOBAL_ERROR,
- new ActionError("inviteMember.error.userNotFound"));
- }
- else
- {
- RollerRequest rreq = RollerRequest.getRollerRequest(request);
- WebsiteData website = rreq.getWebsite();
- PermissionsData perms = umgr.getPermissions(website, user);
- if (perms != null && perms.isPending())
- {
- errors.add(ActionErrors.GLOBAL_ERROR,
- new ActionError("inviteMember.error.userAlreadyInvited"));
- request.setAttribute("model", new BasePageModel(
- "inviteMember.title", request, response, mapping));
- }
- else if (perms != null)
+ BasePageModel pageModel = new BasePageModel(
+ "inviteMember.title", request, response, mapping);
+ RollerSession rses = RollerSession.getRollerSession(request);
+
+ // Ensure use has admin perms for this weblog
+ if (pageModel.getWebsite() != null &&
rses.isUserAuthorizedToAdmin(pageModel.getWebsite())) {
+
+ if (user == null)
{
errors.add(ActionErrors.GLOBAL_ERROR,
- new ActionError("inviteMember.error.userAlreadyMember"));
- request.setAttribute("model", new BasePageModel(
- "inviteMember.title", request, response, mapping));
+ new ActionError("inviteMember.error.userNotFound"));
}
- else
+ else
{
- String mask = request.getParameter("permissionsMask");
- umgr.inviteUser(website, user, Short.parseShort(mask));
- request.setAttribute("user", user);
- try
+ RollerRequest rreq = RollerRequest.getRollerRequest(request);
+ WebsiteData website = rreq.getWebsite();
+ PermissionsData perms = umgr.getPermissions(website, user);
+ if (perms != null && perms.isPending())
{
- notifyInvitee(request, website, user);
+ errors.add(ActionErrors.GLOBAL_ERROR,
+ new
ActionError("inviteMember.error.userAlreadyInvited"));
+ request.setAttribute("model", new BasePageModel(
+ "inviteMember.title", request, response, mapping));
}
- catch (RollerException e)
+ else if (perms != null)
{
errors.add(ActionErrors.GLOBAL_ERROR,
- new ActionError("error.untranslated",
e.getMessage()));
- }
- msgs.add(ActionMessages.GLOBAL_MESSAGE,
- new ActionMessage("inviteMember.userInvited"));
-
- request.setAttribute("model", new BasePageModel(
- "inviteMemberDone.title", request, response, mapping));
-
- forward = mapping.findForward("memberPermissions");
+ new
ActionError("inviteMember.error.userAlreadyMember"));
+ request.setAttribute("model", new BasePageModel(
+ "inviteMember.title", request, response, mapping));
+ }
+ else
+ {
+ String mask = request.getParameter("permissionsMask");
+ umgr.inviteUser(website, user, Short.parseShort(mask));
+ request.setAttribute("user", user);
+ try
+ {
+ notifyInvitee(request, website, user);
+ }
+ catch (RollerException e)
+ {
+ errors.add(ActionErrors.GLOBAL_ERROR,
+ new ActionError("error.untranslated",
e.getMessage()));
+ }
+ msgs.add(ActionMessages.GLOBAL_MESSAGE,
+ new ActionMessage("inviteMember.userInvited"));
+
+ request.setAttribute("model", new BasePageModel(
+ "inviteMemberDone.title", request, response, mapping));
+
+ forward = mapping.findForward("memberPermissions");
+ }
}
+ saveErrors(request, errors);
+ saveMessages(request, msgs);
+
+ } else {
+ return mapping.findForward("access-denied");
}
- saveErrors(request, errors);
- saveMessages(request, msgs);
return forward;
}
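Review bot: The new authorization check tests `pageModel.getWebsite()`, but the invitation a few lines later is issued against `website = rreq.getWebsite()`, obtained separately from `RollerRequest`; if those two lookups can ever resolve to different weblogs, the check guards one while `umgr.inviteUser(website, user, ...)` acts on another. Using a single value for both — `WebsiteData website = pageModel.getWebsite();` and passing that to `umgr.getPermissions` and `umgr.inviteUser` — removes the question. Separately, `Short.parseShort(mask)` on the raw `permissionsMask` parameter still throws NumberFormatException for a non-numeric value and accepts any short rather than the few mask values the form offers; presumably those are the radio values in InviteMember.jsp, so validating against them and reporting an ActionError would be cleaner than an unhandled exception. `forward` is declared before the hunk starts.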
Modified:
incubator/roller/trunk/src/org/roller/presentation/website/actions/MemberPermissionsAction.java
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/src/org/roller/presentation/website/actions/MemberPermissionsAction.java?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
---
incubator/roller/trunk/src/org/roller/presentation/website/actions/MemberPermissionsAction.java
(original)
+++
incubator/roller/trunk/src/org/roller/presentation/website/actions/MemberPermissionsAction.java
Thu Jan 12 10:30:07 2006
@@ -85,11 +85,17 @@
MemberPermissionsPageModel pageModel =
new MemberPermissionsPageModel(request, response, mapping);
request.setAttribute("model", pageModel);
+ RollerSession rses = RollerSession.getRollerSession(request);
- MemberPermissionsForm form = (MemberPermissionsForm)actionForm;
- form.setWebsiteId(pageModel.getWebsite().getId());
- ActionForward forward = mapping.findForward("memberPermissions.page");
- return forward;
+ // Ensure use has admin perms for this weblog
+ if (pageModel.getWebsite() != null &&
rses.isUserAuthorizedToAdmin(pageModel.getWebsite())) {
+ MemberPermissionsForm form = (MemberPermissionsForm)actionForm;
+ form.setWebsiteId(pageModel.getWebsite().getId());
+ ActionForward forward =
mapping.findForward("memberPermissions.page");
+ return forward;
+ } else {
+ return mapping.findForward("access-denied");
+ }
}
public ActionForward save(
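Review bot: `request.setAttribute("model", pageModel)` on the context line just above the new `rses` line still runs before the authorization check, so the page model is attached to the request even when the method forwards to `access-denied`; InviteMemberAction.execute in this same commit moves that call inside the authorized branch, and doing the same here keeps the two actions consistent. `rses.isUserAuthorizedToAdmin(pageModel.getWebsite())` dereferences `rses` without a null check, as elsewhere in the commit; confirm `getRollerSession` cannot return null or guard it. The method signature is outside the hunk.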
@@ -101,64 +107,70 @@
{
ActionErrors errors = new ActionErrors();
ActionMessages msgs = new ActionMessages();
-
+ RollerSession rses = RollerSession.getRollerSession(request);
MemberPermissionsPageModel model =
new MemberPermissionsPageModel(request, response, mapping);
- Iterator iter = model.getPermissions().iterator();
- int removed = 0;
- int changed = 0;
- while (iter.hasNext())
- {
- PermissionsData perms = (PermissionsData)iter.next();
- String sval = request.getParameter("perm-" + perms.getId());
- if (sval != null)
+ // Ensure use has admin perms for this weblog
+ if (model.getWebsite() != null &&
rses.isUserAuthorizedToAdmin(model.getWebsite())) {
+
+ Iterator iter = model.getPermissions().iterator();
+ int removed = 0;
+ int changed = 0;
+ while (iter.hasNext())
{
- short val = Short.parseShort(sval);
- RollerSession rses = RollerSession.getRollerSession(request);
- UserData user = rses.getAuthenticatedUser();
- if (perms.getUser().getId().equals(user.getId())
- && val < perms.getPermissionMask())
- {
- errors.add(null,new ActionError(
- "memberPermissions.noSelfDemotions"));
- }
- else if (val != perms.getPermissionMask())
+ PermissionsData perms = (PermissionsData)iter.next();
+ String sval = request.getParameter("perm-" + perms.getId());
+ if (sval != null)
{
- if (val == -1)
+ short val = Short.parseShort(sval);
+ UserData user = rses.getAuthenticatedUser();
+ if (perms.getUser().getId().equals(user.getId())
+ && val < perms.getPermissionMask())
{
- perms.remove();
- removed++;
+ errors.add(null,new ActionError(
+ "memberPermissions.noSelfDemotions"));
}
- else
+ else if (val != perms.getPermissionMask())
{
- perms.setPermissionMask(val);
- changed++;
+ if (val == -1)
+ {
+ perms.remove();
+ removed++;
+ }
+ else
+ {
+ perms.setPermissionMask(val);
+ changed++;
+ }
}
}
}
+ if (removed > 0 || changed > 0)
+ {
+ RollerFactory.getRoller().commit();
+ }
+ if (removed > 0)
+ {
+ msgs.add(null,new ActionMessage(
+ "memberPermissions.membersRemoved", new Integer(removed)));
+ }
+ if (changed > 0)
+ {
+ msgs.add(null,new ActionMessage(
+ "memberPermissions.membersChanged", new Integer(changed)));
+ }
+ saveErrors(request, errors);
+ saveMessages(request, msgs);
+ MemberPermissionsPageModel updatedModel =
+ new MemberPermissionsPageModel(request, response, mapping);
+ request.setAttribute("model", updatedModel);
+ ActionForward forward =
mapping.findForward("memberPermissions.page");
+ return forward;
+
+ } else {
+ return mapping.findForward("access-denied");
}
- if (removed > 0 || changed > 0)
- {
- RollerFactory.getRoller().commit();
- }
- if (removed > 0)
- {
- msgs.add(null,new ActionMessage(
- "memberPermissions.membersRemoved", new Integer(removed)));
- }
- if (changed > 0)
- {
- msgs.add(null,new ActionMessage(
- "memberPermissions.membersChanged", new Integer(changed)));
- }
- saveErrors(request, errors);
- saveMessages(request, msgs);
- MemberPermissionsPageModel updatedModel =
- new MemberPermissionsPageModel(request, response, mapping);
- request.setAttribute("model", updatedModel);
- ActionForward forward = mapping.findForward("memberPermissions.page");
- return forward;
}
public static class MemberPermissionsPageModel extends BasePageModel
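Review bot: `Short.parseShort(sval)` on each `perm-<id>` parameter inside the loop is still unguarded, so one non-numeric value aborts the whole save with a NumberFormatException after `perms.remove()` or `perms.setPermissionMask(val)` may already have run for earlier entries; whether those partial changes are discarded depends on what `RollerFactory.getRoller().commit()` being skipped means here, which is not visible in the hunk. Parsing and validating every value before the first mutation, or catching NumberFormatException per entry and adding an ActionError, would keep the update atomic from the user's point of view. `rses` is dereferenced without a null check, as in the other hunks of this commit. The method signature is outside the hunk.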
Modified: incubator/roller/trunk/web/website/InviteMember.jsp
URL:
http://svn.apache.org/viewcvs/incubator/roller/trunk/web/website/InviteMember.jsp?rev=368440&r1=368439&r2=368440&view=diff
==============================================================================
--- incubator/roller/trunk/web/website/InviteMember.jsp (original)
+++ incubator/roller/trunk/web/website/InviteMember.jsp Thu Jan 12 10:30:07 2006
@@ -33,7 +33,7 @@
</div>
</div>
- <div class="permissionsMask">
+ <div style="clear:left">
<label for="userName" class="formrow" />
<fmt:message key="inviteMember.permissions" /></label>
<input type="radio" name="permissionsMask" value="3" />
@@ -42,8 +42,8 @@
<fmt:message key="inviteMember.author" />
<input type="radio" name="permissionsMask" value="0" />
<fmt:message key="inviteMember.limited" />
- </div>
-
+ </div>
+
<br />
<input type="submit" value='<fmt:message key="inviteMember.button.save"
/>'></input>
<input type="button" value='<fmt:message key="application.cancel" />'
onclick="cancel()"></input>