author | Simon Rettberg | 2015-09-04 19:22:07 +0200 |
---|---|---|
committer | Simon Rettberg | 2015-09-04 19:22:07 +0200 |
commit | d18172067ab35d2721cb8764976d2753d6b37ba2 (patch) | |
tree | 9346669d6c4d6eb23d096abac92f1df5c5df66d0 /dozentenmodulserver/src/main/java/org/openslx/bwlp | |
parent | [client] Close details windows on save, 'Cancel' => 'Close' (diff) | |
download | tutor-module-d18172067ab35d2721cb8764976d2753d6b37ba2.tar.gz tutor-module-d18172067ab35d2721cb8764976d2753d6b37ba2.tar.xz tutor-module-d18172067ab35d2721cb8764976d2753d6b37ba2.zip |
[server] Sanitize permissions when saving/checking
Diffstat (limited to 'dozentenmodulserver/src/main/java/org/openslx/bwlp')
6 files changed, 55 insertions, 2 deletions
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
index 55613554..8cb8bb9e 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImage.java
@@ -549,6 +549,14 @@ public class DbImage {
 LocalImageVersion liv = new LocalImageVersion(imageVersionId, imageBaseId, filePath, fileSize, owner.userId, nowSecs, expireTime, true);
 DbLecture.autoUpdateUsedImage(connection, imageBaseId, liv);
+ // Update edit timestamp and edit user
+ MysqlStatement baseStmt = connection.prepareStatement("UPDATE imagebase SET"
+ + " updatetime = :updatetime, updaterid = :updaterid"
+ + " WHERE imagebaseid = :imagebaseid LIMIT 1");
+ baseStmt.setString("imagebaseid", imageBaseId);
+ baseStmt.setString("updaterid", owner.userId);
+ baseStmt.setLong("updatetime", nowSecs);
+ baseStmt.executeUpdate();
 // Make this version the latest version
 setLatestVersion(connection, imageBaseId, liv);
 connection.commit();
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
index 19562d4e..dcb0beb2 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbImagePermissions.java
@@ -9,6 +9,7 @@ import org.apache.log4j.Logger;
 import org.openslx.bwlp.sat.database.Database;
 import org.openslx.bwlp.sat.database.MysqlConnection;
 import org.openslx.bwlp.sat.database.MysqlStatement;
+import org.openslx.bwlp.sat.util.Sanitizer;
 import org.openslx.bwlp.thrift.iface.ImagePermissions;
 public class DbImagePermissions {
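Review bot: The result of `baseStmt.executeUpdate()` on the new imagebase update is discarded, so if no row matches `imageBaseId` the edit timestamp and updater stay stale while the new version is still made latest and committed; checking it, `if (baseStmt.executeUpdate() != 1) { connection.rollback(); throw new SQLException("imagebase not updated: " + imageBaseId); }` (assuming the method already declares SQLException, as its callers catch it), would surface that instead. The statement is also never closed within the hunk; if MysqlStatement is AutoCloseable, a try-with-resources around it makes the statement lifetime explicit rather than relying on the connection wrapper to clean up. The enclosing method starts before the hunk.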
@@ -114,6 +115,7 @@ public class DbImagePermissions {
 stmt.setString("baseid", imageBaseId);
 for (Map.Entry<String, ImagePermissions> entry : permissions.entrySet()) {
 ImagePermissions perm = entry.getValue();
+ perm = Sanitizer.handleImagePermissions(perm);
 stmt.setString("userid", entry.getKey());
 stmt.setBoolean("canlink", perm.link);
 stmt.setBoolean("candownload", perm.download);
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
index 77c7ea0d..7955308e 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/database/mappers/DbLecturePermissions.java
@@ -9,6 +9,7 @@ import org.apache.log4j.Logger;
 import org.openslx.bwlp.sat.database.Database;
 import org.openslx.bwlp.sat.database.MysqlConnection;
 import org.openslx.bwlp.sat.database.MysqlStatement;
+import org.openslx.bwlp.sat.util.Sanitizer;
 import org.openslx.bwlp.thrift.iface.LecturePermissions;
 public class DbLecturePermissions {
@@ -81,6 +82,7 @@ public class DbLecturePermissions {
 stmt.setString("lectureid", lectureId);
 for (Map.Entry<String, LecturePermissions> entry : permissions.entrySet()) {
 LecturePermissions perm = entry.getValue();
+ perm = Sanitizer.handleLecturePermissions(perm);
 stmt.setString("userid", entry.getKey());
 stmt.setBoolean("canedit", perm.edit);
 stmt.setBoolean("canadmin", perm.admin);
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
index 191a5f92..1d06b9bc 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/permissions/User.java
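Review bot: A null value in the `permissions` map is now converted by the sanitizer into a fresh `ImagePermissions` and written as an explicit per-user row, whereas before it would have failed at `perm.link`; if a null entry is a malformed request rather than a request for default permissions, it should be rejected or skipped before the sanitizer call, e.g. `if (entry.getValue() == null) continue;`. The same applies to the DbLecturePermissions hunk at -81. The user id from `entry.getKey()` is still written unchecked, so whether a non-existent user is caught presumably rests on a foreign key, which is worth confirming. The enclosing method starts before the hunk and continues past it.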
@@ -7,6 +7,7 @@ import org.openslx.bwlp.sat.database.mappers.DbLecture;
 import org.openslx.bwlp.sat.database.mappers.DbOrganization;
 import org.openslx.bwlp.sat.database.models.LocalOrganization;
 import org.openslx.bwlp.sat.database.models.LocalUser;
+import org.openslx.bwlp.sat.util.Sanitizer;
 import org.openslx.bwlp.thrift.iface.AuthorizationError;
 import org.openslx.bwlp.thrift.iface.ImageDetailsRead;
 import org.openslx.bwlp.thrift.iface.ImagePermissions;
@@ -385,6 +386,7 @@ public class User {
 if (lecture.userPermissions == null) {
 lecture.userPermissions = lecture.defaultPermissions;
 }
+ lecture.userPermissions = Sanitizer.handleLecturePermissions(lecture.userPermissions);
 }
 public static void setCombinedUserPermissions(LectureSummary lecture, UserInfo user) {
@@ -399,6 +401,7 @@ public class User {
 if (lecture.userPermissions == null) {
 lecture.userPermissions = lecture.defaultPermissions;
 }
+ lecture.userPermissions = Sanitizer.handleLecturePermissions(lecture.userPermissions);
 }
 private static boolean hasAllImagePermissions(UserInfo user, String imageOwnerId) {
@@ -431,6 +434,8 @@ public class User {
 userPerms.edit = false;
 userPerms.admin = false;
 }
+ } else {
+ userPerms = Sanitizer.handleImagePermissions(userPerms);
 }
 return userPerms;
 }
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
index 45334db3..72049beb 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/thrift/ServerHandler.java
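Review bot: In the -385 hunk the null fallback assigns the `defaultPermissions` object itself, and `Sanitizer.handleLecturePermissions` hands back that same instance when no flag had to be added, so after the new line `userPermissions` and `defaultPermissions` can alias; a later in-place edit of one (the `userPerms.edit = false` pattern in the -431 hunk shows such edits exist) would silently change the other as reported to the client. Copying at the fallback, `lecture.userPermissions = new LecturePermissions(lecture.defaultPermissions);`, removes the aliasing. The identical three-line sequence is repeated in the overload at -399, so a small private helper would keep both in step. The method containing each change begins before its hunk.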
@@ -147,7 +147,8 @@ public class ServerHandler implements SatelliteServer.Iface {
 } catch (SQLException e) {
 throw new TInvocationException();
 }
- TransferInformation ti = new TransferInformation(transfer.getId(), fileServer.getPlainPort(), fileServer.getSslPort());
+ TransferInformation ti = new TransferInformation(transfer.getId(), fileServer.getPlainPort(),
+ fileServer.getSslPort());
 ti.setBlockHashes(imageVersion.sha1sums);
 ti.setMachineDescription(imageVersion.machineDescription);
 return ti;
@@ -300,6 +301,7 @@ public class ServerHandler implements SatelliteServer.Iface {
 // TODO: Should other fields be validated? Most fields should be protected by fk constraints,
 // but the user would only get a generic error, with no hint at the actual problem.
 // The update routine will make sure only the super user can change the template flag
+ newData.defaultPermissions = Sanitizer.handleImagePermissions(newData.defaultPermissions);
 DbImage.updateImageMetadata(user, imageBaseId, newData);
 } catch (SQLException e1) {
 throw new TInvocationException();
@@ -464,6 +466,7 @@ public class ServerHandler implements SatelliteServer.Iface {
 UserInfo user = SessionManager.getOrFail(userToken);
 User.canEditLectureOrFail(user, lectureId);
 Sanitizer.handleLectureDates(lecture);
+ lecture.defaultPermissions = Sanitizer.handleLecturePermissions(lecture.defaultPermissions);
 try {
 DbLecture.update(user, lectureId, lecture);
 } catch (SQLException e) {
@@ -548,7 +551,7 @@ public class ServerHandler implements SatelliteServer.Iface {
 @Override
 public List<UserInfo> getUserList(String userToken, int page) throws TAuthorizationException, TInvocationException {
- UserInfo user = SessionManager.getOrFail(userToken);
+ SessionManager.getOrFail(userToken);
 try {
 return DbUser.getAll(page);
 } catch (SQLException e) {
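Review bot: In the -464 hunk, `Sanitizer.handleLectureDates(lecture)` normalizes the lecture in place while the new `Sanitizer.handleLecturePermissions` returns a replacement the caller must assign back, so two adjacent sanitizer calls follow different conventions and a forgotten assignment would compile and silently skip the normalization. A void overload that takes the `LectureWrite` and assigns `defaultPermissions` itself, or at least a comment on the new line such as `// returns a copy when flags had to be added; the assignment is required`, would make the contract visible; the image-side call at -300 has the same shape. Both enclosing methods start before their hunks.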
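Review bot: After the -548 change getUserList only verifies that `userToken` maps to a live session; the returned `UserInfo` feeds no authorization decision, so every authenticated client can page through the complete user directory. If that is intended, a comment next to the call, `// Any authenticated user may list users; no further authorization applies`, documents it; if not, the dropped local should come back and be checked with a `User` helper like the `canEditLectureOrFail` used at -464. The method's body continues past the hunk.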
diff --git a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
index 52a32288..8ce4df5c 100644
--- a/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
+++ b/dozentenmodulserver/src/main/java/org/openslx/bwlp/sat/util/Sanitizer.java
@@ -2,6 +2,8 @@ package org.openslx.bwlp.sat.util;
 import org.openslx.bwlp.sat.RuntimeConfig;
 import org.openslx.bwlp.thrift.iface.DateParamError;
+import org.openslx.bwlp.thrift.iface.ImagePermissions;
+import org.openslx.bwlp.thrift.iface.LecturePermissions;
 import org.openslx.bwlp.thrift.iface.LectureWrite;
 import org.openslx.bwlp.thrift.iface.TInvalidDateParam;
@@ -64,4 +66,35 @@ public class Sanitizer {
 throw new TInvalidDateParam(DateParamError.TOO_HIGH, "Expiry date lies too far in the future");
 }
+ /**
+ * Set consistent state for lecture permissions on writing.
+ */
+ public static LecturePermissions handleLecturePermissions(LecturePermissions perms) {
+ if (perms == null)
+ return new LecturePermissions();
+ if (perms.admin && !perms.edit) {
+ perms = new LecturePermissions(perms);
+ perms.edit = true;
+ }
+ return perms;
+ }
+
+ /**
+ * Set consistent state for image permissions on writing.
+ */
+ public static ImagePermissions handleImagePermissions(ImagePermissions perms) {
+ if (perms == null)
+ return new ImagePermissions();
+ if (perms.admin && (!perms.edit || !perms.download || !perms.link)) {
+ perms = new ImagePermissions(perms);
+ perms.edit = true;
+ perms.download = true;
+ perms.link = true;
+ } else if (perms.edit && !perms.download) {
+ perms = new ImagePermissions(perms);
+ perms.download = true;
+ }
+ return perms;
+ }
+
 }
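Review bot: `handleImagePermissions` enforces admin ⇒ edit/download/link and edit ⇒ download but not edit ⇒ link, so a struct with edit=true, link=false passes through unchanged while admin=true, link=false gets link set; if the intended ordering is admin > edit > download > link, the `else if` branch should also set `perms.link = true;`, otherwise the asymmetry deserves a comment saying link is independent of edit. Both Javadocs should state the contract callers rely on: the sanitizer only ever adds implied flags and never removes any, a null input yields a fresh default object, and a non-null input is returned as the same instance unless a flag had to be added, in which case a copy is returned and the argument is left untouched. The brace-less `if (perms == null) return ...;` differs from the braced style used in the rest of the hunk.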