authorSimon Rettberg2015-09-04 19:22:07 +0200
committerSimon Rettberg2015-09-04 19:22:07 +0200
commitd18172067ab35d2721cb8764976d2753d6b37ba2 (patch)
tree9346669d6c4d6eb23d096abac92f1df5c5df66d0 /dozentenmodulserver/src/main/java/org/openslx/bwlp
parent[client] Close details windows on save, 'Cancel' => 'Close' (diff)
[server] Sanitize permissions when saving/checking
Diffstat (limited to 'dozentenmodulserver/src/main/java/org/openslx/bwlp')
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java8
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java2
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java2
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java5
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java7
-rw-r--r--dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java33
6 files changed, 55 insertions, 2 deletions
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
index 55613554..8cb8bb9e 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
@@ -549,6 +549,14 @@ public class DbImage {
LocalImageVersion liv = new LocalImageVersion(imageVersionId, imageBaseId, filePath, fileSize,
owner.userId, nowSecs, expireTime, true);
DbLecture.autoUpdateUsedImage(connection, imageBaseId, liv);
+ // Update edit timestamp and edit user
+ MysqlStatement baseStmt = connection.prepareStatement("UPDATE imagebase SET"
+ + " updatetime = :updatetime, updaterid = :updaterid"
+ + " WHERE imagebaseid = :imagebaseid LIMIT 1");
+ baseStmt.setString("imagebaseid", imageBaseId);
+ baseStmt.setString("updaterid", owner.userId);
+ baseStmt.setLong("updatetime", nowSecs);
+ baseStmt.executeUpdate();
// Make this version the latest version
setLatestVersion(connection, imageBaseId, liv);
connection.commit();
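Review bot: The row count returned by `baseStmt.executeUpdate()` is discarded, so if no `imagebase` row matches `imageBaseId`, the edit timestamp and `updaterid` stay stale while the transaction still commits. These columns record who last changed an image, so I would capture the result with `int rows = baseStmt.executeUpdate();` and log or abort when it is not 1. The enclosing method starts and ends outside the hunk, so an earlier check may already guarantee that the row exists.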
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
index 19562d4e..dcb0beb2 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
@@ -9,6 +9,7 @@ import org.apache.log4j.Logger;
import org.openslx.bwlp.sat.database.Database;
import org.openslx.bwlp.sat.database.MysqlConnection;
import org.openslx.bwlp.sat.database.MysqlStatement;
+import org.openslx.bwlp.sat.util.Sanitizer;
import org.openslx.bwlp.thrift.iface.ImagePermissions;
public class DbImagePermissions {
@@ -114,6 +115,7 @@ public class DbImagePermissions {
stmt.setString("baseid", imageBaseId);
for (Map.Entry<String, ImagePermissions> entry : permissions.entrySet()) {
ImagePermissions perm = entry.getValue();
+ perm = Sanitizer.handleImagePermissions(perm);
stmt.setString("userid", entry.getKey());
stmt.setBoolean("canlink", perm.link);
stmt.setBoolean("candownload", perm.download);
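Review bot: A null map value is now written as a row of default flags, because `handleImagePermissions` returns `new ImagePermissions()` for null. If a null entry can only come from a malformed client request, skipping or rejecting it would be safer than storing it. The same applies to the `handleLecturePermissions` call in the `DbLecturePermissions` hunk. As a style point, the two lines can be merged into `ImagePermissions perm = Sanitizer.handleImagePermissions(entry.getValue());`. The loop body continues outside the hunk.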
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
index 77c7ea0d..7955308e 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
@@ -9,6 +9,7 @@ import org.apache.log4j.Logger;
import org.openslx.bwlp.sat.database.Database;
import org.openslx.bwlp.sat.database.MysqlConnection;
import org.openslx.bwlp.sat.database.MysqlStatement;
+import org.openslx.bwlp.sat.util.Sanitizer;
import org.openslx.bwlp.thrift.iface.LecturePermissions;
public class DbLecturePermissions {
@@ -81,6 +82,7 @@ public class DbLecturePermissions {
stmt.setString("lectureid", lectureId);
for (Map.Entry<String, LecturePermissions> entry : permissions.entrySet()) {
LecturePermissions perm = entry.getValue();
+ perm = Sanitizer.handleLecturePermissions(perm);
stmt.setString("userid", entry.getKey());
stmt.setBoolean("canedit", perm.edit);
stmt.setBoolean("canadmin", perm.admin);
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
index 191a5f92..1d06b9bc 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
@@ -7,6 +7,7 @@ import org.openslx.bwlp.sat.database.mappers.DbLecture;
import org.openslx.bwlp.sat.database.mappers.DbOrganization;
import org.openslx.bwlp.sat.database.models.LocalOrganization;
import org.openslx.bwlp.sat.database.models.LocalUser;
+import org.openslx.bwlp.sat.util.Sanitizer;
import org.openslx.bwlp.thrift.iface.AuthorizationError;
import org.openslx.bwlp.thrift.iface.ImageDetailsRead;
import org.openslx.bwlp.thrift.iface.ImagePermissions;
@@ -385,6 +386,7 @@ public class User {
if (lecture.userPermissions == null) {
lecture.userPermissions = lecture.defaultPermissions;
}
+ lecture.userPermissions = Sanitizer.handleLecturePermissions(lecture.userPermissions);
}
public static void setCombinedUserPermissions(LectureSummary lecture, UserInfo user) {
@@ -399,6 +401,7 @@ public class User {
if (lecture.userPermissions == null) {
lecture.userPermissions = lecture.defaultPermissions;
}
+ lecture.userPermissions = Sanitizer.handleLecturePermissions(lecture.userPermissions);
}
private static boolean hasAllImagePermissions(UserInfo user, String imageOwnerId) {
@@ -431,6 +434,8 @@ public class User {
userPerms.edit = false;
userPerms.admin = false;
}
+ } else {
+ userPerms = Sanitizer.handleImagePermissions(userPerms);
}
return userPerms;
}
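Review bot: The sanitizer call sits only in the `else` of the outer condition, so `userPerms` is returned without normalisation when the outer condition holds but the inner block that clears `edit` and `admin` is skipped. Normalising at the single exit with `return Sanitizer.handleImagePermissions(userPerms);` would cover every path. It cannot re-grant what the inner block removed, because the sanitizer only adds flags implied by `admin` or `edit`. Both conditions start outside the hunk, so that path may be unreachable in practice; if so, a short comment saying that would help.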
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
index 45334db3..72049beb 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
@@ -147,7 +147,8 @@ public class ServerHandler implements SatelliteServer.Iface {
} catch (SQLException e) {
throw new TInvocationException();
}
- TransferInformation ti = new TransferInformation(transfer.getId(), fileServer.getPlainPort(), fileServer.getSslPort());
+ TransferInformation ti = new TransferInformation(transfer.getId(), fileServer.getPlainPort(),
+ fileServer.getSslPort());
ti.setBlockHashes(imageVersion.sha1sums);
ti.setMachineDescription(imageVersion.machineDescription);
return ti;
@@ -300,6 +301,7 @@ public class ServerHandler implements SatelliteServer.Iface {
// TODO: Should other fields be validated? Most fields should be protected by fk constraints,
// but the user would only get a generic error, with no hint at the actual problem.
// The update routine will make sure only the super user can change the template flag
+ newData.defaultPermissions = Sanitizer.handleImagePermissions(newData.defaultPermissions);
DbImage.updateImageMetadata(user, imageBaseId, newData);
} catch (SQLException e1) {
throw new TInvocationException();
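Review bot: `defaultPermissions` is normalised here in the Thrift handler, whereas the per-user permission maps are normalised inside the DB mappers, so any other caller of `DbImage.updateImageMetadata` would store the default permissions unsanitized. Moving the call into the mapper, as done in `DbImagePermissions`, keeps the invariant at the point of writing. The same applies to `lecture.defaultPermissions` before `DbLecture.update` in the next hunk. Also, `newData` is dereferenced without a visible null check; the start of the method is outside the hunk, so this may already be handled above.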
@@ -464,6 +466,7 @@ public class ServerHandler implements SatelliteServer.Iface {
UserInfo user = SessionManager.getOrFail(userToken);
User.canEditLectureOrFail(user, lectureId);
Sanitizer.handleLectureDates(lecture);
+ lecture.defaultPermissions = Sanitizer.handleLecturePermissions(lecture.defaultPermissions);
try {
DbLecture.update(user, lectureId, lecture);
} catch (SQLException e) {
@@ -548,7 +551,7 @@ public class ServerHandler implements SatelliteServer.Iface {
@Override
public List<UserInfo> getUserList(String userToken, int page) throws TAuthorizationException,
TInvocationException {
- UserInfo user = SessionManager.getOrFail(userToken);
+ SessionManager.getOrFail(userToken);
try {
return DbUser.getAll(page);
} catch (SQLException e) {
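Review bot: With the unused local dropped, `SessionManager.getOrFail(userToken);` reads like a no-op and is easy to delete in a later cleanup, although it is the only authentication check visible in this method. A comment such as `// Throws if the token has no valid session; result not needed` would make its purpose explicit. The hunk also shows no check on `page` before `DbUser.getAll(page)`; whether the mapper rejects negative values cannot be seen here.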
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
index 52a32288..8ce4df5c 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
@@ -2,6 +2,8 @@ package org.openslx.bwlp.sat.util;
import org.openslx.bwlp.sat.RuntimeConfig;
import org.openslx.bwlp.thrift.iface.DateParamError;
+import org.openslx.bwlp.thrift.iface.ImagePermissions;
+import org.openslx.bwlp.thrift.iface.LecturePermissions;
import org.openslx.bwlp.thrift.iface.LectureWrite;
import org.openslx.bwlp.thrift.iface.TInvalidDateParam;
@@ -64,4 +66,35 @@ public class Sanitizer {
throw new TInvalidDateParam(DateParamError.TOO_HIGH, "Expiry date lies too far in the future");
}
+ /**
+ * Set consistent state for lecture permissions on writing.
+ */
+ public static LecturePermissions handleLecturePermissions(LecturePermissions perms) {
+ if (perms == null)
+ return new LecturePermissions();
+ if (perms.admin && !perms.edit) {
+ perms = new LecturePermissions(perms);
+ perms.edit = true;
+ }
+ return perms;
+ }
+
+ /**
+ * Set consistent state for image permissions on writing.
+ */
+ public static ImagePermissions handleImagePermissions(ImagePermissions perms) {
+ if (perms == null)
+ return new ImagePermissions();
+ if (perms.admin && (!perms.edit || !perms.download || !perms.link)) {
+ perms = new ImagePermissions(perms);
+ perms.edit = true;
+ perms.download = true;
+ perms.link = true;
+ } else if (perms.edit && !perms.download) {
+ perms = new ImagePermissions(perms);
+ perms.download = true;
+ }
+ return perms;
+ }
+
}
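Review bot: The Javadoc on both methods says "on writing", but this commit also calls them on the check path in `User.java`, and neither comment states the rule being enforced. I would document it, e.g. `admin implies edit, download and link; edit implies download`, and note that the input is never modified: a copy is returned when a flag has to be added, and a new default-constructed object for `null`. Inconsistent input is always resolved by adding the implied flags, never by removing `admin`, so a stored row with only `admin` set now effectively grants the lower rights as well; that seems intended but deserves a sentence. The `null` case relies on the Thrift-generated defaults being all false, which is not visible in this diff.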