r3528 - in trunk: pollen-services/src/main/java/org/chorem/pollen/services/impl pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security
Author: tchemit Date: 2012-06-19 15:22:18 +0200 (Tue, 19 Jun 2012) New Revision: 3528 Url: http://chorem.org/repositories/revision/pollen/3528 Log: still some security holes... Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java
Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java
===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-06-19 13:21:32 UTC (rev 3527)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-06-19 13:22:18 UTC (rev 3528)
@@ -160,6 +160,19 @@
 return result;
 }
+ public boolean isCanAccessResult(Poll poll,
+ String accountId,
+ SecurityService.AccountIdRole accountIdRole,
+ UserAccount userAccount) {
+
+ if (isPollCreator(poll, accountId, userAccount)) {
+ accountIdRole = AccountIdRole.CREATOR;
+ }
+
+ String errorMessage = isCanAccessResult(poll, accountIdRole);
+ return errorMessage == null;
+ }
+
 public String isCanAccessResult(Poll poll,
 SecurityService.AccountIdRole accountIdRole) {
Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java 2012-06-19 13:21:32 UTC (rev 3527)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java 2012-06-19 13:22:18 UTC (rev 3528)
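Review bot: The new four-argument isCanAccessResult overload returns a boolean while the two-argument isCanAccessResult directly below it returns an error-message String whose null value means success, so a call site reading only the name cannot tell which convention applies; a Javadoc on the new method should state both, e.g. `/** True when the poll's results may be shown: promotes the role to CREATOR when userAccount/accountId created the poll, then treats a null message from isCanAccessResult(Poll, AccountIdRole) as granted. */`. Reassigning the accountIdRole parameter also hides the promotion; a local such as `AccountIdRole effectiveRole = isPollCreator(poll, accountId, userAccount) ? AccountIdRole.CREATOR : accountIdRole;` reads more clearly and keeps the caller's value intact. Whether isPollCreator accepts a null accountId is not visible in this hunk, and PollResultAccessRequired in this same commit passes null for it, so that contract is worth documenting too.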
@@ -239,7 +239,7 @@
 public String getSummaryUrl() {
 PollUrl url = getPollUrlService().getPollSummaryUrl(poll);
- getSecurityService().removeAccountIdWhenConnected(url, getPollenUserAccount());
+ url.getPollUri().setAccountId(getAccountId());
 return url.getUrl();
 }
@@ -250,12 +250,16 @@
 return url.getUrl();
 }
+ public String getVoteMessages() {
+ return _("pollen.common.voteNbVotes", poll.sizeVote());
+ }
+
 public boolean isFeedFileExisting() {
 return feedFileExisting;
 }
- public boolean isCreatorUser() {
- return creatorUser;
+ public boolean isCreatorOrAdmin() {
+ return creatorUser || isUserAdmin();
 }
 public boolean isAccountFieldDisplayed() {
@@ -430,14 +434,16 @@
 accountId = null;
 }
 voteAllowed = getSecurityService().isCanVote(poll,
- null,
+ accountId,
 accountIdRole);
 }
 // is can display result link ?
 resultAllowed =
- getSecurityService().isCanAccessResult(poll, accountIdRole)
- == null;
+ getSecurityService().isCanAccessResult(poll,
+ getAccountId(),
+ accountIdRole,
+ getPollenUserAccount());
 if (voteAllowed) {
Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java 2012-06-19 13:21:32 UTC (rev 3527)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java 2012-06-19 13:22:18 UTC (rev 3528)
@@ -24,6 +24,7 @@
 import org.chorem.pollen.bean.PollUri;
 import org.chorem.pollen.business.persistence.Poll;
+import org.chorem.pollen.business.persistence.UserAccount;
 import org.chorem.pollen.services.PollenServiceContext;
 import org.chorem.pollen.services.impl.SecurityService;
 import org.chorem.pollen.ui.PollenUIUtils;
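Review bot: getSummaryUrl() now writes getAccountId() into the summary link unconditionally, where the removed line stripped the id for connected users, and nothing in the hunk records why the id must now survive for logged-in users as well; a short comment would stop the old behaviour from being reinstated by mistake, e.g. `// always keep the accountId in the summary link; the service's result-access check reads it`. The later hunk of this file shows the action deciding separately whether to null its local accountId, so it is worth stating whether getAccountId() here can still carry a value that decision rejected.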
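Review bot: Renaming isCreatorUser() to isCreatorOrAdmin() changes the bean property exposed to views from creatorUser to creatorOrAdmin, and any template still reading the old name is outside this diff, so please confirm those references were updated in the same change. The new getVoteMessages() depends on _() and poll, both declared outside the hunk, and its result is a rendered message rather than a count, which the name hides; a one-line Javadoc such as `/** Localized vote-count label built from pollen.common.voteNbVotes and poll.sizeVote(). */` would make that explicit.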
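Review bot: resultAllowed now passes getAccountId() to the service while voteAllowed, a few lines above in the same method, passes the local accountId, which the branch at the top of the hunk sets to null; if that nulling means the supplied id was rejected, the result-access check still receives the raw value and can promote a role the vote check refused. Using the same local in both calls keeps the two decisions consistent: `getSecurityService().isCanAccessResult(poll, accountId, accountIdRole, getPollenUserAccount());`. Note also that the promotion to CREATOR happens inside the service call and is not reflected in the action's own accountIdRole, so isCanVote above still sees the un-promoted role; a comment should say whether that is intended. The enclosing method starts and ends outside the hunk.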
@@ -92,6 +93,19 @@
 request, n_("pollen.security.error.bad.accountId"));
 }
+ } else {
+
+ // check if current userAccount is creator
+ UserAccount userAccount = getPollenUserAccount(request);
+
+ boolean isCreator = securityService.isPollCreator(
+ poll,
+ null,
+ userAccount);
+
+ if (isCreator) {
+ accountIdRole = SecurityService.AccountIdRole.CREATOR;
+ }
 }
 if (isAdmin) {
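Review bot: The creator promotion added in the else branch duplicates the one that SecurityService.isCanAccessResult(Poll, String, AccountIdRole, UserAccount) performs in this same commit, but with a different input: here isPollCreator receives null for the accountId, whereas the service forwards the caller's accountId, so this interceptor and AbstractVoteAction can reach different creator decisions for the same request. Centralising the promotion in SecurityService (one method returning the effective role) and calling it from both places would keep the two paths in step. Because the block sits in the else of a condition opened above the hunk, the promotion appears to run only when that condition is false; a comment naming the condition, e.g. `// no accountId supplied: fall back to the connected user's creator status`, would make the intent checkable — adjust the wording if the condition is something else. The enclosing method begins before the hunk and continues after it.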