improved permission checks on archive

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
2024-03-15 13:27:25 +01:00
parent 1b484760b9
commit 0a1e210503
3 changed files with 36 additions and 36 deletions
--- a/src/main/java/de/srsoftware/widerhall/data/MailingList.java
+++ b/src/main/java/de/srsoftware/widerhall/data/MailingList.java
@@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener {
    }

    private void forward(Message message, Stream<ListMember> members) throws MessagingException {
-        if (hasState(STATE_PUBLIC_ARCHIVE)) storeMessage(message);
+        if (hasPublicArchive()) storeMessage(message);
        String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null;
        var receivers = members
                .map(ListMember::user)
@@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener {
        return ml;
    }

+    public boolean hasPublicArchive() {
+        return hasState(STATE_PUBLIC_ARCHIVE);
+    }
+
    public boolean hasState(int test){
        return (state & test) > 0;
    }
@@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener {
        if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN);
        if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN);
        if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN);
-        if (hasState(STATE_OPEN_FOR_GUESTS)) map.put(t("open_for_guests"),HIDDEN);
-        if (hasState(STATE_OPEN_FOR_SUBSCRIBERS)) map.put(t("open_for_subscribers"),HIDDEN);
-        if (hasState(STATE_PUBLIC_ARCHIVE)) map.put(t("archive"),VISIBLE);
+        if (isOpenForGuests()) map.put(t("open_for_guests"),HIDDEN);
+        if (isOpenForSubscribers()) map.put(t("open_for_subscribers"),HIDDEN);
+        if (hasPublicArchive()) map.put(t("archive"),VISIBLE);
        return map;
    }

--- a/src/main/java/de/srsoftware/widerhall/web/Rest.java
+++ b/src/main/java/de/srsoftware/widerhall/web/Rest.java
@@ -13,6 +13,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.NotAllowedException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.HashMap;
@@ -62,31 +63,29 @@ public class Rest extends HttpServlet {
        return Map.of(SUCCESS,"Updated user permissions");
    }

-    private Map<String,Object> archive(HttpServletRequest req, User user){
+    private Map<String,Object> archive(HttpServletRequest req, User user) throws SQLException {
        var list = Util.getMailingList(req);
-        if (list != null){
-            try {
-                var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
-                var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
+        if (list == null) throw new IllegalArgumentException(t("You are trying to access a non-existing list!"));
+        var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
+        if (!allowed) throw new NotAllowedException(t("You are not allowed to access the archive of this list!"));

-                String month = req.getParameter(MONTH);
-                boolean userIsMod = list.mayBeAlteredBy(user);
-                if (month == null || month.isBlank()) {
-                    return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
-                } else {
-                    return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
-                }
-            } catch (SQLException e) {
-                e.printStackTrace();
-            }
-        }
-        LOG.debug("list: {}",list.email());
-        return Map.of();
+        var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
+        var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
+
+        boolean userIsMod = list.mayBeAlteredBy(user);
+        String month = req.getParameter(MONTH);
+        if (month == null || month.isBlank()) return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
+        return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
-        String error = handleGet(req, resp);
+        String error;
+        try {
+            error = handleGet(req, resp);
+        } catch (SQLException e) {
+            error = e.getMessage();
+        }
        if (error != null) resp.sendError(400,error);
    }

@@ -166,7 +165,7 @@ public class Rest extends HttpServlet {
        }
    }

-    public String handleGet(HttpServletRequest req, HttpServletResponse resp){
+    public String handleGet(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
        var user = Util.getUser(req);
        var path = Util.getPath(req);

@@ -176,9 +175,6 @@ public class Rest extends HttpServlet {
            json.put(USER,user.safeMap());
            switch (path) {
                case LIST_ARCHIVE:
-                    var list = Util.getMailingList(req);
-                    var allowed = list.hasState(STATE_PUBLIC_ARCHIVE) || list.mayBeAlteredBy(user);
-                    if (!allowed) return t("Sie sind nicht berechtigt, das Archiv dieser Liste einzusehen!");
                    json.put("archive",archive(req,user));
                    break;
                case USER_LIST:
@@ -202,10 +198,7 @@ public class Rest extends HttpServlet {
        } else {
            switch (path) {
                case LIST_ARCHIVE:
-                    var list = Util.getMailingList(req);
-                    var allowed = list.hasState(STATE_PUBLIC_ARCHIVE);
-                    if (!allowed) return t("This mailing list has no public archive!");
-                    json.put("archive",archive(req,user));
+                    json.put("archive",archive(req,null));
                    break;
                case LIST_SUBSCRIBABLE:
                    json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList());
@@ -337,7 +330,7 @@ public class Rest extends HttpServlet {
        if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true);
        if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true);
        if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true);
-        if (list.hasState(MailingList.STATE_PUBLIC_ARCHIVE)) map.put(KEY_ARCHIVE,true);
+        if (list.hasPublicArchive()) map.put(KEY_ARCHIVE,true);
        if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true);
        if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime());
        return map;
--- a/src/main/java/de/srsoftware/widerhall/web/Web.java
+++ b/src/main/java/de/srsoftware/widerhall/web/Web.java
@@ -133,15 +133,18 @@ public class Web extends TemplateServlet {
        }
    }

-    private String archive(HttpServletRequest req, HttpServletResponse resp) {
+    private String archive(MailingList list, User user, HttpServletRequest req, HttpServletResponse resp) {
+        if (list == null) return t("The mailing list you are trying to view does not exist!");
+
+        var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
+        if (!allowed) return t("You are not allowed to access the archive of this list");
+
        var map = new HashMap<String,Object>();
-        var list = Util.getMailingList(req);
        map.put(LIST,list.email());

        var month = req.getParameter(MONTH);
        if (month != null && !month.isBlank()){
            map.put(MONTH,month);
-            var user = Util.getUser(req);
            map.put(MODERATOR,list.mayBeAlteredBy(user));
        }
        return loadTemplate(ARCHIVE,map,resp);
@@ -284,7 +287,7 @@ public class Web extends TemplateServlet {
        if (list != null) data.put(LIST,list.minimalMap());
        switch (path){
            case ARCHIVE:
-                return archive(req,resp);
+                return archive(list,user,req,resp);
            case CONFIRM:
                return confirm(req,resp);
            case POST: