This is an automated email from the git hooks/post-receive script. New commit to branch develop in repository pollen. See http://git.chorem.org/pollen.git commit 0f7ad3cc21773e491158bda5320fb5cdce7dd632 Author: Adrien Garandel <a.garandel@dralagen.fr> Date: Thu Jun 26 12:05:22 2014 +0200 fix security comment --- .../pollen/services/service/CommentService.java | 2 +- pollen-ui-angular/src/main/webapp/js/app.js | 9 +- .../src/main/webapp/js/controllers/pollCtrl.js | 105 +++++++++++---------- .../src/main/webapp/partials/poll-comment.html | 4 +- 4 files changed, 62 insertions(+), 58 deletions(-)
diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/CommentService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/CommentService.java
index 1141b41..fd1a7f2 100644
--- a/pollen-services/src/main/java/org/chorem/pollen/services/service/CommentService.java
+++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/CommentService.java
@@ -46,7 +46,7 @@ public class CommentService extends PollenServiceSupport {
 private Function<CommentBean, CommentBean> commentFunction = new Function<CommentBean, CommentBean>() {
 @Override
 public CommentBean apply(CommentBean input) {
- if (isNotPermitted(PermissionVerb.readComment, input.getEntityId())) {
+ if (isNotPermitted(PermissionVerb.editComment, input.getEntityId())) {
 input.setPermission(null);
 }
 return input;
diff --git a/pollen-ui-angular/src/main/webapp/js/app.js b/pollen-ui-angular/src/main/webapp/js/app.js
index 00bbfe7..a8bf214 100644
--- a/pollen-ui-angular/src/main/webapp/js/app.js
+++ b/pollen-ui-angular/src/main/webapp/js/app.js
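Review bot: The changed condition `isNotPermitted(PermissionVerb.editComment, input.getEntityId())` is the only point where the comment's permission token is blanked before the bean leaves the service, yet nothing in the hunk records that the field is an edit credential which readers must not receive. Add above the `if`: `// the permission field is the comment's edit token: blank it unless the caller may edit this comment`. Whether every path that returns a CommentBean goes through `commentFunction` cannot be seen here, since the class continues outside the hunk; it is worth confirming no other read path returns the bean unfiltered.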
@@ -57,16 +57,17 @@ angular.module('pollen', ['pollenDirective', 'pollenServices', 'ngRoute', 'pollC
 .config(['$routeProvider', function($routeProvider) {
 $routeProvider.when('/', {templateUrl: './partials/home.html', controller: "HomeCtrl"})
- .when('/poll/home/:pollId', {templateUrl: './partials/poll.html', controller: "PollCtrl"})
+ .when('/poll/home/:pollId/:pollToken?', {templateUrl: './partials/poll.html', controller: "PollCtrl"})
 .when('/poll/create/:tab?', {templateUrl: './partials/poll.html', controller: "PollCreateCtrl"})
- .when('/poll/edit/:pollId/:token?/:tab?', {templateUrl: './partials/poll.html', controller:"PollEditCtrl"})
- .when('/poll/vote/:pollId/:token?', {templateUrl: './partials/poll.html', controller :"PollVoteCtrl"})
+ .when('/poll/edit/:pollId/:pollToken?/:tab?', {templateUrl: './partials/poll.html', controller:"PollEditCtrl"})
+ .when('/poll/vote/:pollId/:voteToken?', {templateUrl: './partials/poll.html', controller :"PollVoteCtrl"})
 .when('/poll/result/:pollId/:token?', {templateUrl: './partials/poll.html', controller :"PollResultCtrl"})
- .when('/poll/comment/:pollId/:token?', {templateUrl: './partials/poll.html', controller :"PollCommentCtrl"})
+ .when('/poll/comment/:pollId/:commentToken?', {templateUrl: './partials/poll.html', controller :"PollCommentCtrl"})
 .when('/poll/list/:cmd?', {templateUrl: './partials/poll-list.html', controller :"PollListCtrl"})
 .when('/user/register', {templateUrl: './partials/user-register.html', controller:"UserRegisterCtrl"})
 .when('/user/edit', {templateUrl: './partials/user-edit.html', controller:"UserEditCtrl"})
 .when('/user/lostpassword', {templateUrl: './partials/user-lostPassword.html', controller:"UserLostPasswordCtrl"})
+ .when('/user/:userId/:token', {templateUrl: './partials/user-lostPassword.html', controller:"UserLostPasswordCtrl"})
 .when('/favoriteList', {templateUrl: './partials/favoriteList-list.html', controller:"FavoriteListCtrl"})
 .when('/favoriteList/new', {templateUrl: './partials/favoriteList-edit.html', controller:"FavoriteListEditCtrl"})
 .when('/favoriteList/:favoriteListId', {templateUrl: './partials/favoriteList-edit.html', controller:"FavoriteListEditCtrl"})
diff --git a/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js b/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js
index a3e0eda..1283f6d 100644
--- a/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js
+++ b/pollen-ui-angular/src/main/webapp/js/controllers/pollCtrl.js
@@ -59,22 +59,19 @@ angular.module('pollControllers', [])
 * Sauvegarde du token si non connecté */
 $scope.session = SessionStorage.get();
- if (angular.isUndefined($routeParams.token) && angular.isUndefined($scope.session.id)) { // pas de paramètre url et non connecté
- if (angular.isDefined($scope.session.permission) && $scope.session.permission != '') { // existe une permission
- $scope.globalVariables.permission = $scope.session.permission;
- }
- else if ($scope.session.permission == '') {
- SessionStorage.remove('permission');
+ if (angular.isUndefined($routeParams.pollToken) && angular.isUndefined($scope.session.id)) { // pas de paramètre url et non connecté
+ if (angular.isDefined($scope.session.pollToken) && $scope.session.pollToken != '') { // existe une permission
+ $scope.globalVariables.pollToken = $scope.session.pollToken;
 }
 }
 else if (angular.isDefined($scope.session.id)) { // connecté
- if (angular.isDefined($scope.session.permission)) { // connecté => pas besoin de permission
- SessionStorage.remove('permission');
+ if (angular.isDefined($scope.session.pollToken)) { // connecté => pas besoin de permission
+ SessionStorage.remove('pollToken');
 }
 }
 else { //token dans l'URL
- SessionStorage.save({permission:$routeParams.token});
- $scope.globalVariables.permission = $routeParams.token;
+ SessionStorage.save({pollToken:$routeParams.pollToken});
+ $scope.globalVariables.pollToken = $routeParams.pollToken;
 }
 }
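Review bot: `/poll/result/:pollId/:token?` keeps the generic `:token` name while the sibling routes were renamed to `pollToken`, `voteToken` and `commentToken`, and the controllers now read those specific names from `$routeParams`, so a result page only ever sees `$routeParams.token`. Either rename it consistently, `.when('/poll/result/:pollId/:pollToken?', {templateUrl: './partials/poll.html', controller :"PollResultCtrl"})`, or, if the result page is meant to stop taking a token (the pollCtrl hunk no longer appends one to `linkResult`), drop the optional segment and say so in a comment. The new `/user/:userId/:token` route carries the lost-password token in the path, where it is kept in browser history and bookmarks; it is declared after the literal `/user/...` routes, so it does not shadow them.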
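Review bot: The `else if ($scope.session.permission == '')` branch that purged a stale empty token from session storage was dropped in the rewrite, so an empty `pollToken` saved earlier now stays in sessionStorage indefinitely and is merely skipped on each visit instead of being cleaned up. Restore it for the new key after the inner `if`: `else if ($scope.session.pollToken == '') { SessionStorage.remove('pollToken'); }`. The French comments still describe the old field (`// existe une permission`); `// existe un pollToken en session` matches what the condition now tests. The enclosing controller function starts before the hunk.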
@@ -88,16 +85,16 @@ angular.module('pollControllers', []) if (angular.isDefined($routeParams.pollId)) { var pollDeferred = $q.defer(); $scope.pollDeferred = pollDeferred; - Poll.get({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, function (poll) { + Poll.get({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}, function (poll) { $scope.data.poll = poll; - $scope.globalVariables.permission = poll.permission; + $scope.globalVariables.pollToken = poll.permission; pollDeferred.resolve('read-write poll'); }, function (error) { Poll.get({pollId:$routeParams.pollId}, function (poll) { $scope.data.poll = poll; // clean permission - SessionStorage.remove('permission'); - delete $scope.globalVariables.permission; + SessionStorage.remove('pollToken'); + delete $scope.globalVariables.pollToken; pollDeferred.resolve('read-only poll') }, function (error) { @@ -118,9 +115,9 @@ angular.module('pollControllers', []) $scope.globalVariables.linkEdit += '#/poll/edit/'+$routeParams.pollId; $scope.globalVariables.linkResult += '#/poll/result/'+$routeParams.pollId; - if (angular.isDefined($scope.globalVariables.permission)) { - $scope.globalVariables.linkEdit += '/'+$scope.globalVariables.permission; - $scope.globalVariables.linkResult += '/'+$scope.globalVariables.permission; + if (angular.isDefined($scope.globalVariables.pollToken)) { + $scope.globalVariables.linkHome += '/'+$scope.globalVariables.pollToken; + $scope.globalVariables.linkEdit += '/'+$scope.globalVariables.pollToken; $scope.globalVariables.linkConf = $scope.globalVariables.linkEdit+'/conf'; $scope.globalVariables.linkParticipant = $scope.globalVariables.linkEdit+'/participant'; } 
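Review bot: In the `-118` hunk `linkHome` now receives the poll token while `linkResult` no longer does, which reverses the previous behaviour for result links without any comment saying why. Since the same `pollToken` is what `Poll.get` returned as `poll.permission` for a read-write load and what the edit/conf/participant links carry, it presumably grants write access; if the home link is the one shown to voters for sharing, it now hands them that token, so confirm it is only rendered for the owner, or keep a separate share link without it. A comment on the `if` would prevent the next regression: `// owner links only: pollToken grants read-write access, keep it off links handed to voters`. The enclosing function starts before the hunk.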
@@ -191,8 +188,9 @@ angular.module('pollControllers', []) } } + $timeout(function () { $scope.$watch('data.poll.voteCountingType', function (newVal, oldVal) { - if ((newVal == 1 || oldVal == 1) && newVal != oldVal) { + if (angular.isDefined(oldVal) && (newVal == 1 || oldVal == 1) && newVal != oldVal) { console.log('vote Change'); angular.forEach($scope.data.votants, function(votant, key) { angular.forEach(votant.choice, function (choice) { @@ -202,6 +200,7 @@ angular.module('pollControllers', []) }); } }) + }); $scope.voteCountingIsBoolean = function () { if (angular.isDefined($scope.data.poll) && angular.isDefined($scope.data.poll.voteCountingType)) { @@ -435,7 +434,7 @@ angular.module('pollControllers', []) //////////////////////////////// $scope.callBackAddChoice = function (choice) { - PollChoice.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, choice, function (data) { + PollChoice.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}, choice, function (data) { delete choice.restError; choice.id = data.id; $rootScope.$broadcast('newSuccess', 'poll.saved'); @@ -445,7 +444,7 @@ angular.module('pollControllers', []) } $scope.callBackEditChoice = function (choice) { - PollChoice.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, choice, function() { + PollChoice.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}, choice, function() { delete choice.restError; $rootScope.$broadcast('newSuccess', 'poll.saved'); }, function (error) { 
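Review bot: `$timeout` is used in the first hunk but PollCtrl's dependency list is outside it, so make sure `'$timeout'` is injected; if it is not, this throws at controller construction, and the closing `});` added in the `-202` hunk belongs to the same change. Deferring the `$watch` registration and adding `angular.isDefined(oldVal)` both appear to exist to skip the initial assignment of `data.poll.voteCountingType`; a comment should say which one is actually needed, e.g. `// defer watch registration so the initial poll load is not treated as a change`. The `console.log('vote Change')` inside the handler is debug output left in production code.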
@@ -454,7 +453,7 @@ angular.module('pollControllers', []) } $scope.deleteChoice = function (choice) { - PollChoice.remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, choiceId: choice.id}, function () { + PollChoice.remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, choiceId: choice.id}, function () { $rootScope.$broadcast('newSuccess', 'poll.saved'); var index = $scope.data.choices.indexOf(choice); if (index > -1) { @@ -493,11 +492,11 @@ angular.module('pollControllers', []) }); SessionStorage.remove('voterList'); } else { - PollVoterList.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, function (voterList) { + PollVoterList.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}, function (voterList) { if (voterList.length > 0) { $scope.data.voterList = []; angular.forEach(voterList, function (list) { - PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId: list.id}, function (voterListMember) { + PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId: list.id}, function (voterListMember) { var newVoterList = {group:list, members:voterListMember}; $scope.data.voterList.push(newVoterList); }) 
@@ -539,10 +538,10 @@ angular.module('pollControllers', []) pollVoterListPromise.then(function (data) { $scope.data.favoriteListImport = null; - PollVoterList.get({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId: data.id}, + PollVoterList.get({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId: data.id}, function (vl) { voterList.group = vl; - PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId: vl.id}, + PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId: vl.id}, function(members) { voterList.members = members; } @@ -554,7 +553,7 @@ angular.module('pollControllers', []) $scope.saveVoterList = function (voterList) { if (angular.isDefined(voterList.group.id)) { - PollVoterList.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId:voterList.group.id}, voterList.group, function (data) { + PollVoterList.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId:voterList.group.id}, voterList.group, function (data) { $rootScope.$broadcast('newSuccess', 'poll.saved'); delete voterList.group.restError; }, function (error) { 
@@ -573,13 +572,13 @@ angular.module('pollControllers', []) } }); if (vl.members.length > 0) { - PollVoterList.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, vl, function (data) { + PollVoterList.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}, vl, function (data) { $rootScope.$broadcast('newSuccess', 'poll.saved'); voterList.group.id = data.id; delete voterList.group.restError; // Get member Id - PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId: data.id}, + PollVoterListMember.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId: data.id}, function (voterListMember) { angular.forEach(voterListMember, function(member, key) { for (var i = 0; i < voterList.members.length; i++) { @@ -626,9 +625,9 @@ angular.module('pollControllers', []) var vlMemberPromise; if (angular.isDefined(vlId)) { if (angular.isDefined(member.id)) { - vlMemberPromise = PollVoterListMember.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId:vlId}, member).$promise; + vlMemberPromise = PollVoterListMember.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId:vlId}, member).$promise; } else { - vlMemberPromise = PollVoterListMember.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId:vlId}, member).$promise; + vlMemberPromise = PollVoterListMember.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId:vlId}, member).$promise; } vlMemberPromise.then(function (data) { 
@@ -656,7 +655,7 @@ angular.module('pollControllers', []) }).then( function () { var confirmDelete = confirm(confirmMessage); if (confirmDelete == true) { - PollVoterList.remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId:voterList.group.id}, function (data) { + PollVoterList.remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId:voterList.group.id}, function (data) { var index = $scope.data.voterList.indexOf(voterList); $scope.data.voterList.splice(index, 1); if ($scope.data.voterList.length == 0 && $scope.data.poll.pollType == 'RESTRICTED') { @@ -683,7 +682,7 @@ angular.module('pollControllers', []) }).then( function () { var confirmDelete = confirm(confirmMessage); if (confirmDelete == true) { - member.$remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, voterListId:voterList.group.id}, function (data) { + member.$remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken, voterListId:voterList.group.id}, function (data) { var index = voterList.members.indexOf(member); voterList.members.splice(index, 1); }); @@ -703,7 +702,7 @@ angular.module('pollControllers', []) var initPoll = function () { initVoterList(); - PollChoice.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}).$promise.then(function (choices) { + PollChoice.query({pollId:$routeParams.pollId, permission:$scope.globalVariables.pollToken}).$promise.then(function (choices) { $scope.data.choices = choices; $scope.data.vote = {}; $scope.data.vote.choice = $scope.data.choices; @@ -729,7 +728,7 @@ angular.module('pollControllers', []) $scope.pollDeferred.promise.then(function () { if (angular.isDefined($scope.data.poll.permission)) { initPoll(); - delete $scope.pollDeferred; + $scope.pollDeferred.resolve('poll load'); } else { $location.path('/'); } 
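Review bot: In the `-729` hunk, `$scope.pollDeferred.resolve('poll load')` runs inside `$scope.pollDeferred.promise.then(...)`, i.e. after the deferred has already settled, so in `$q` the call is a no-op. If the intent is only to stop deleting `pollDeferred` because PollVoteCtrl now waits on `$scope.pollDeferred.promise`, replacing the old `delete` line with a comment says that directly: `// keep pollDeferred on the scope: PollVoteCtrl waits on its promise`. The enclosing callback starts before the hunk.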
@@ -753,7 +752,7 @@ angular.module('pollControllers', []) $scope.data.poll.endDate = $scope.data.poll.endDate.getTime(); } - $scope.data.poll.$update({permission:$scope.globalVariables.permission}, function (data) { + $scope.data.poll.$update({permission:$scope.globalVariables.pollToken}, function (data) { $rootScope.$broadcast('newSuccess', 'poll.saved'); }, function (error) { angular.extend($scope.restError, error.data); @@ -767,7 +766,7 @@ angular.module('pollControllers', []) }).then( function () { var confirmDelete = confirm(confirmMessage); if (confirmDelete == true) { - $scope.data.poll.$remove({permission:$scope.globalVariables.permission}, function() { + $scope.data.poll.$remove({permission:$scope.globalVariables.pollToken}, function() { $rootScope.$broadcast('newSuccess', 'poll.deleted'); $location.path('/'); }); @@ -783,13 +782,12 @@ angular.module('pollControllers', []) $scope.tab = $scope.setTab('vote'); var initPoll = function () { - PollChoice.query({pollId:$routeParams.pollId}, function (choices) { + var pollChoicePromise = PollChoice.query({pollId:$routeParams.pollId}, function (choices) { $scope.data.choices = choices; - initVote(); - }); + }).$promise; - PollVote.query({pollId:$routeParams.pollId}, function (votes) { + PollVote.query({pollId:$routeParams.pollId, permission:$routeParams.voteToken}, function (votes) { $scope.data.votants = votes; angular.forEach($scope.data.votants, function (vote) { angular.forEach(vote.choice, function (choice) { @@ -805,6 +803,8 @@ angular.module('pollControllers', []) }) }) }); + + $q.all([$scope.pollDeferred.promise, pollChoicePromise]).then(function() { initVote(); }); } initPoll(); @@ -841,7 +841,7 @@ angular.module('pollControllers', []) var sendVote = angular.copy($scope.data.vote); if ($scope.voteCountingIsBoolean()) { angular.forEach(sendVote.choice, function (choice) { - choice.voteValue = (choice.voteValue) ? 1.0 : 0.0; + choice.voteValue = $scope.getChoiceValue(choice.voteValue); }); } 
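Review bot: In the new `initPoll` of PollVoteCtrl, `pollChoicePromise` has no rejection path: `PollChoice.query` is called with only a success callback, so if that request fails `$q.all([...])` rejects and `initVote` silently never runs, leaving the vote form uninitialised with nothing reported. Add a rejection callback to the `$q.all(...).then(...)` in the `-805` hunk, e.g. `.then(function () { initVote(); }, function (error) { /* report as the other error callbacks in this file do */ });`. `$q` and `$scope.getChoiceValue` (used in the `-841` hunk) are both defined outside these hunks, so confirm `$q` is in PollVoteCtrl's dependency list and that `getChoiceValue` exists on the scope. The enclosing controller function starts before the hunk.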
@@ -903,10 +903,14 @@ angular.module('pollControllers', [])
 }])
 .controller('PollCommentCtrl',
- ['$scope', '$rootScope', '$controller', '$routeParams', 'Poll', 'PollComment', '$translate',
- function ( $scope, $rootScope, $controller, $routeParams, Poll, PollComment, $translate) {
+ ['$scope', '$rootScope', '$controller', '$routeParams', 'Poll', 'PollComment', '$translate', '$location',
+ function ( $scope, $rootScope, $controller, $routeParams, Poll, PollComment, $translate, $location) {
 $controller('PollCtrl', {$scope:$scope});
+ if (angular.isDefined($routeParams.commentToken)) {
+ $scope.commentToken = $routeParams.commentToken;
+ }
+
 $scope.tab = $scope.setTab('comment');
 $scope.globalVariables.commentMode = true;
@@ -950,7 +954,7 @@ angular.module('pollControllers', [])
 }
 var initComments = function () {
- var commentPromise = PollComment.get({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, paginationParameter:paginationParameter}, function (data) {
+ var commentPromise = PollComment.get({pollId:$routeParams.pollId, permission:$scope.commentToken, paginationParameter:paginationParameter}, function (data) {
 $scope.data.comments = data.elements;
 $scope.data.commentsPagination = data.pagination;
 }).$promise;
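Review bot: `$scope.commentToken` is only assigned when the route carries `commentToken`, so on a plain visit `initComments` in the `-950` hunk passes `permission: undefined` to `PollComment.get`; ngResource drops undefined params, so that works, but nothing documents that undefined means "read-only listing". Put a comment on the assignment: `// commentToken: per-comment edit token taken from the URL (set after posting); undefined = read-only`. Moving the token from the comment object into the route path also makes it visible in the address bar, history and bookmarks, which is presumably accepted since the new route exists for exactly that, but worth stating next to the route definition.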
@@ -971,18 +975,17 @@ angular.module('pollControllers', [])
 var commentPromise
 if (angular.isDefined($scope.comment.id)) { // edit
- commentPromise = PollComment.update({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, $scope.comment, function (data) {
+ commentPromise = PollComment.update({pollId:$routeParams.pollId}, $scope.comment, function (data) {
 paginationParameter.pageNumber = $scope.comment.page;
 initComments();
 initAuthor();
 }).$promise;
 } else { //Add
- commentPromise = PollComment.add({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission}, $scope.comment, function (data) {
- // add ID and Permission and push in list of comments
- $scope.comment.id = data.id;
- $scope.comment.permission = data.permission;
- $scope.comment.postDate = new Date();
+ commentPromise = PollComment.add({pollId:$routeParams.pollId}, $scope.comment, function (data) {
+ // save Permission
+ $scope.commentToken = data.permission;
+ $location.url('/poll/comment/'+$routeParams.pollId+'/'+data.permission);
 // reload comments
 if ($scope.data.commentsPagination.desc) {
@@ -1034,7 +1037,7 @@ angular.module('pollControllers', [])
 delete $scope.comment.permission;
 }
- PollComment.remove({pollId:$routeParams.pollId, permission:$scope.globalVariables.permission, commentId:comment.id}, function (data) {
+ PollComment.remove({pollId:$routeParams.pollId, commentId:comment.id}, function (data) {
 // reload comments
 initComments().then(function () {
 // if no comment then change page if it's possible
diff --git a/pollen-ui-angular/src/main/webapp/partials/poll-comment.html b/pollen-ui-angular/src/main/webapp/partials/poll-comment.html
index ab8f2a1..6966b23 100644
--- a/pollen-ui-angular/src/main/webapp/partials/poll-comment.html
+++ b/pollen-ui-angular/src/main/webapp/partials/poll-comment.html
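Review bot: In the `-1034` hunk `PollComment.remove` now sends only `pollId` and `commentId` with no `permission` at all, whereas `PollComment.get` in this controller sends `$scope.commentToken`, so for an anonymous author whose only credential is the comment token the delete request carries nothing that identifies them as the author. Either the server authorises deletion from the logged-in session alone, in which case anonymous deletion cannot work, or it accepts the request without a token, in which case the comment id alone suffices to delete; confirm which, and if the token is required pass it as `get` does: `PollComment.remove({pollId:$routeParams.pollId, permission:$scope.commentToken, commentId:comment.id}, ...)`. In the add callback, `$location.url(...)` changes the route path, which re-instantiates PollCommentCtrl, so the `// reload comments` block that follows presumably runs on a controller about to be discarded — unless the route is configured not to reload, that work is redundant. The `update` call drops the token from the params too; if it now travels inside `$scope.comment` as `permission`, a comment saying so would help the reader.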
@@ -63,8 +63,8 @@
 <td>
 <span class="glyphicon glyphicon-user"></span>{{comment.authorName}}<br/>
 <span class="glyphicon glyphicon-calendar"></span>{{comment.postDate | date:globalVariables.dateFormat}}<br/>
- <a class="fakeLink" ng-click="editPost(comment)"><span class="glyphicon glyphicon-pencil" ng-show="comment.id"></span></a>
- <a class="fakeLink" ng-click="deletePost(comment)"><span class="glyphicon glyphicon-trash danger" ng-show="comment.id"></span></a>
+ <a class="fakeLink" ng-click="editPost(comment)" ng-if="comment.permission"><span class="glyphicon glyphicon-pencil" ng-show="comment.id"></span></a>
+ <a class="fakeLink" ng-click="deletePost(comment)" ng-if="comment.permission"><span class="glyphicon glyphicon-trash danger" ng-show="comment.id"></span></a>
 </td>
 <td>
 <div ng-bind-html="toHTML(comment.text)"></div>
-- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
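Review bot: The new `ng-if="comment.permission"` on the anchors and the existing `ng-show="comment.id"` on the inner spans gate the same two links on two different fields with two different mechanisms (`ng-if` removes the element, `ng-show` hides it), so a comment that has a permission but no id still renders an empty clickable anchor. Combining them on the `<a>`, `ng-if="comment.id && comment.permission"`, and dropping the inner `ng-show` expresses the intent once. This template gate only reflects the server's decision to blank `permission` for readers (CommentService in this commit), which is the right place for the actual check.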