StephanRichter
/
Widerhall
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity
Browse Source

improved permission checks on archive 

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
main
Stephan Richter 2 months ago
parent
1b484760b9
commit
0a1e210503
3 changed files with 37 additions and 37 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      src/main/java/de/srsoftware/widerhall/data/MailingList.java
  2. 51
      src/main/java/de/srsoftware/widerhall/web/Rest.java
  3. 11
      src/main/java/de/srsoftware/widerhall/web/Web.java

12
src/main/java/de/srsoftware/widerhall/data/MailingList.java
Unescape View File

@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener {
}
private void forward(Message message, Stream<ListMember> members) throws MessagingException {
if (hasState(STATE_PUBLIC_ARCHIVE)) storeMessage(message);
if (hasPublicArchive()) storeMessage(message);
String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null;
var receivers = members
.map(ListMember::user)
@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener {
return ml;
}
public boolean hasPublicArchive() {
return hasState(STATE_PUBLIC_ARCHIVE);
}
public boolean hasState(int test){
return (state & test) > 0;
}
@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener { @@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener {
if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN);
if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN);
if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN);
if (hasState(STATE_OPEN_FOR_GUESTS)) map.put(t("open_for_guests"),HIDDEN);
if (hasState(STATE_OPEN_FOR_SUBSCRIBERS)) map.put(t("open_for_subscribers"),HIDDEN);
if (hasState(STATE_PUBLIC_ARCHIVE)) map.put(t("archive"),VISIBLE);
if (isOpenForGuests()) map.put(t("open_for_guests"),HIDDEN);
if (isOpenForSubscribers()) map.put(t("open_for_subscribers"),HIDDEN);
if (hasPublicArchive()) map.put(t("archive"),VISIBLE);
return map;
}

51
src/main/java/de/srsoftware/widerhall/web/Rest.java
Unescape View File

@ -13,6 +13,7 @@ import javax.servlet.ServletException; @@ -13,6 +13,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAllowedException;
import java.io.IOException;
import java.sql.SQLException;
import java.util.HashMap;
@ -62,31 +63,29 @@ public class Rest extends HttpServlet { @@ -62,31 +63,29 @@ public class Rest extends HttpServlet {
return Map.of(SUCCESS,"Updated user permissions");
}
private Map<String,Object> archive(HttpServletRequest req, User user){
private Map<String,Object> archive(HttpServletRequest req, User user) throws SQLException {
var list = Util.getMailingList(req);
if (list != null){
try {
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
String month = req.getParameter(MONTH);
boolean userIsMod = list.mayBeAlteredBy(user);
if (month == null || month.isBlank()) {
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
} else {
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
} catch (SQLException e) {
e.printStackTrace();
}
}
LOG.debug("list: {}",list.email());
return Map.of();
if (list == null) throw new IllegalArgumentException(t("You are trying to access a non-existing list!"));
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) throw new NotAllowedException(t("You are not allowed to access the archive of this list!"));
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
boolean userIsMod = list.mayBeAlteredBy(user);
String month = req.getParameter(MONTH);
if (month == null || month.isBlank()) return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String error = handleGet(req, resp);
String error;
try {
error = handleGet(req, resp);
} catch (SQLException e) {
error = e.getMessage();
}
if (error != null) resp.sendError(400,error);
}
@ -166,7 +165,7 @@ public class Rest extends HttpServlet { @@ -166,7 +165,7 @@ public class Rest extends HttpServlet {
}
}
public String handleGet(HttpServletRequest req, HttpServletResponse resp){
public String handleGet(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
var user = Util.getUser(req);
var path = Util.getPath(req);
@ -176,9 +175,6 @@ public class Rest extends HttpServlet { @@ -176,9 +175,6 @@ public class Rest extends HttpServlet {
json.put(USER,user.safeMap());
switch (path) {
case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE) || list.mayBeAlteredBy(user);
if (!allowed) return t("Sie sind nicht berechtigt, das Archiv dieser Liste einzusehen!");
json.put("archive",archive(req,user));
break;
case USER_LIST:
@ -202,10 +198,7 @@ public class Rest extends HttpServlet { @@ -202,10 +198,7 @@ public class Rest extends HttpServlet {
} else {
switch (path) {
case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE);
if (!allowed) return t("This mailing list has no public archive!");
json.put("archive",archive(req,user));
json.put("archive",archive(req,null));
break;
case LIST_SUBSCRIBABLE:
json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList());
@ -337,7 +330,7 @@ public class Rest extends HttpServlet { @@ -337,7 +330,7 @@ public class Rest extends HttpServlet {
if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true);
if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true);
if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true);
if (list.hasState(MailingList.STATE_PUBLIC_ARCHIVE)) map.put(KEY_ARCHIVE,true);
if (list.hasPublicArchive()) map.put(KEY_ARCHIVE,true);
if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true);
if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime());
return map;

11
src/main/java/de/srsoftware/widerhall/web/Web.java
Unescape View File

@ -133,15 +133,18 @@ public class Web extends TemplateServlet { @@ -133,15 +133,18 @@ public class Web extends TemplateServlet {
}
}
private String archive(HttpServletRequest req, HttpServletResponse resp) {
private String archive(MailingList list, User user, HttpServletRequest req, HttpServletResponse resp) {
if (list == null) return t("The mailing list you are trying to view does not exist!");
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) return t("You are not allowed to access the archive of this list");
var map = new HashMap<String,Object>();
var list = Util.getMailingList(req);
map.put(LIST,list.email());
var month = req.getParameter(MONTH);
if (month != null && !month.isBlank()){
map.put(MONTH,month);
var user = Util.getUser(req);
map.put(MODERATOR,list.mayBeAlteredBy(user));
}
return loadTemplate(ARCHIVE,map,resp);
@ -284,7 +287,7 @@ public class Web extends TemplateServlet { @@ -284,7 +287,7 @@ public class Web extends TemplateServlet {
if (list != null) data.put(LIST,list.minimalMap());
switch (path){
case ARCHIVE:
return archive(req,resp);
return archive(list,user,req,resp);
case CONFIRM:
return confirm(req,resp);
case POST:

Write Preview
Loading…
Cancel
Save