StephanRichter
/
Widerhall
1
0
Fork 0
Code Issues Pull Requests Projects Releases Activity
Browse Source

improved permission checks on archive 

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
main
Stephan Richter 8 months ago
parent
1b484760b9
commit
0a1e210503
3 changed files with 37 additions and 37 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      src/main/java/de/srsoftware/widerhall/data/MailingList.java
  2. 51
      src/main/java/de/srsoftware/widerhall/web/Rest.java
  3. 11
      src/main/java/de/srsoftware/widerhall/web/Web.java

12
src/main/java/de/srsoftware/widerhall/data/MailingList.java
Unescape View File

@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener {
} }
private void forward(Message message, Stream<ListMember> members) throws MessagingException { private void forward(Message message, Stream<ListMember> members) throws MessagingException {
if (hasState(STATE_PUBLIC_ARCHIVE)) storeMessage(message); if (hasPublicArchive()) storeMessage(message);
String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null; String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null;
var receivers = members var receivers = members
.map(ListMember::user) .map(ListMember::user)
@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener {
return ml; return ml;
} }
public boolean hasPublicArchive() {
return hasState(STATE_PUBLIC_ARCHIVE);
}
public boolean hasState(int test){ public boolean hasState(int test){
return (state & test) > 0; return (state & test) > 0;
} }
@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener {
if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN); if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN);
if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN); if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN);
if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN); if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN);
if (hasState(STATE_OPEN_FOR_GUESTS)) map.put(t("open_for_guests"),HIDDEN); if (isOpenForGuests()) map.put(t("open_for_guests"),HIDDEN);
if (hasState(STATE_OPEN_FOR_SUBSCRIBERS)) map.put(t("open_for_subscribers"),HIDDEN); if (isOpenForSubscribers()) map.put(t("open_for_subscribers"),HIDDEN);
if (hasState(STATE_PUBLIC_ARCHIVE)) map.put(t("archive"),VISIBLE); if (hasPublicArchive()) map.put(t("archive"),VISIBLE);
return map; return map;
} }

51
src/main/java/de/srsoftware/widerhall/web/Rest.java
Unescape View File

@ -13,6 +13,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAllowedException;
import java.io.IOException; import java.io.IOException;
import java.sql.SQLException; import java.sql.SQLException;
import java.util.HashMap; import java.util.HashMap;
@ -62,31 +63,29 @@ public class Rest extends HttpServlet {
return Map.of(SUCCESS,"Updated user permissions"); return Map.of(SUCCESS,"Updated user permissions");
} }
private Map<String,Object> archive(HttpServletRequest req, User user){ private Map<String,Object> archive(HttpServletRequest req, User user) throws SQLException {
var list = Util.getMailingList(req); var list = Util.getMailingList(req);
if (list != null){ if (list == null) throw new IllegalArgumentException(t("You are trying to access a non-existing list!"));
try { var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS); if (!allowed) throw new NotAllowedException(t("You are not allowed to access the archive of this list!"));
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
String month = req.getParameter(MONTH); var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
boolean userIsMod = list.mayBeAlteredBy(user);
if (month == null || month.isBlank()) { boolean userIsMod = list.mayBeAlteredBy(user);
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders)); String month = req.getParameter(MONTH);
} else { if (month == null || month.isBlank()) return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList()); return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
} catch (SQLException e) {
e.printStackTrace();
}
}
LOG.debug("list: {}",list.email());
return Map.of();
} }
@Override @Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String error = handleGet(req, resp); String error;
try {
error = handleGet(req, resp);
} catch (SQLException e) {
error = e.getMessage();
}
if (error != null) resp.sendError(400,error); if (error != null) resp.sendError(400,error);
} }
@ -166,7 +165,7 @@ public class Rest extends HttpServlet {
} }
} }
public String handleGet(HttpServletRequest req, HttpServletResponse resp){ public String handleGet(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
var user = Util.getUser(req); var user = Util.getUser(req);
var path = Util.getPath(req); var path = Util.getPath(req);
@ -176,9 +175,6 @@ public class Rest extends HttpServlet {
json.put(USER,user.safeMap()); json.put(USER,user.safeMap());
switch (path) { switch (path) {
case LIST_ARCHIVE: case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE) || list.mayBeAlteredBy(user);
if (!allowed) return t("Sie sind nicht berechtigt, das Archiv dieser Liste einzusehen!");
json.put("archive",archive(req,user)); json.put("archive",archive(req,user));
break; break;
case USER_LIST: case USER_LIST:
@ -202,10 +198,7 @@ public class Rest extends HttpServlet {
} else { } else {
switch (path) { switch (path) {
case LIST_ARCHIVE: case LIST_ARCHIVE:
var list = Util.getMailingList(req); json.put("archive",archive(req,null));
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE);
if (!allowed) return t("This mailing list has no public archive!");
json.put("archive",archive(req,user));
break; break;
case LIST_SUBSCRIBABLE: case LIST_SUBSCRIBABLE:
json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList()); json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList());
@ -337,7 +330,7 @@ public class Rest extends HttpServlet {
if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true); if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true);
if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true); if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true);
if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true); if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true);
if (list.hasState(MailingList.STATE_PUBLIC_ARCHIVE)) map.put(KEY_ARCHIVE,true); if (list.hasPublicArchive()) map.put(KEY_ARCHIVE,true);
if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true); if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true);
if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime()); if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime());
return map; return map;

11
src/main/java/de/srsoftware/widerhall/web/Web.java
Unescape View File

@ -133,15 +133,18 @@ public class Web extends TemplateServlet {
} }
} }
private String archive(HttpServletRequest req, HttpServletResponse resp) { private String archive(MailingList list, User user, HttpServletRequest req, HttpServletResponse resp) {
if (list == null) return t("The mailing list you are trying to view does not exist!");
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) return t("You are not allowed to access the archive of this list");
var map = new HashMap<String,Object>(); var map = new HashMap<String,Object>();
var list = Util.getMailingList(req);
map.put(LIST,list.email()); map.put(LIST,list.email());
var month = req.getParameter(MONTH); var month = req.getParameter(MONTH);
if (month != null && !month.isBlank()){ if (month != null && !month.isBlank()){
map.put(MONTH,month); map.put(MONTH,month);
var user = Util.getUser(req);
map.put(MODERATOR,list.mayBeAlteredBy(user)); map.put(MODERATOR,list.mayBeAlteredBy(user));
} }
return loadTemplate(ARCHIVE,map,resp); return loadTemplate(ARCHIVE,map,resp);
@ -284,7 +287,7 @@ public class Web extends TemplateServlet {
if (list != null) data.put(LIST,list.minimalMap()); if (list != null) data.put(LIST,list.minimalMap());
switch (path){ switch (path){
case ARCHIVE: case ARCHIVE:
return archive(req,resp); return archive(list,user,req,resp);
case CONFIRM: case CONFIRM:
return confirm(req,resp); return confirm(req,resp);
case POST: case POST:

Write Preview
Loading…
Cancel
Save