
improved permission checks on archive

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
main
Stephan Richter 9 months ago
parent
commit
0a1e210503
  1. 12
      src/main/java/de/srsoftware/widerhall/data/MailingList.java
  2. 51
      src/main/java/de/srsoftware/widerhall/web/Rest.java
  3. 11
      src/main/java/de/srsoftware/widerhall/web/Web.java

12
src/main/java/de/srsoftware/widerhall/data/MailingList.java

@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener {
}
private void forward(Message message, Stream<ListMember> members) throws MessagingException {
if (hasState(STATE_PUBLIC_ARCHIVE)) storeMessage(message);
if (hasPublicArchive()) storeMessage(message);
String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null;
var receivers = members
.map(ListMember::user)
@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener {
return ml;
}
public boolean hasPublicArchive() {
return hasState(STATE_PUBLIC_ARCHIVE);
}
public boolean hasState(int test){
return (state & test) > 0;
}
@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener {
if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN);
if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN);
if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN);
if (hasState(STATE_OPEN_FOR_GUESTS)) map.put(t("open_for_guests"),HIDDEN);
if (hasState(STATE_OPEN_FOR_SUBSCRIBERS)) map.put(t("open_for_subscribers"),HIDDEN);
if (hasState(STATE_PUBLIC_ARCHIVE)) map.put(t("archive"),VISIBLE);
if (isOpenForGuests()) map.put(t("open_for_guests"),HIDDEN);
if (isOpenForSubscribers()) map.put(t("open_for_subscribers"),HIDDEN);
if (hasPublicArchive()) map.put(t("archive"),VISIBLE);
return map;
}
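Review bot: `hasPublicArchive()` in the -238,6 hunk has no Javadoc even though this commit makes it the single predicate that gates archive access from both Rest.archive and Web.archive. A one-liner such as `/** @return true when STATE_PUBLIC_ARCHIVE is set, i.e. the archive may be read by callers who could not otherwise alter the list. */` pins that contract where the flag is evaluated. For consistency the remaining `hasState(STATE_FORWARD_ATTACHED)` / `STATE_HIDE_RECEIVERS` / `STATE_REPLY_TO_LIST` checks in the -603,9 hunk could get the same named accessors, since three of their siblings were converted in this hunk and the same flags are re-tested by name in Rest.java.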

51
src/main/java/de/srsoftware/widerhall/web/Rest.java

@ -13,6 +13,7 @@ import javax.servlet.ServletException; @@ -13,6 +13,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAllowedException;
import java.io.IOException;
import java.sql.SQLException;
import java.util.HashMap;
@ -62,31 +63,29 @@ public class Rest extends HttpServlet { @@ -62,31 +63,29 @@ public class Rest extends HttpServlet {
return Map.of(SUCCESS,"Updated user permissions");
}
private Map<String,Object> archive(HttpServletRequest req, User user){
private Map<String,Object> archive(HttpServletRequest req, User user) throws SQLException {
var list = Util.getMailingList(req);
if (list != null){
try {
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
String month = req.getParameter(MONTH);
boolean userIsMod = list.mayBeAlteredBy(user);
if (month == null || month.isBlank()) {
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
} else {
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
} catch (SQLException e) {
e.printStackTrace();
}
}
LOG.debug("list: {}",list.email());
return Map.of();
if (list == null) throw new IllegalArgumentException(t("You are trying to access a non-existing list!"));
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) throw new NotAllowedException(t("You are not allowed to access the archive of this list!"));
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
boolean userIsMod = list.mayBeAlteredBy(user);
String month = req.getParameter(MONTH);
if (month == null || month.isBlank()) return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String error = handleGet(req, resp);
String error;
try {
error = handleGet(req, resp);
} catch (SQLException e) {
error = e.getMessage();
}
if (error != null) resp.sendError(400,error);
}
@ -166,7 +165,7 @@ public class Rest extends HttpServlet { @@ -166,7 +165,7 @@ public class Rest extends HttpServlet {
}
}
public String handleGet(HttpServletRequest req, HttpServletResponse resp){
public String handleGet(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
var user = Util.getUser(req);
var path = Util.getPath(req);
@ -176,9 +175,6 @@ public class Rest extends HttpServlet { @@ -176,9 +175,6 @@ public class Rest extends HttpServlet {
json.put(USER,user.safeMap());
switch (path) {
case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE) || list.mayBeAlteredBy(user);
if (!allowed) return t("Sie sind nicht berechtigt, das Archiv dieser Liste einzusehen!");
json.put("archive",archive(req,user));
break;
case USER_LIST:
@ -202,10 +198,7 @@ public class Rest extends HttpServlet { @@ -202,10 +198,7 @@ public class Rest extends HttpServlet {
} else {
switch (path) {
case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE);
if (!allowed) return t("This mailing list has no public archive!");
json.put("archive",archive(req,user));
json.put("archive",archive(req,null));
break;
case LIST_SUBSCRIBABLE:
json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList());
@ -337,7 +330,7 @@ public class Rest extends HttpServlet { @@ -337,7 +330,7 @@ public class Rest extends HttpServlet {
if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true);
if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true);
if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true);
if (list.hasState(MailingList.STATE_PUBLIC_ARCHIVE)) map.put(KEY_ARCHIVE,true);
if (list.hasPublicArchive()) map.put(KEY_ARCHIVE,true);
if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true);
if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime());
return map;
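Review bot: In the -62,31 hunk the authorization failure in `archive()` is now signalled by throwing `NotAllowedException` (and the missing-list case by `IllegalArgumentException`), but the only handler added to `doGet` catches `SQLException`, so unless `handleGet` catches them somewhere outside the hunk these unchecked exceptions escape the servlet and the container answers with a 500 and its default error page instead of the 400 the removed string-return path produced. `javax.ws.rs.NotAllowedException` also denotes HTTP 405 in JAX-RS and nothing in a plain `HttpServlet` maps it, so `javax.ws.rs.ForbiddenException` (403) is the closer type, and either way `doGet` should translate it explicitly. Separately, `error = e.getMessage()` forwards the raw `SQLException` text to the client via `sendError(400, …)`, which exposes driver and schema details; log the exception and return a generic 500 instead. The `handleGet` body between the -166 and -202 hunks is outside this view.
```java
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String error;
    try {
        error = handleGet(req, resp);
    } catch (NotAllowedException e) {
        resp.sendError(403, e.getMessage()); // authorization failure, not a malformed request
        return;
    } catch (IllegalArgumentException e) {
        resp.sendError(404, e.getMessage()); // unknown list
        return;
    } catch (SQLException e) {
        LOG.error("handleGet failed", e); // keep the driver message out of the response body
        resp.sendError(500, t("Internal error"));
        return;
    }
    if (error != null) resp.sendError(400,error);
}
```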

11
src/main/java/de/srsoftware/widerhall/web/Web.java

@ -133,15 +133,18 @@ public class Web extends TemplateServlet { @@ -133,15 +133,18 @@ public class Web extends TemplateServlet {
}
}
private String archive(HttpServletRequest req, HttpServletResponse resp) {
private String archive(MailingList list, User user, HttpServletRequest req, HttpServletResponse resp) {
if (list == null) return t("The mailing list you are trying to view does not exist!");
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) return t("You are not allowed to access the archive of this list");
var map = new HashMap<String,Object>();
var list = Util.getMailingList(req);
map.put(LIST,list.email());
var month = req.getParameter(MONTH);
if (month != null && !month.isBlank()){
map.put(MONTH,month);
var user = Util.getUser(req);
map.put(MODERATOR,list.mayBeAlteredBy(user));
}
return loadTemplate(ARCHIVE,map,resp);
@ -284,7 +287,7 @@ public class Web extends TemplateServlet { @@ -284,7 +287,7 @@ public class Web extends TemplateServlet {
if (list != null) data.put(LIST,list.minimalMap());
switch (path){
case ARCHIVE:
return archive(req,resp);
return archive(list,user,req,resp);
case CONFIRM:
return confirm(req,resp);
case POST:
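Review bot: In the -133,15 hunk the new `archive()` evaluates `list.mayBeAlteredBy(user)` twice, once for `allowed` and again inside the month branch for the `MODERATOR` flag, so the template flag and the permission decision can come from two separate calls. Hoisting it into a local as Rest.archive does keeps both derived from one value: `boolean userIsMod = list.mayBeAlteredBy(user);`, `if (!list.hasPublicArchive() && !userIsMod) return t("You are not allowed to access the archive of this list");`, `map.put(MODERATOR,userIsMod);`. The new four-parameter signature also has no Javadoc; document that `list` may be null (the caller at the -284 hunk guards `list != null` only for the `LIST` entry) and that on a permission or lookup failure the method returns the translated message in place of the rendered template, since whether that string is sent as the whole response body depends on the caller, which is outside the hunk.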
