
improved permission checks on archive

Signed-off-by: Stephan Richter <s.richter@srsoftware.de>
main
Stephan Richter 8 months ago
parent
commit
0a1e210503
  1. 12
      src/main/java/de/srsoftware/widerhall/data/MailingList.java
  2. 51
      src/main/java/de/srsoftware/widerhall/web/Rest.java
  3. 11
      src/main/java/de/srsoftware/widerhall/web/Web.java

12
src/main/java/de/srsoftware/widerhall/data/MailingList.java

@ -187,7 +187,7 @@ public class MailingList implements MessageHandler, ProblemListener {
} }
private void forward(Message message, Stream<ListMember> members) throws MessagingException { private void forward(Message message, Stream<ListMember> members) throws MessagingException {
if (hasState(STATE_PUBLIC_ARCHIVE)) storeMessage(message); if (hasPublicArchive()) storeMessage(message);
String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null; String newSender = !hasState(STATE_FORWARD_FROM) ? email() : null;
var receivers = members var receivers = members
.map(ListMember::user) .map(ListMember::user)
@ -238,6 +238,10 @@ public class MailingList implements MessageHandler, ProblemListener {
return ml; return ml;
} }
public boolean hasPublicArchive() {
return hasState(STATE_PUBLIC_ARCHIVE);
}
public boolean hasState(int test){ public boolean hasState(int test){
return (state & test) > 0; return (state & test) > 0;
} }
@ -603,9 +607,9 @@ public class MailingList implements MessageHandler, ProblemListener {
if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN); if (hasState(STATE_FORWARD_ATTACHED)) map.put(t("forward_attached"),HIDDEN);
if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN); if (hasState(STATE_HIDE_RECEIVERS)) map.put(t("hide_receivers"),HIDDEN);
if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN); if (hasState(STATE_REPLY_TO_LIST)) map.put(t("reply_to_list"),HIDDEN);
if (hasState(STATE_OPEN_FOR_GUESTS)) map.put(t("open_for_guests"),HIDDEN); if (isOpenForGuests()) map.put(t("open_for_guests"),HIDDEN);
if (hasState(STATE_OPEN_FOR_SUBSCRIBERS)) map.put(t("open_for_subscribers"),HIDDEN); if (isOpenForSubscribers()) map.put(t("open_for_subscribers"),HIDDEN);
if (hasState(STATE_PUBLIC_ARCHIVE)) map.put(t("archive"),VISIBLE); if (hasPublicArchive()) map.put(t("archive"),VISIBLE);
return map; return map;
} }
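Review bot: `hasPublicArchive()` (the new method following `return ml; }`) carries no Javadoc although it now decides both whether `forward()` stores a message at all and, via `Rest.archive` and `Web.archive`, who may read the stored messages. A one-liner such as `/** @return true if STATE_PUBLIC_ARCHIVE is set: incoming messages are stored and the archive may be read without moderator rights. */` would pin that contract next to the sibling checks `isOpenForGuests()` and `isOpenForSubscribers()` used further down in the same file. The hunk ending in `map.put(t("archive"),VISIBLE)` belongs to a method whose start lies outside the hunk.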

51
src/main/java/de/srsoftware/widerhall/web/Rest.java

@ -13,6 +13,7 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.NotAllowedException;
import java.io.IOException; import java.io.IOException;
import java.sql.SQLException; import java.sql.SQLException;
import java.util.HashMap; import java.util.HashMap;
@ -62,31 +63,29 @@ public class Rest extends HttpServlet {
return Map.of(SUCCESS,"Updated user permissions"); return Map.of(SUCCESS,"Updated user permissions");
} }
private Map<String,Object> archive(HttpServletRequest req, User user){ private Map<String,Object> archive(HttpServletRequest req, User user) throws SQLException {
var list = Util.getMailingList(req); var list = Util.getMailingList(req);
if (list != null){ if (list == null) throw new IllegalArgumentException(t("You are trying to access a non-existing list!"));
try { var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS); if (!allowed) throw new NotAllowedException(t("You are not allowed to access the archive of this list!"));
var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
var allEmails = user != null || list.hasState(STATE_OPEN_FOR_SUBSCRIBERS) || list.hasState(STATE_OPEN_FOR_GUESTS);
String month = req.getParameter(MONTH); var limitedSenders = allEmails ? null : list.moderators().map(ListMember::user).map(User::email).toList();
boolean userIsMod = list.mayBeAlteredBy(user);
if (month == null || month.isBlank()) { boolean userIsMod = list.mayBeAlteredBy(user);
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders)); String month = req.getParameter(MONTH);
} else { if (month == null || month.isBlank()) return Map.of(LIST,list.email(),MODERATOR,userIsMod,"summary",Post.summarize(list,limitedSenders));
return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList()); return Map.of(LIST,list.email(),MODERATOR,userIsMod,"posts",Post.find(list,month,limitedSenders).stream().map(Post::safeMap).toList());
}
} catch (SQLException e) {
e.printStackTrace();
}
}
LOG.debug("list: {}",list.email());
return Map.of();
} }
@Override @Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
String error = handleGet(req, resp); String error;
try {
error = handleGet(req, resp);
} catch (SQLException e) {
error = e.getMessage();
}
if (error != null) resp.sendError(400,error); if (error != null) resp.sendError(400,error);
} }
@ -166,7 +165,7 @@ public class Rest extends HttpServlet {
} }
} }
public String handleGet(HttpServletRequest req, HttpServletResponse resp){ public String handleGet(HttpServletRequest req, HttpServletResponse resp) throws SQLException {
var user = Util.getUser(req); var user = Util.getUser(req);
var path = Util.getPath(req); var path = Util.getPath(req);
@ -176,9 +175,6 @@ public class Rest extends HttpServlet {
json.put(USER,user.safeMap()); json.put(USER,user.safeMap());
switch (path) { switch (path) {
case LIST_ARCHIVE: case LIST_ARCHIVE:
var list = Util.getMailingList(req);
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE) || list.mayBeAlteredBy(user);
if (!allowed) return t("Sie sind nicht berechtigt, das Archiv dieser Liste einzusehen!");
json.put("archive",archive(req,user)); json.put("archive",archive(req,user));
break; break;
case USER_LIST: case USER_LIST:
@ -202,10 +198,7 @@ public class Rest extends HttpServlet {
} else { } else {
switch (path) { switch (path) {
case LIST_ARCHIVE: case LIST_ARCHIVE:
var list = Util.getMailingList(req); json.put("archive",archive(req,null));
var allowed = list.hasState(STATE_PUBLIC_ARCHIVE);
if (!allowed) return t("This mailing list has no public archive!");
json.put("archive",archive(req,user));
break; break;
case LIST_SUBSCRIBABLE: case LIST_SUBSCRIBABLE:
json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList()); json.put("lists", MailingList.subscribable().stream().map(MailingList::minimalMap).toList());
@ -337,7 +330,7 @@ public class Rest extends HttpServlet {
if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true); if (list.hasState(MailingList.STATE_REPLY_TO_LIST)) map.put(KEY_REPLY_TO_LIST,true);
if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true); if (list.isOpenForGuests()) map.put(KEY_OPEN_FOR_GUESTS,true);
if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true); if (list.isOpenForSubscribers()) map.put(KEY_OPEN_FOR_SUBSCRIBERS,true);
if (list.hasState(MailingList.STATE_PUBLIC_ARCHIVE)) map.put(KEY_ARCHIVE,true); if (list.hasPublicArchive()) map.put(KEY_ARCHIVE,true);
if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true); if (list.hasState(STATE_MODS_CAN_EDIT_MODS)) map.put(KEY_MODS_CAN_EDIT_MODS,true);
if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime()); if (list.holdTime() != null) map.put(KEY_DELETE_MESSAGES,list.holdTime());
return map; return map;
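Review bot: `archive()` now signals denial with `NotAllowedException` and a missing list with `IllegalArgumentException` (the two `throw` lines right after `var list = Util.getMailingList(req)`), but `doGet` only catches `SQLException`, so both unchecked exceptions escape the servlet and surface as a container 500 page instead of the 400 with a translated message that the removed `return t(...)` branches in `handleGet` produced. `javax.ws.rs.NotAllowedException` also models HTTP 405 and pulls the JAX-RS API into a plain servlet; `javax.ws.rs.ForbiddenException` or a small project exception expresses the intended 403. In the same hunk, `error = e.getMessage()` in `doGet` returns the raw SQL driver message to the client with status 400, which discloses query and schema details; log the exception and send a generic message instead. The sketch below maps the three cases to 403, 404 and 500; whether other `IllegalArgumentException`s can reach `handleGet` is not visible here, so the 404 mapping may need a dedicated exception type.
```java
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    String error;
    try {
        error = handleGet(req, resp);
    } catch (NotAllowedException e) {
        resp.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
        return;
    } catch (IllegalArgumentException e) {
        resp.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
        return;
    } catch (SQLException e) {
        LOG.error("handleGet failed", e); // keep driver/schema details out of the response
        resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, t("Internal error"));
        return;
    }
    if (error != null) resp.sendError(400, error);
}
```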

11
src/main/java/de/srsoftware/widerhall/web/Web.java

@ -133,15 +133,18 @@ public class Web extends TemplateServlet {
} }
} }
private String archive(HttpServletRequest req, HttpServletResponse resp) { private String archive(MailingList list, User user, HttpServletRequest req, HttpServletResponse resp) {
if (list == null) return t("The mailing list you are trying to view does not exist!");
var allowed = list.hasPublicArchive() || list.mayBeAlteredBy(user);
if (!allowed) return t("You are not allowed to access the archive of this list");
var map = new HashMap<String,Object>(); var map = new HashMap<String,Object>();
var list = Util.getMailingList(req);
map.put(LIST,list.email()); map.put(LIST,list.email());
var month = req.getParameter(MONTH); var month = req.getParameter(MONTH);
if (month != null && !month.isBlank()){ if (month != null && !month.isBlank()){
map.put(MONTH,month); map.put(MONTH,month);
var user = Util.getUser(req);
map.put(MODERATOR,list.mayBeAlteredBy(user)); map.put(MODERATOR,list.mayBeAlteredBy(user));
} }
return loadTemplate(ARCHIVE,map,resp); return loadTemplate(ARCHIVE,map,resp);
@ -284,7 +287,7 @@ public class Web extends TemplateServlet {
if (list != null) data.put(LIST,list.minimalMap()); if (list != null) data.put(LIST,list.minimalMap());
switch (path){ switch (path){
case ARCHIVE: case ARCHIVE:
return archive(req,resp); return archive(list,user,req,resp);
case CONFIRM: case CONFIRM:
return confirm(req,resp); return confirm(req,resp);
case POST: case POST:
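Review bot: the two denial branches of the reworked `archive(MailingList list, User user, ...)` return `t(...)` strings through the same return path as the rendered template, and nothing in the hunk sets a status on `resp`, so a non-existing or non-public list is presumably answered with 200 and an error text in the body; if the caller does not translate the string into a status, `resp.setStatus(HttpServletResponse.SC_FORBIDDEN)` (and `SC_NOT_FOUND` for the `list == null` case) before the `return` would let clients and monitoring tell the cases apart. The message `"You are not allowed to access the archive of this list"` also lacks the trailing `!` of its counterpart in `Rest.archive`, which matters if both strings feed the same translation table through `t()`. The closing brace of `archive` and, in the second hunk, the start of the method around `return archive(list,user,req,resp);` and the definition of `user` lie outside the view.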
