From 61d0378d32e059c7dcc893879ddfc0003f159e3d Mon Sep 17 00:00:00 2001
From: Stephan Richter
Date: Tue, 8 Jul 2025 23:31:21 +0200
Subject: [PATCH 1/2] extend UserHelper interface
Signed-off-by: Stephan Richter
---
 .../main/java/de/srsoftware/umbrella/core/api/UserHelper.java | 4 +++-
 .../src/main/java/de/srsoftware/umbrella/user/UserModule.java | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/de/srsoftware/umbrella/core/api/UserHelper.java b/core/src/main/java/de/srsoftware/umbrella/core/api/UserHelper.java
index 3dc2d76..3ac728d 100644
--- a/core/src/main/java/de/srsoftware/umbrella/core/api/UserHelper.java
+++ b/core/src/main/java/de/srsoftware/umbrella/core/api/UserHelper.java
@@ -1,11 +1,13 @@
+/* © SRSoftware 2025 */
 package de.srsoftware.umbrella.core.api;
 import com.sun.net.httpserver.HttpExchange;
+import de.srsoftware.umbrella.core.Token;
 import de.srsoftware.umbrella.core.UmbrellaException;
 import de.srsoftware.umbrella.core.model.UmbrellaUser;
-
 import java.util.Optional;
 public interface UserHelper {
+ Optional loadUser(Optional sessionToken) throws UmbrellaException;
 Optional loadUser(HttpExchange ex) throws UmbrellaException;
 }
diff --git a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
index 92290bc..bf74dae 100644
--- a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
+++ b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
@@ -126,7 +126,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 }
 }
- private Optional loadUser(Optional sessionToken) throws UmbrellaException {
+ public Optional loadUser(Optional sessionToken) throws UmbrellaException {
 if (sessionToken.isEmpty()) return empty();
 var session = users.load(sessionToken.get());
 return Optional.of(users.load(session));
From 6427eec0a7cf133b7348145fb3c7c5f89c8eb99e Mon Sep 17 00:00:00 2001
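Review bot: The new `loadUser(Optional sessionToken)` on `UserHelper` has no Javadoc, yet other modules will rely on its result to decide whether a request is authenticated. I would add a comment above it such as `/** Resolves a session token to its user; returns empty when no token is supplied. */` and state explicitly whether an unknown or expired token yields an empty result or an `UmbrellaException`. The `UserModule` implementation in the next hunk suggests the latter, but that depends on `users.load`, which is not visible here.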
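Review bot: The now-public `loadUser(Optional sessionToken)` in `UserModule` implements the method just added to `UserHelper` but carries no `@Override`. Adding `@Override` on the line above `public Optional loadUser(...)` lets the compiler flag any later drift between interface and implementation, instead of leaving a stray overload that callers of the interface never reach. `Optional.of(users.load(session))` would also throw a `NullPointerException` if `users.load` can return null; whether it can is not visible in this hunk, and the method's closing brace lies outside it.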
From: Stephan Richter
Date: Wed, 9 Jul 2025 00:36:22 +0200
Subject: [PATCH 2/2] bugfix
---
 .../src/main/java/de/srsoftware/umbrella/user/UserModule.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
index bf74dae..ed3dc63 100644
--- a/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
+++ b/user/src/main/java/de/srsoftware/umbrella/user/UserModule.java
@@ -168,7 +168,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 long userId = Long.parseLong(head);
 if (user.isEmpty()) return forbidden(ex);
 if (!(user.get() instanceof DbUser dbUser)) return forbidden(ex);
- if (dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS)) return forbidden(ex);
+ if (!(dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS))) return forbidden(ex);
 return sendContent(ex,users.load(userId));
 } catch (UmbrellaException e) {
 return send(ex,e);
@@ -196,7 +196,7 @@ public class UserModule extends BaseHandler implements UserHelper {
 userId = Long.parseLong(head);
 DbUser editedUser = (DbUser) users.load(userId);
- if (!(requestingUser.get() instanceof DbUser dbUser) || !dbUser.permissions().contains(UPDATE_USERS)) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
+ if (!(requestingUser.get() instanceof DbUser dbUser) || !(dbUser.id() == userId || dbUser.permissions().contains(UPDATE_USERS))) return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update user "+editedUser.name());
 JSONObject json;
 try {
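Review bot: `Long.parseLong(head)` at the top of this hunk throws `NumberFormatException` for a non-numeric path segment, and the only handler visible is `catch (UmbrellaException e)`. Unless a further catch follows outside the hunk, such a request ends in an unhandled exception rather than a 4xx. The access rule would also be harder to invert again as a named condition, `boolean mayView = dbUser.id() == userId || dbUser.permissions().contains(LIST_USERS);` followed by `if (!mayView) return forbidden(ex);`, since the inverted form repaired here let any authenticated user without the permission read other users' records. A test covering self, another user without `LIST_USERS`, and another user with it would pin the rule; the same `Long.parseLong(head)` appears in the second hunk.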
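Review bot: The 403 branch still answers with `"You are not allowed to update user "+editedUser.name()`, and `users.load(userId)` runs before the permission test, so a caller who fails the check learns the name behind any numeric id. I would evaluate the permission first, load `editedUser` only afterwards, and reply with a fixed message such as `return sendContent(ex,HTTP_FORBIDDEN,"You are not allowed to update this user");`. Because this commit newly lets users update their own record, the JSON handling that begins at `JSONObject json; try {` and continues outside the hunk should restrict self-service updates to a field allow-list so that a user cannot change their own permissions. Whether it already does is not visible here.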