This is an automated email from the git hooks/post-receive script. New commit to branch develop in repository pollen. See https://gitlab.nuiton.org/chorem/pollen.git commit edaa1be60a722c89cd502c59f779e750f1bbde3b Author: Kevin Morin <morin@codelutin.com> Date: Tue Sep 26 16:13:50 2017 +0200 fixes #150 bouchage des trous de secu --- .../persistence/entity/UserCredentialTopiaDao.java | 6 +- .../pollen/rest/api/v1/PollenResourceApi.java | 16 ----- .../chorem/pollen/rest/api/v1/PollenUserApi.java | 19 +++--- .../chorem/pollen/rest/api/v1/VoterListApi.java | 13 ---- .../pollen/services/service/ChoiceService.java | 1 + .../services/service/FavoriteListService.java | 77 ++++++++-------------- .../chorem/pollen/services/service/GtuService.java | 7 +- .../pollen/services/service/PollService.java | 16 ++--- .../services/service/PollenResourceService.java | 19 +----- .../services/service/PollenServiceSupport.java | 5 ++ .../pollen/services/service/PollenUserService.java | 16 ++--- .../pollen/services/service/SocialAuthService.java | 26 ++------ .../services/service/VoteCountingService.java | 1 + .../pollen/services/service/PollServiceTest.java | 2 +- pollen-ui-riot-js/src/main/web/js/AuthService.js | 2 +- pollen-ui-riot-js/src/main/web/js/UserService.js | 27 ++++---- pollen-ui-riot-js/src/main/web/tag/Pollen.tag.html | 2 +- .../src/main/web/tag/UserProfile.tag.html | 4 +- 18 files changed, 87 insertions(+), 172 deletions(-) diff --git a/pollen-persistence/src/main/java/org/chorem/pollen/persistence/entity/UserCredentialTopiaDao.java b/pollen-persistence/src/main/java/org/chorem/pollen/persistence/entity/UserCredentialTopiaDao.java index 68302fed..33baa7d0 100644 --- a/pollen-persistence/src/main/java/org/chorem/pollen/persistence/entity/UserCredentialTopiaDao.java +++ b/pollen-persistence/src/main/java/org/chorem/pollen/persistence/entity/UserCredentialTopiaDao.java 
@@ -12,9 +12,9 @@ public class UserCredentialTopiaDao extends AbstractUserCredentialTopiaDao<UserC + " (credential." + UserCredential.PROPERTY_PROVIDER + " = :provider" + " AND credential." + UserCredential.PROPERTY_USER_ID + " = :credentialUserId)"; if (email != null) { - query += " OR (user." + PollenUser.PROPERTY_TOPIA_ID + " = :userTopiaId" - + " AND credential." + UserCredential.PROPERTY_EMAIL + " = :credentialEmail)" - + " OR user." + PollenUser.PROPERTY_EMAIL + " = :userEmail"; + query += " OR user." + PollenUser.PROPERTY_TOPIA_ID + " != :userTopiaId" + + " AND (credential." + UserCredential.PROPERTY_EMAIL + " = :credentialEmail" + + " OR user." + PollenUser.PROPERTY_EMAIL + " = :userEmail)"; } Map<String, Object> params = new HashMap<>(); diff --git a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenResourceApi.java b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenResourceApi.java index fd44cb39..5a1d251f 100644 --- a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenResourceApi.java +++ b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenResourceApi.java @@ -123,22 +123,6 @@ public class PollenResourceApi { } @Path("/resources/{resourceId}") - @POST - @Consumes(MediaType.MULTIPART_FORM_DATA) - public PollenEntityRef<PollenResource> editResource(@Context PollenResourceService pollenResourceService, - @PathParam("resourceId") PollenEntityId<PollenResource> resourceId, - MultipartFormDataInput input) throws InvalidFormException { - ResourceFileBean resourceBean = ApiUtils.multipartToResourceBean(input, "resource"); - - PollenEntityRef<PollenResource> createRef = pollenResourceService.editResource(resourceId.getEntityId(), resourceBean); - - resourceBean.getFile().delete(); - - return createRef; - - } - - @Path("/resources/{resourceId}") @DELETE public void deleteResource(@Context PollenResourceService pollenResourceService, @PathParam("resourceId") PollenEntityId<PollenResource> resourceId) { 
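Review bot: The rewritten clause relies on HQL precedence (AND binding tighter than OR) to read as `(provider AND credentialUserId) OR (topiaId != :userTopiaId AND (credentialEmail OR userEmail))`, and a reader cannot tell whether the bare `OR user.topiaId != :userTopiaId` was meant to be grouped with the parenthesised email test; I would make the grouping explicit by opening with `" OR (user." + PollenUser.PROPERTY_TOPIA_ID + " != :userTopiaId"` and closing with `" OR user." + PollenUser.PROPERTY_EMAIL + " = :userEmail))"`. Also, if `:userTopiaId` is ever bound to null (a user not yet persisted), `!=` against null is unknown in SQL and the email-collision branch silently matches nothing, so it is worth confirming that every caller passes a persisted id. The enclosing query-building method starts and ends outside the hunk.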
diff --git a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenUserApi.java b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenUserApi.java index 188b9ea7..130a8212 100644 --- a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenUserApi.java +++ b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/PollenUserApi.java @@ -73,11 +73,11 @@ public class PollenUserApi { return pollenUserService.getUsers(paginationParameter, search); } - @Path("/users/connected") + @Path("/user") @GET public PollenUserBean getConnectedUser(@Context PollenSecurityContext securityContext, @Context PollenUserService pollenUserService) { PollenUser pollenUser = securityContext.getPollenUser(); - Objects.requireNonNull(pollenUser,"Could not find connected user"); + Objects.requireNonNull(pollenUser, "Could not find connected user"); return pollenUserService.getUser(pollenUser.getTopiaId()); } @@ -123,20 +123,18 @@ public class PollenUserApi { pollenUserService.validateUserEmail(userId.getEntityId(), token); } - @Path("/users/{userId}/password") + @Path("/user/password") @PUT @POST public void changePassword(@Context PollenUserService pollenUserService, - @PathParam("userId") PollenEntityId<PollenUser> userId, ChangePasswordBean bean) throws InvalidFormException { - pollenUserService.changePassword(userId.getEntityId(), bean.getOldPassword(), bean.getNewPassword()); + pollenUserService.changePassword(bean.getOldPassword(), bean.getNewPassword()); } - @Path("/users/{userId}/credentials/{provider}") + @Path("/user/credentials/{provider}") @POST public String addUserCredential(@Context SocialAuthService socialAuthService, @Context HttpServletRequest request, - @PathParam("userId") PollenEntityId<PollenUser> userId, @PathParam("provider") String provider, String providerReturn) throws Exception { 
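Review bot: In getConnectedUser, `Objects.requireNonNull(pollenUser, "Could not find connected user")` turns an anonymous request to the new `/user` path into a NullPointerException, i.e. a 500, whereas the service layer signals the same condition as an unauthorized error (the PollServiceTest change in this commit now expects PollenUnauthorizedException). I would throw that same exception explicitly here — or delegate to the service guard if it is reachable from the API — so the client receives a 401-class response rather than a server error, and so the two layers agree on what "not connected" means.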
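Review bot: changePassword now takes its target from the session but still dereferences the request body unguarded: `bean.getOldPassword()` throws NullPointerException when the body is absent or unparseable, surfacing as a 500 instead of the InvalidFormException the method already declares. A `Objects.requireNonNull(bean, "Missing password change payload")` before the service call — or better, mapping a missing body to InvalidFormException — keeps the error surface consistent with the rest of the endpoint. The method still answers both `@PUT` and `@POST`; that is pre-existing, but a single verb on a state-changing endpoint is easier to reason about in access logs and request filters.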
@@ -146,16 +144,15 @@ public class PollenUserApi { request.getSession().removeAttribute(ApiUtils.SOCIAL_AUTH_MANAGER_SESSION_KEY); Gson gson = new Gson(); Map<String, String> paramsMap = gson.fromJson(providerReturn, Map.class); - return socialAuthService.addCredentialToUser(userId, socialAuthManager, paramsMap); + return socialAuthService.addCredentialToUser(socialAuthManager, paramsMap); } - @Path("/users/{userId}/credentials/{credentialId}") + @Path("/user/credentials/{credentialId}") @DELETE public void deleteUserCredential(@Context SocialAuthService socialAuthService, @Context HttpServletRequest request, - @PathParam("userId") PollenEntityId<PollenUser> userId, @PathParam("credentialId") PollenEntityId<UserCredential> credentialId) throws Exception { - socialAuthService.deleteUserCredential(userId, credentialId); + socialAuthService.deleteUserCredential(credentialId); } } diff --git a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/VoterListApi.java b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/VoterListApi.java index 8ac33dd7..c3aa802b 100644 --- a/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/VoterListApi.java +++ b/pollen-rest-api/src/main/java/org/chorem/pollen/rest/api/v1/VoterListApi.java 
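Review bot: `paramsMap` is built by `gson.fromJson(providerReturn, Map.class)` and handed to the rewritten `socialAuthService.addCredentialToUser(socialAuthManager, paramsMap)` as a `Map<String, String>`, but the raw `Map.class` token gives Gson no element type: any non-string value in the client-supplied JSON (a number, a nested object) becomes a non-String entry and only fails later with ClassCastException wherever the map is read as strings. Parse with an explicit type, `new TypeToken<Map<String, String>>() {}.getType()`, so a malformed provider return is rejected at the boundary with a JsonSyntaxException that can be mapped to a 400. The same applies to deleteUserCredential only insofar as it also trusts path input, but that path is now scoped to the connected user by the service.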
@@ -57,18 +57,6 @@ import java.util.Set; @Produces(MediaType.APPLICATION_JSON) public class VoterListApi { -// public PollenEntityRef<VoterList> importFavoriteListNewGroup(VoterListService voterListService, PollenEntityId<Poll> pollId, PollenEntityId<FavoriteList> favoriteListId) { -// -// return voterListService.importFavoriteList(pollId.getEntityId(), null, favoriteListId.getEntityId()); -// -// } -// -// public PollenEntityRef<VoterList> importFavoriteList(VoterListService voterListService, PollenEntityId<Poll> pollId, PollenEntityId<VoterList> voterListId, PollenEntityId<FavoriteList> favoriteListId) { -// -// return voterListService.importFavoriteList(pollId.getEntityId(), voterListId.getEntityId(), favoriteListId.getEntityId()); -// -// } - @Path("/polls/{pollId}/voterLists/main") @GET public VoterListBean getMainVoterList(@Context VoterListService voterListService, @@ -222,5 +210,4 @@ public class VoterListApi { return voterListService.resendInvitationMember(pollId.getEntityId(), voterListId.getEntityId(), memberId.getEntityId()); } - } diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/ChoiceService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/ChoiceService.java index e3c908b5..333fd53e 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/ChoiceService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/ChoiceService.java @@ -70,6 +70,7 @@ public class ChoiceService extends PollenServiceSupport { public List<ChoiceBean> getChoices(String pollId) { checkNotNull(pollId); + checkPermission(PermissionVerb.readPoll, pollId); Poll poll = getPollService().getPoll0(pollId); diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/FavoriteListService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/FavoriteListService.java index 60ad57ce..8b0666f9 100644 
--- a/pollen-services/src/main/java/org/chorem/pollen/services/service/FavoriteListService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/FavoriteListService.java @@ -98,9 +98,7 @@ public class FavoriteListService extends PollenServiceSupport { public PaginationResultBean<FavoriteListBean> getFavoriteLists(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); - - PollenUser user = getConnectedUser(); + PollenUser user = checkAndGetConnectedUser(); PaginationParameter page = getFavoriteListPaginationParameter(paginationParameter); @@ -118,10 +116,9 @@ public class FavoriteListService extends PollenServiceSupport { public FavoriteListBean getFavoriteList(String favoriteListId) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); - PollenUser user = getConnectedUser(); FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); return toBean(FavoriteListBean.class, favoriteList, this::favoriteListBeanFunction); @@ -130,11 +127,10 @@ public class FavoriteListService extends PollenServiceSupport { public PollenEntityRef<FavoriteList> createFavoriteList(FavoriteListBean favoriteList) throws InvalidFormException { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteList); checkIsNotPersisted(favoriteList); - PollenUser user = getConnectedUser(); List<FavoriteList> existingFavoriteLists = getFavoriteLists0(user); @@ -152,11 +148,10 @@ public class FavoriteListService extends PollenServiceSupport { public FavoriteListBean editFavoriteList(FavoriteListBean favoriteList) throws InvalidFormException { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteList); checkIsPersisted(favoriteList); - PollenUser user = getConnectedUser(); List<FavoriteList> existingFavoriteLists = getFavoriteLists0(user); 
@@ -175,10 +170,9 @@ public class FavoriteListService extends PollenServiceSupport { public void deleteFavoriteList(String favoriteListId) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); - PollenUser user = getConnectedUser(); FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); getFavoriteListDao().delete(favoriteList); @@ -200,11 +194,9 @@ public class FavoriteListService extends PollenServiceSupport { PaginationParameterBean paginationParameter, int offset) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); PaginationParameter page = getFavoriteListPaginationParameter(paginationParameter); @@ -244,12 +236,10 @@ public class FavoriteListService extends PollenServiceSupport { public FavoriteListMemberBean getFavoriteListMember(String favoriteListId, String memberId) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(memberId); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); FavoriteListMember member = getFavoriteListMember0(favoriteList, memberId); @@ -260,12 +250,11 @@ public class FavoriteListService extends PollenServiceSupport { public PollenEntityRef<FavoriteListMember> addFavoriteListMember(String favoriteListId, FavoriteListMemberBean member) throws InvalidFormException { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(member); checkIsNotPersisted(member); - PollenUser user = getConnectedUser(); FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); 
@@ -284,12 +273,11 @@ public class FavoriteListService extends PollenServiceSupport { public FavoriteListMemberBean editFavoriteListMember(String favoriteListId, FavoriteListMemberBean member) throws InvalidFormException { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(member); checkIsPersisted(member); - PollenUser user = getConnectedUser(); FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); @@ -308,11 +296,10 @@ public class FavoriteListService extends PollenServiceSupport { public void deleteFavoriteListMember(String favoriteListId, String memberId) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(memberId); - PollenUser user = getConnectedUser(); FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); @@ -326,11 +313,11 @@ public class FavoriteListService extends PollenServiceSupport { public void importFavoriteListMembersFromCsv(String favoriteListId, File file) throws FavoriteListImportException { - checkIsConnected(); + PollenUser connectedUser = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(file); - FavoriteList favoriteList = getFavoriteList0(getConnectedUser(), favoriteListId); + FavoriteList favoriteList = getFavoriteList0(connectedUser, favoriteListId); List<FavoriteListMember> favoriteListMembers = getFavoriteListMembers0(favoriteList); FavoriteListImportFromFile importer = newService(FavoriteListImportFromFile.class); 
@@ -342,11 +329,11 @@ public class FavoriteListService extends PollenServiceSupport { public void importFavoriteListMembersFromLdap(String favoriteListId, String ldap) throws FavoriteListImportException { - checkIsConnected(); + PollenUser connectedUser = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(ldap); - FavoriteList favoriteList = getFavoriteList0(getConnectedUser(), favoriteListId); + FavoriteList favoriteList = getFavoriteList0(connectedUser, favoriteListId); List<FavoriteListMember> favoriteListMembers = getFavoriteListMembers0(favoriteList); FavoriteListImportFromLdap importer = newService(FavoriteListImportFromLdap.class); @@ -648,11 +635,9 @@ public class FavoriteListService extends PollenServiceSupport { public PaginationResultBean<ChildFavoriteListBean> getChildrenLists(String favoriteListId, String search, PaginationParameterBean paginationParameter) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); PaginationParameter page = getFavoriteListPaginationParameter(paginationParameter); @@ -679,12 +664,10 @@ public class FavoriteListService extends PollenServiceSupport { public ChildFavoriteListBean getChildList(String favoriteListId, String childListId) { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(childListId); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); ChildFavoriteList child = getChildList0(favoriteList, childListId); 
@@ -694,13 +677,11 @@ public class FavoriteListService extends PollenServiceSupport { public PollenEntityRef<ChildFavoriteList> addChildList(String favoriteListId, ChildFavoriteListBean childList) throws InvalidFormException { - checkIsConnected(); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(childList); checkIsNotPersisted(childList); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); List<ChildFavoriteList> existingChildFavoriteList = getAllChildrenLists0(user); @@ -716,13 +697,12 @@ public class FavoriteListService extends PollenServiceSupport { } public ChildFavoriteListBean editChildList(String favoriteListId, ChildFavoriteListBean childList) throws InvalidFormException { - checkIsConnected(); + + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(childList); checkIsPersisted(childList); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); List<ChildFavoriteList> existingChildFavoriteList = getChildrenLists0(favoriteList); @@ -738,12 +718,11 @@ public class FavoriteListService extends PollenServiceSupport { } public void removeChildList(String favoriteListId, String childListId) { - checkIsConnected(); + + PollenUser user = checkAndGetConnectedUser(); checkNotNull(favoriteListId); checkNotNull(childListId); - PollenUser user = getConnectedUser(); - FavoriteList favoriteList = getFavoriteList0(user, favoriteListId); ChildFavoriteList childFavoriteList = getChildList0(favoriteList, childListId); 
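Review bot: editChildList and removeChildList now open with an empty line between the brace and `PollenUser user = checkAndGetConnectedUser();`, while every other method rewritten in this file (addChildList in the hunk just above, getChildList, deleteFavoriteList, and the rest) starts directly with that call; drop the added blank line in both so the file keeps one shape. Each of these method bodies continues past its hunk.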
@@ -780,12 +759,10 @@ public class FavoriteListService extends PollenServiceSupport { } public FavoriteListBean importFavoriteListMembersFromVoterList(String voterListId) throws InvalidFormException { - VoterList voterList = getVoterListDao().forTopiaIdEquals(voterListId).findUniqueOrNull(); - checkIsConnected(); - checkNotNull(voterList); - - PollenUser user = getConnectedUser(); + PollenUser user = checkAndGetConnectedUser(); + checkNotNull(voterListId); + VoterList voterList = getVoterListDao().forTopiaIdEquals(voterListId).findUnique(); List<FavoriteList> existingFavoriteLists = getFavoriteLists0(user); @@ -844,8 +821,7 @@ public class FavoriteListService extends PollenServiceSupport { } public int importFavoriteLists(File favoriteListsExportFile) throws InvalidFormException { - checkIsConnected(); - PollenUser user = getConnectedUser(); + PollenUser user = checkAndGetConnectedUser(); Gson gson = new Gson(); FileReader reader; @@ -993,8 +969,7 @@ public class FavoriteListService extends PollenServiceSupport { } public ExportBean exportFavoriteLists() { - checkIsConnected(); - PollenUser user = getConnectedUser(); + PollenUser user = checkAndGetConnectedUser(); FavoriteListsExport result = new FavoriteListsExport(); diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/GtuService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/GtuService.java index faf481a8..f94ecfb0 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/GtuService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/GtuService.java @@ -32,6 +32,8 @@ public class GtuService extends PollenServiceSupport { } public List<GtuMetaBean> getAllGtus() { + checkIsAdmin(); + List<PollenResource> gtus = getPollenResourceDao() .forResourceTypeEquals(ResourceType.GTU) .setOrderByArguments(PollenResource.PROPERTY_TOPIA_CREATE_DATE) 
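Review bot: importFavoriteListMembersFromVoterList resolves the voter list purely by id (`getVoterListDao().forTopiaIdEquals(voterListId).findUnique()`) and nothing in the hunk checks that the connected user may read that list; unless `getFavoriteLists0` or the code after the hunk verifies it, any authenticated user could copy the members (and their email addresses) of an arbitrary poll's voter list into a favorite list by supplying its id. I would add a permission check against the owning poll right after the lookup, following the `checkPermission(PermissionVerb.…, pollId)` pattern PollService uses in this same commit — the exact verb depends on how voter-list access is modelled, so I have not named one. Note also that `findUnique()` raises a persistence exception for an unknown id; confirm the API layer maps that to a client error rather than a 500. The method body continues outside the hunk.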
@@ -96,11 +98,8 @@ public class GtuService extends PollenServiceSupport { } public void validateGtu() { - - checkIsConnected(); - PollenUser connectedUser = getConnectedUser(); + PollenUser connectedUser = checkAndGetConnectedUser(); connectedUser.setGtuValidationDate(getNow()); - commit(); } diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollService.java index 31c02bfc..dc7f72d2 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollService.java @@ -112,7 +112,6 @@ public class PollService extends PollenServiceSupport { public PaginationResultBean<PollBean> getPolls(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); checkIsAdmin(); PaginationParameter page = getPaginationParameter(paginationParameter); @@ -123,9 +122,7 @@ public class PollService extends PollenServiceSupport { public PaginationResultBean<PollBean> getCreatedPolls(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); - - PollenUser connectedUser = getConnectedUser(); + PollenUser connectedUser = checkAndGetConnectedUser(); PaginationParameter page = getPaginationParameter(paginationParameter); PaginationResult<Poll> polls = getPollDao().findAllCreated(connectedUser, page, search); @@ -135,9 +132,7 @@ public class PollService extends PollenServiceSupport { public PaginationResultBean<PollBean> getInvitedPolls(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); - - PollenUser connectedUser = getConnectedUser(); + PollenUser connectedUser = checkAndGetConnectedUser(); PaginationParameter page = getPaginationParameter(paginationParameter); PaginationResult<Poll> polls = getPollDao().findAllInvited(connectedUser, page, search); 
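Review bot: validateGtu no longer calls `commit()` after `connectedUser.setGtuValidationDate(getNow());`, and nothing else in the hunk flushes the change; unless the enclosing transaction is committed by the caller — which the other services in this diff do not rely on, PollenResourceService and SocialAuthService still call `commit()` explicitly — the user's GTU acceptance is silently lost at the end of the request. Unless the removal is deliberate, restore `commit();` after the setter.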
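Review bot: getPolls now relies on `checkIsAdmin()` alone to reject anonymous callers, the explicit `checkIsConnected()` having been removed here and in PollenUserService.getUsers; that is only safe if checkIsAdmin itself raises the unauthorized error for a missing session instead of dereferencing a null connected user. PollenServiceSupport's checkIsAdmin is not part of this diff, so I could not confirm it — if it does not, `checkAndGetConnectedUser();` should precede it in both methods, or checkIsAdmin should be made to call it. A one-line Javadoc on checkIsAdmin stating that guarantee would settle the question for future readers.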
@@ -147,9 +142,7 @@ public class PollService extends PollenServiceSupport { public PaginationResultBean<PollBean> getParticipatedPolls(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); - - PollenUser connectedUser = getConnectedUser(); + PollenUser connectedUser = checkAndGetConnectedUser(); PaginationParameter page = getPaginationParameter(paginationParameter); PaginationResult<Poll> polls = getPollDao().findAllParticipated(connectedUser, page, search); @@ -376,14 +369,13 @@ public class PollService extends PollenServiceSupport { public PollBean assignPollToConnectedUser(String pollId) { - getSecurityContext().isConnected(); + PollenUser connectedUser = checkAndGetConnectedUser(); checkNotNull(pollId); checkPermission(PermissionVerb.editPoll, pollId); Poll poll = getPoll0(pollId); PollenUser creator = poll.getCreator().getPollenUser(); - PollenUser connectedUser = getConnectedUser(); if (creator != null) { if (!creator.equals(connectedUser)) { diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenResourceService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenResourceService.java index da8edb63..158b22e9 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenResourceService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenResourceService.java 
@@ -131,26 +131,9 @@ public class PollenResourceService extends PollenServiceSupport implements Polle return PollenEntityRef.of(savedResource); } - public PollenEntityRef<PollenResource> editResource(String resourceId, ResourceFileBean resource) throws InvalidFormException { - checkNotNull(resourceId); - checkIsNotPersisted(resource); - - if (ResourceType.GTU.equals(resource.getResourceType())) { - checkIsAdmin(); - } - - ErrorMap errorMap = checkRessource(resource); - errorMap.failIfNotEmpty(); - - PollenResource savedResource = saveResource(resource); - commit(); - - return PollenEntityRef.of(savedResource); - - } - public void deleteResource(String resourceId) { checkNotNull(resourceId); + checkIsAdmin(); PollenResource resource = getResource0(resourceId); diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenServiceSupport.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenServiceSupport.java index 6ea95d82..586a2947 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenServiceSupport.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenServiceSupport.java @@ -432,6 +432,11 @@ public abstract class PollenServiceSupport implements PollenService { } + protected PollenUser checkAndGetConnectedUser() { + checkIsConnected(); + return getConnectedUser(); + } + protected PollenUIContext getUIContext() { return serviceContext.getUIContext(); diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenUserService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenUserService.java index 76a5bc19..f911963a 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenUserService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/PollenUserService.java 
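Review bot: Requiring `checkIsAdmin()` in deleteResource for every resource type is broader than the deleted editResource, which only demanded admin for `ResourceType.GTU`; if the creation path just above the hunk (`return PollenEntityRef.of(savedResource);`) is open to non-admins, ordinary users can upload resources but can no longer delete their own, which is a behaviour change beyond closing the hole. If the intent is that only GTU resources are admin-managed, mirror the old conditional after `getResource0`: `if (ResourceType.GTU.equals(resource.getResourceType())) { checkIsAdmin(); }`, and otherwise check ownership of the resource. The method continues past the hunk.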
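Review bot: The new `checkAndGetConnectedUser()` has no Javadoc although it becomes the standard guard for every service in this commit, and the behaviour callers depend on is precisely what happens when nobody is connected. Document it with a summary line such as "Asserts that a user is connected and returns it", a `@return the connected user, never null`, and a `@throws` naming the exception `checkIsConnected()` raises (the PollServiceTest change in this diff suggests PollenUnauthorizedException — confirm). The never-null statement is what lets callers drop their own null checks safely.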
@@ -65,7 +65,6 @@ public class PollenUserService extends PollenServiceSupport implements PollenSer public PaginationResultBean<PollenUserBean> getUsers(PaginationParameterBean paginationParameter, String search) { - checkIsConnected(); checkIsAdmin(); PaginationParameter page = getPaginationParameter(paginationParameter); @@ -80,10 +79,9 @@ public class PollenUserService extends PollenServiceSupport implements PollenSer public PollenUserBean getUser(String userId) { - checkIsConnected(); checkNotNull(userId); + PollenUser pollenUser = checkAndGetConnectedUser(); - PollenUser pollenUser = getConnectedUser(); if (!userId.equals(pollenUser.getTopiaId())) { checkIsAdmin(); pollenUser = getUser0(userId); @@ -115,6 +113,11 @@ public class PollenUserService extends PollenServiceSupport implements PollenSer checkNotNull(user); checkIsPersisted(user); + PollenUser connectedUser = checkAndGetConnectedUser(); + if (!connectedUser.getTopiaId().equals(user.getEntityId())) { + checkIsAdmin(); + } + ErrorMap errorMap = checkPollenUser(user); errorMap.failIfNotEmpty(); @@ -146,15 +149,12 @@ public class PollenUserService extends PollenServiceSupport implements PollenSer } - public void changePassword(String userId, - String oldPassword, + public void changePassword(String oldPassword, String newPassword) throws InvalidFormException { - checkNotNull(userId); + PollenUser user = checkAndGetConnectedUser(); checkNotNull(newPassword); - PollenUser user = getUser0(userId); - ErrorMap errorMap = new ErrorMap(); boolean passwordNotBlank = checkNotBlank(errorMap, "newPassword", newPassword, l(getLocale(), "pollen.error.user.passwordEmpty")); diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/SocialAuthService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/SocialAuthService.java index d9afcc3f..28b75ab5 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/SocialAuthService.java 
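Review bot: getUser validates the argument before the session (`checkNotNull(userId);` followed by `PollenUser pollenUser = checkAndGetConnectedUser();`), while the FavoriteListService and PollService rewrites in this commit authenticate first; checking the session first means anonymous callers get the unauthorized error regardless of payload and cannot probe argument validation, so I would swap the two lines here. changePassword further down already follows the authenticate-first order, so getUser is the only outlier in this file.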
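Review bot: changePassword now acts on the connected user and validates only `newPassword`; `oldPassword` is accepted as null (the UI in this commit sends null when `user.withPassword` is false), so the safety of the endpoint rests on the code after the hunk verifying the supplied old password whenever the account does have one — that part is outside the hunk and I could not confirm it. Worth a comment at the top of the method stating the contract, e.g. `// oldPassword may be null only for accounts without a local password; it is verified below otherwise`, and a test that a wrong or missing old password on a password-bearing account is rejected.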
+++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/SocialAuthService.java @@ -16,12 +16,10 @@ import org.chorem.pollen.persistence.entity.PollenUserImpl; import org.chorem.pollen.persistence.entity.PollenUserTopiaDao; import org.chorem.pollen.persistence.entity.UserCredential; import org.chorem.pollen.persistence.entity.UserCredentialImpl; -import org.chorem.pollen.persistence.entity.UserCredentialTopiaDao; import org.chorem.pollen.services.bean.LoginProviderBean; import org.chorem.pollen.services.bean.PollenEntityId; import org.chorem.pollen.services.bean.PollenEntityRef; import org.chorem.pollen.services.service.security.PollenEmailOrProviderAccountAlreadyUsedException; -import org.chorem.pollen.services.service.security.PollenUnauthorizedException; import java.util.ArrayList; import java.util.List; @@ -87,15 +85,10 @@ public class SocialAuthService extends PollenServiceSupport { return getSecurityService().getSessionTokenForUser(pollenUser); } - public String addCredentialToUser(PollenEntityId<PollenUser> userId, - SocialAuthManager manager, + public String addCredentialToUser(SocialAuthManager manager, Map<String, String> paramsMap) throws Exception { - checkIsConnected(); - PollenUser connectedUser = getConnectedUser(); - if (!connectedUser.getTopiaId().equals(userId.getEntityId())) { - throw new PollenUnauthorizedException(userId.getReducedId()); - } + PollenUser connectedUser = checkAndGetConnectedUser(); AuthProvider provider = manager.connect(paramsMap); @@ -182,6 +175,7 @@ public class SocialAuthService extends PollenServiceSupport { } public List<String> getAvailableLoginProviders() { + checkIsAdmin(); return new ArrayList<String>() {{ add(Constants.AMAZON); add(Constants.FACEBOOK); 
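Review bot: Gating getAvailableLoginProviders behind `checkIsAdmin()` locks anonymous users out of provider-based login if the login page renders its buttons from this list; confirm the UI obtains the provider list elsewhere (LoginProviderBean is imported in this file, which suggests a separate configured-providers method). On style, the body uses double-brace initialisation (`new ArrayList<String>() {{ add(…); }}`), which creates an anonymous subclass that captures the enclosing service instance; `Arrays.asList(Constants.AMAZON, Constants.FACEBOOK, …)` — or an immutable `List.of(...)` if the project targets Java 9+ — expresses the same constant list without that cost. The initialiser continues past the hunk.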
@@ -234,17 +228,11 @@ public class SocialAuthService extends PollenServiceSupport { commit(); } - public void deleteUserCredential(PollenEntityId<PollenUser> userId, PollenEntityId<UserCredential> credentialId) { + public void deleteUserCredential(PollenEntityId<UserCredential> credentialId) { checkNotNull(credentialId); - - checkIsConnected(); - PollenUser connectedUser = getConnectedUser(); - if (!connectedUser.getTopiaId().equals(userId.getEntityId())) { - throw new PollenUnauthorizedException(userId.getReducedId()); - } - - UserCredentialTopiaDao dao = getUserCredentialDao(); - dao.delete(dao.forTopiaIdEquals(credentialId.getEntityId()).findUnique()); + PollenUser pollenUser = checkAndGetConnectedUser(); + UserCredential credential = pollenUser.getUserCredentialByTopiaId(credentialId.getEntityId()); + getUserCredentialDao().delete(credential); commit(); } } diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteCountingService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteCountingService.java index feac3507..56826893 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteCountingService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteCountingService.java @@ -108,6 +108,7 @@ public class VoteCountingService extends PollenServiceSupport { public ListVoteCountingResultBean getGroupResult(String pollId) { Preconditions.checkNotNull(pollId); + checkPermission(PermissionVerb.readPollResult, pollId); Poll poll = getPollService().getPoll0(pollId); VoterList mainVoterList = getVoterListService().getMainVoterList0(poll); diff --git a/pollen-services/src/test/java/org/chorem/pollen/services/service/PollServiceTest.java b/pollen-services/src/test/java/org/chorem/pollen/services/service/PollServiceTest.java index 13897562..527aa601 100644 --- a/pollen-services/src/test/java/org/chorem/pollen/services/service/PollServiceTest.java 
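Review bot: The credential returned by `pollenUser.getUserCredentialByTopiaId(credentialId.getEntityId())` is passed straight to `getUserCredentialDao().delete(credential)`; scoping the lookup to the connected user is the right fix, but if the id belongs to another user or does not exist the lookup presumably returns null and the delete fails with a NullPointerException (a 500) instead of a clean unauthorized or not-found error. Add `checkNotNull(credential);` before the delete, or throw PollenUnauthorizedException with `credentialId.getReducedId()` so the response matches what the API layer already maps for the service guards.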
+++ b/pollen-services/src/test/java/org/chorem/pollen/services/service/PollServiceTest.java @@ -545,7 +545,7 @@ public class PollServiceTest extends AbstractPollenServiceTest { service.assignPollToConnectedUser(poll.getTopiaId()); Assert.fail("An error should be thrown as no user is connected"); - } catch (PollenInvalidPermissionException e) { + } catch (PollenUnauthorizedException e) { Assert.assertNull(poll.getCreator().getPollenUser()); } diff --git a/pollen-ui-riot-js/src/main/web/js/AuthService.js b/pollen-ui-riot-js/src/main/web/js/AuthService.js index e3ebea3f..7fd0dbd5 100644 --- a/pollen-ui-riot-js/src/main/web/js/AuthService.js +++ b/pollen-ui-riot-js/src/main/web/js/AuthService.js @@ -68,7 +68,7 @@ class AuthService extends FetchService { } connectedUserPromise() { - return this.get("/v1/users/connected"); + return this.get("/v1/user"); } validateEmail(userId, token) { diff --git a/pollen-ui-riot-js/src/main/web/js/UserService.js b/pollen-ui-riot-js/src/main/web/js/UserService.js index 396921a5..c203638a 100644 --- a/pollen-ui-riot-js/src/main/web/js/UserService.js +++ b/pollen-ui-riot-js/src/main/web/js/UserService.js @@ -23,7 +23,7 @@ let FetchService = require("./FetchService"); class UserService extends FetchService { - _getUrlPrefix(userId) { + _getUsersUrlPrefix(userId) { let url = "/v1/users"; if (userId) { url += "/" + userId; 
@@ -31,30 +31,34 @@ class UserService extends FetchService { return url; } + _getUserUrlPrefix() { + return "/v1/user"; + } + users(pagination, search) { let params = Object.assign({}, pagination); params.search = search || ""; - let url = this._getUrlPrefix(); + let url = this._getUsersUrlPrefix(); return this.get(url, params); } user(userId, permission) { - let url = this._getUrlPrefix(userId); + let url = this._getUsersUrlPrefix(userId); return this.get(url, {permission: permission}); } deleteUser(userId) { - let url = this._getUrlPrefix(userId); + let url = this._getUsersUrlPrefix(userId); return this.doDelete(url, {anonymize: true}); } saveUser(user) { - let url = this._getUrlPrefix(user.id); + let url = this._getUsersUrlPrefix(user.id); return this.post(url, user); } - changePassword(userId, oldPassword, newPassword) { - let url = this._getUrlPrefix(userId) + "/password"; + changePassword(oldPassword, newPassword) { + let url = this._getUserUrlPrefix() + "/password"; let body = { oldPassword: oldPassword, newPassword: newPassword @@ -62,15 +66,14 @@ class UserService extends FetchService { return this.post(url, body); } - linkProvider(userId, query) { - let url = this._getUrlPrefix(userId) + "/credentials/" + query.loginProvider; + linkProvider(query) { + let url = this._getUserUrlPrefix() + "/credentials/" + query.loginProvider; let body = JSON.stringify(query); return this.post(url, body); } - - unlinkProvider(userId, credentialId) { - let url = this._getUrlPrefix(userId) + "/credentials/" + credentialId; + unlinkProvider(credentialId) { + let url = this._getUserUrlPrefix() + "/credentials/" + credentialId; return this.doDelete(url); } diff --git a/pollen-ui-riot-js/src/main/web/tag/Pollen.tag.html b/pollen-ui-riot-js/src/main/web/tag/Pollen.tag.html index 56d89608..654e58b2 100644 --- a/pollen-ui-riot-js/src/main/web/tag/Pollen.tag.html +++ b/pollen-ui-riot-js/src/main/web/tag/Pollen.tag.html 
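Review bot: linkProvider and unlinkProvider interpolate `query.loginProvider` and `credentialId` into the path by plain concatenation with no URL encoding, so an id or provider name containing `/`, `#` or `?` would change the route instead of the parameter. Wrap each value in `encodeURIComponent(...)` when building `url`; the same applies to `_getUsersUrlPrefix(userId)` in the hunk above. These values come from the application's own data rather than free text, so the practical risk is malformed requests, but encoding makes the client robust to whatever id format the server uses.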
@@ -282,7 +282,7 @@ require("./popup/GtuChangeModal.tag.html"); } else if (q.action === "link" && session.isConnected()) { let callback = (user) => { - userService.linkProvider(user.id, q).then(() => { + userService.linkProvider(q).then(() => { location.replace(session.pollenUIContext.uiEndPoint + "/#user/profile"); }, (e) => { e.text().then(label => { diff --git a/pollen-ui-riot-js/src/main/web/tag/UserProfile.tag.html b/pollen-ui-riot-js/src/main/web/tag/UserProfile.tag.html index 6b0d9b86..676fd4e0 100644 --- a/pollen-ui-riot-js/src/main/web/tag/UserProfile.tag.html +++ b/pollen-ui-riot-js/src/main/web/tag/UserProfile.tag.html @@ -206,7 +206,7 @@ require("./components/HumanInput.tag.html"); if (this.errors.repeatPassword === undefined) { let oldPassword = this.user.withPassword ? this.refs.oldPassword.value : null; let newPassword = this.refs.newPassword.value; - userService.changePassword(this.user.id, oldPassword, newPassword).then(() => { + userService.changePassword(oldPassword, newPassword).then(() => { if (this.user.withPassword) { this.refs.oldPassword.value = ""; } @@ -236,7 +236,7 @@ require("./components/HumanInput.tag.html"); if (!confirm) { return Promise.reject(); } - return userService.unlinkProvider(this.user.id, credentialId) + return userService.unlinkProvider(credentialId) }).then(result => { this.user.credentials.splice(index, 1); this.update(); -- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
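Review bot: The rewritten line `return userService.unlinkProvider(credentialId)` in UserProfile.tag.html has no terminating semicolon, unlike the surrounding statements (`return Promise.reject();`, `this.update();`); add it so the promise chain does not depend on automatic semicolon insertion. The changePassword call-site change in the hunk above it and the linkProvider change in Pollen.tag.html are consistent with the new UserService signatures.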