Author: fdesbois
Date: 2012-04-25 12:39:47 +0200 (Wed, 25 Apr 2012)
New Revision: 3317
Url: http://chorem.org/repositories/revision/pollen/3317
Log:
fixes #535 : security on result page
Added:
trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/ResultAccessRequired.java
trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/security/result_access_required.jsp
Modified:
trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java
trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetInvitedPolls.java
trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetParticipatedPolls.java
trunk/pollen-ui-struts2/src/main/resources/shiro.ini
Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java
===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java 2012-04-25 09:37:55 UTC (rev 3316)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java 2012-04-25 10:39:47 UTC (rev 3317)
@@ -799,6 +799,21 @@
 }
 }
+ public void checkPollResult(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException {
+
+ String pollId = uri.getPollId();
+
+ Poll poll = getPollByPollId(pollId);
+
+ if (poll == null) {
+ throw new PollNotFoundException();
+ }
+
+ if (!poll.isPublicResults()) {
+ throw new UnauthorizedPollAccessException();
+ }
+ }
+
 public void checkPollAccount(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException {
 String pollId = uri.getPollId();
Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetInvitedPolls.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetInvitedPolls.java 2012-04-25 09:37:55 UTC (rev 3316)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetInvitedPolls.java 2012-04-25 10:39:47 UTC (rev 3317)
@@ -108,7 +108,11 @@
 protected Set<String> getPollFunctions(Poll poll) {
 Set<String> result = Sets.newHashSet();
 result.add("vote");
- result.add("result");
+ if (poll.isPublicResults()) {
+
+ // only if results are public
+ result.add("result");
+ }
 return result;
 }
Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetParticipatedPolls.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetParticipatedPolls.java 2012-04-25 09:37:55 UTC (rev 3316)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetParticipatedPolls.java 2012-04-25 10:39:47 UTC (rev 3317)
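Review bot: checkPollResult verifies only that the poll exists and publishes its results; it does not check that the caller holds a poll account, which is left to the caller (ResultAccessRequired in this commit does that by delegating to PollAccessRequired first). Because it sits next to checkPollAccount with an identical signature and neither carries Javadoc, a future caller could easily treat it as a complete access check; add `/** Checks that the poll behind {@code uri} exists and has public results; does not check the caller's account, combine with {@link #checkPollAccount(PollUri)}. */`. The lookup-and-null-check prefix also duplicates the start of checkPollAccount visible below, so a private helper returning the poll or throwing PollNotFoundException would let both share it. If poll creators are expected to see the non-public results of their own poll, this check denies them as well; confirm that this is the intended rule.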
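Review bot: The isPublicResults gate around result.add("result") only decides whether the client is shown the function; it is not an authorization control, and the same change is duplicated verbatim in GetParticipatedPolls (next hunk, @@ -102,7). Comment it as a hint so nobody later relies on it, for example replace the stray blank line and `// only if results are public` with `// UI hint only: access to results is enforced by the resultAccess filter in shiro.ini`. Consider moving the shared getPollFunctions into a common base class so the two copies (one protected, one private) cannot drift apart.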
@@ -102,7 +102,11 @@
 private Set<String> getPollFunctions(Poll poll) {
 Set<String> result = Sets.newHashSet();
 result.add("vote");
- result.add("result");
+ if (poll.isPublicResults()) {
+
+ // only if results are public
+ result.add("result");
+ }
 return result;
 }
 }
\ No newline at end of file
Added: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/ResultAccessRequired.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/ResultAccessRequired.java (rev 0)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/ResultAccessRequired.java 2012-04-25 10:39:47 UTC (rev 3317)
@@ -0,0 +1,93 @@
+/*
+ * #%L
+ * Pollen :: UI (strust2)
+ *
+ * $Id$
+ * $HeadURL$
+ * %%
+ * Copyright (C) 2009 - 2012 CodeLutin
+ * %%
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.chorem.pollen.ui.security;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.chorem.pollen.bean.PollUri;
+import org.chorem.pollen.services.PollenServiceContext;
+import org.chorem.pollen.services.exceptions.PollNotFoundException;
+import org.chorem.pollen.services.exceptions.UnauthorizedPollAccessException;
+import org.chorem.pollen.services.impl.PollService;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+
+public class ResultAccessRequired extends AbstractPollenAuthorization {
+
+ private static final Log log =
+ LogFactory.getLog(ResultAccessRequired.class);
+
+ protected final PollAccessRequired pollAccountFilter;
+
+ public ResultAccessRequired() {
+ pollAccountFilter = new PollAccessRequired();
+ }
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request,
+ ServletResponse response,
+ Object mappedValue) {
+
+ boolean isAccessAllowed;
+
+ // Must be a valid user
+ if (pollAccountFilter.isAccessAllowed(request, response, mappedValue)) {
+
+ PollUri pollUri = getPollUri(request);
+
+ PollenServiceContext serviceContext =
getServiceContext(request);
+
+ PollService pollService =
+ serviceContext.newService(PollService.class);
+
+ try {
+ pollService.checkPollResult(pollUri);
+ isAccessAllowed = true;
+
+ if (log.isDebugEnabled()) {
+ log.debug("Can display result for this poll " + pollUri.getPollId());
+ }
+ } catch (PollNotFoundException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("Poll not found!");
+ }
+ isAccessAllowed = false;
+ } catch (UnauthorizedPollAccessException e) {
+ if (log.isDebugEnabled()) {
+ log.debug("User can not access page");
+ }
+ isAccessAllowed = false;
+ }
+
+ } else {
+
+ isAccessAllowed = false;
+ }
+
+ return isAccessAllowed;
+ }
+
+}
Property changes on: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/ResultAccessRequired.java
___________________________________________________________________
Added: svn:keywords
+ Author Date Id Revision HeadURL
Added: svn:eol-style
+ native
Modified: trunk/pollen-ui-struts2/src/main/resources/shiro.ini
===================================================================
--- trunk/pollen-ui-struts2/src/main/resources/shiro.ini 2012-04-25 09:37:55 UTC (rev 3316)
+++ trunk/pollen-ui-struts2/src/main/resources/shiro.ini 2012-04-25 10:39:47 UTC (rev 3317)
@@ -15,6 +15,9 @@
 pollCreator=org.chorem.pollen.ui.security.PollCreatorRequired
 pollCreator.unauthorizedUrl=/security/poll_creator_required
+resultAccess=org.chorem.pollen.ui.security.ResultAccessRequired
+resultAccess.unauthorizedUrl=/security/result_access_required
+
 [urls]
 # anon urls
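Review bot: The two denial branches of isAccessAllowed (the PollNotFoundException and UnauthorizedPollAccessException catches) log fixed strings without the poll id, while the allow branch logs it; a denied result-page access is the event worth correlating later, so the id belongs in both: `log.debug("Poll not found: " + pollUri.getPollId());` and `log.debug("Results not public for poll " + pollUri.getPollId());` (the allow branch already assumes pollUri is non-null). The class has no Javadoc saying what it gates; `/** Shiro filter for /poll/results/**: requires a poll account (delegated to PollAccessRequired) and a poll whose results are public (PollService.checkPollResult). */` would do. Note that pollAccountFilter is built with new rather than taken from shiro.ini, so any property configured there on the pollAccess filter does not apply to this instance; harmless if isAccessAllowed needs none, which I cannot confirm from here. The nested if/else with the isAccessAllowed flag would also read more simply as early returns of false.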
@@ -40,7 +43,7 @@
 # is pollAccount (can vote and see result of a poll)
 /poll/votefor/**=poll,pollAccess
-/poll/results/**=poll,pollAccess
+/poll/results/**=poll,resultAccess
 # is pollCreator (can admin a poll)
 /poll/modification/**=poll,pollCreator
Added: trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/security/result_access_required.jsp
===================================================================
--- trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/security/result_access_required.jsp (rev 0)
+++ trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/security/result_access_required.jsp 2012-04-25 10:39:47 UTC (rev 3317)
@@ -0,0 +1,29 @@
+<%--
+ #%L
+ Pollen :: UI (strust2)
+
+ $Id$
+ $HeadURL$
+ %%
+ Copyright (C) 2009 - 2012 CodeLutin
+ %%
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Affero General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU Affero General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+ #L%
+ --%>
+<%@ page contentType="text/html;charset=UTF-8" language="java" %>
+<div class="info_error">
+ <ul class="actionErrors">
+ <li><span>Vous n'êtes pas autorisé à accéder à cette page de résultas.</span></li>
+ </ul>
+</div>
\ No newline at end of file
Property changes on: trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/security/result_access_required.jsp
___________________________________________________________________
Added: svn:keywords
+ Author Date Id Revision HeadURL
Added: svn:eol-style
+ native
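Review bot: The comment `# is pollAccount (can vote and see result of a poll)` directly above the changed line is now wrong, because /poll/results/** is switched to resultAccess while /poll/votefor/** stays on pollAccess. Change it to `# is pollAccount (can vote)` and add `# is resultAccess (poll account, and the poll's results are public)` immediately above the /poll/results/** line so the ini documents the new rule next to the mapping that enforces it.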
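Review bot: The user-facing message has a typo, `résultas` should read `résultats`. If the sibling security pages such as poll_creator_required take their text from a message bundle rather than hard-coding French, this page should follow the same convention; I cannot see those pages from here.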