r3505 - in trunk: pollen-services/src/main/java/org/chorem/pollen/services/impl pollen-services/src/main/resources/i18n pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/poll
Author: tchemit Date: 2012-06-18 09:58:19 +0200 (Mon, 18 Jun 2012) New Revision: 3505 Url: http://chorem.org/repositories/revision/pollen/3505 Log: continue security stuff Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java trunk/pollen-services/src/main/resources/i18n/pollen-services_en_GB.properties trunk/pollen-services/src/main/resources/i18n/pollen-services_fr_FR.properties trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetPollComments.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/SummaryPoll.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/AbstractPollenAuthorization.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollCreatorAccessRequired.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollVoteAccessRequired.java trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/poll/vote.jsp Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java =================================================================== --- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-06-18 07:58:19 UTC (rev 3505) 
@@ -29,8 +29,6 @@ import org.chorem.pollen.PollenTechnicalException; import org.chorem.pollen.bean.PollUri; import org.chorem.pollen.business.persistence.Comment; -import org.chorem.pollen.business.persistence.PersonToList; -import org.chorem.pollen.business.persistence.PersonToListDAO; import org.chorem.pollen.business.persistence.Poll; import org.chorem.pollen.business.persistence.PollAccount; import org.chorem.pollen.business.persistence.PollAccountDAO; @@ -38,8 +36,6 @@ import org.chorem.pollen.business.persistence.Vote; import org.chorem.pollen.common.PollType; import org.chorem.pollen.services.PollenServiceSupport; -import org.chorem.pollen.services.exceptions.PollNotFoundException; -import org.chorem.pollen.services.exceptions.UnauthorizedPollAccessException; import org.nuiton.topia.TopiaException; import java.util.Date; @@ -55,9 +51,8 @@ */ public class SecurityService extends PollenServiceSupport { - public boolean isCreator(Poll poll, - PollUri uriId, - UserAccount pollenUserAccount) { + public boolean isPollCreator(Poll poll, PollUri uriId, + UserAccount pollenUserAccount) { PollAccount creator = poll.getCreator(); @@ -71,6 +66,7 @@ return result; } + /** * To define meaning of a accountId. * 
@@ -102,114 +98,83 @@ AccountIdRole.CREATOR ); - public void checkPoll(PollUri uri) throws PollNotFoundException { +// public void checkPoll(PollUri uri) throws PollNotFoundException { +// +// getExistingPoll(uri); +// } - getExistingPoll(uri); - } +// public void checkPollResult(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException { +// +// Poll poll = getExistingPoll(uri); +// +// if (!poll.isPublicResults()) { +// throw new UnauthorizedPollAccessException(); +// } +// } - public void checkPollResult(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException { +// public void checkPollAccount(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException { +// +// +// String accountId = uri.getAccountId(); +// +// Poll poll = getExistingPoll(uri); +// +// PollAccountDAO dao = getDAO(PollAccount.class); +// +// String pollId = uri.getPollId(); +// +// if (poll.getPollType() == PollType.FREE) { +// +// // free poll +// if (accountId != null) { +// +// // account Id is given check there is a such vote for this account +// +// try { +// +// if (!dao.existsByPollVoteAccountId(pollId, accountId)) { +// throw new UnauthorizedPollAccessException(); +// } +// } catch (TopiaException e) { +// throw new PollenTechnicalException( +// "Could not check pollAccount existence from poll '" + +// pollId + "' and account '" + accountId + "'", e); +// } +// } +// } else { +// +// // check that uri contains a correct poll account for this +// +// // Use PersonToList association entity to find coherence between +// // the poll and votingId +// +// try { +// PollAccount result = +// dao.getRestrictedPollAccount(pollId, accountId); +// +// if (result == null) { +// throw new UnauthorizedPollAccessException(); +// } +// } catch (TopiaException e) { +// throw new PollenTechnicalException( +// "Could not obtain restricted pollAccount", e); +// } +// } +// } - Poll poll = getExistingPoll(uri); +// public void checkPollCreator(PollUri uri) 
throws PollNotFoundException, UnauthorizedPollAccessException { +// +// String accountId = uri.getAccountId(); +// +// Poll poll = getExistingPoll(uri); +// +// String creatorId = poll.getCreator().getAccountId(); +// +// if (!creatorId.equals(accountId)) { +// throw new UnauthorizedPollAccessException(); +// } +// } - if (!poll.isPublicResults()) { - throw new UnauthorizedPollAccessException(); - } - } - - public void checkPollAccount(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException { - - - String accountId = uri.getAccountId(); - - Poll poll = getExistingPoll(uri); - - PollAccountDAO dao = getDAO(PollAccount.class); - - String pollId = uri.getPollId(); - - if (poll.getPollType() == PollType.FREE) { - - // free poll - if (accountId != null) { - - // account Id is given check there is a such vote for this account - - try { - - if (!dao.existsByPollVoteAccountId(pollId, accountId)) { - throw new UnauthorizedPollAccessException(); - } - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - pollId + "' and account '" + accountId + "'", e); - } - } - } else { - - // check that uri contains a correct poll account for this - - // Use PersonToList association entity to find coherence between - // the poll and votingId - - try { - PollAccount result = - dao.getRestrictedPollAccount(pollId, accountId); - - if (result == null) { - throw new UnauthorizedPollAccessException(); - } - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not obtain restricted pollAccount", e); - } - } - } - - public void checkPollCreator(PollUri uri) throws PollNotFoundException, UnauthorizedPollAccessException { - - String accountId = uri.getAccountId(); - - Poll poll = getExistingPoll(uri); - - String creatorId = poll.getCreator().getAccountId(); - - if (!creatorId.equals(accountId)) { - throw new UnauthorizedPollAccessException(); - } - } - - private boolean 
isVoterAccountId(PollAccountDAO dao, PollUri uri) { - try { - - return dao.existsByPollVoteAccountId(uri.getPollId(), uri.getAccountId()); - - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); - } - } - - private boolean isRestrictPollAccountId(PollAccountDAO dao, PollUri uri) { - try { - - PollAccount result = - dao.getRestrictedPollAccount(uri.getPollId(), uri.getAccountId()); - - return result != null; - - } catch (TopiaException e) { - throw new PollenTechnicalException( - "Could not check pollAccount existence from poll '" + - uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); - } - } - - protected Poll getExistingPoll(PollUri uri) throws PollNotFoundException { - return newService(PollService.class).getExistingPollByPollId(uri.getPollId()); - } - public AccountIdRole getAccountIdRole(Poll poll, String accountId) { Preconditions.checkNotNull(poll); @@ -249,8 +214,8 @@ return result; } - public String isCanShowResult(Poll poll, - SecurityService.AccountIdRole accountIdRole) { + public String isCanAccessResult(Poll poll, + SecurityService.AccountIdRole accountIdRole) { // check now poll results can be displayed 
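Review bot: The removed `checkPoll`, `checkPollResult`, `checkPollAccount` and `checkPollCreator` methods are kept as a long run of `//`-commented code instead of being deleted. The later hunk at `@@ -282,104 +247,316 @@` does the same with `isVoteAllowed`, `isUpdateAllowed` and the old `isCanDeleteComment`. In an authorization service, dead copies of old rules are easy to mistake for the active policy during an audit, and rev 3504 already preserves them. I would delete the commented blocks and, if a pointer is wanted, leave a single line such as `// former check*/isVoteAllowed rules replaced by the isCan* methods (see rev 3504)`.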
@@ -282,104 +247,316 @@ return null; } - /** - * Vote is allowed if {@code poll} is running and {@code pollAccount} is - * defined in the {@code poll} restricted list if it's not a {@link PollType#FREE} - * poll. The account must be defined previously using - * {@link PollService#getPollAccountEditable(String, UserAccount, Poll)} to - * have a proper link between userAccount and pollAccount even if not already - * created in dabase. The poll creator can't vote. The token is just use - * for moderate purpose. - * - * @param poll Poll - * @param accountEditable Account to check - * @return true if vote is allowed, false otherwise - */ - public boolean isVoteAllowed(Poll poll, PollAccount accountEditable) { + public String isCanAccessVote(Poll poll, String accountId, AccountIdRole accountIdRole) { - Preconditions.checkNotNull(poll); - Preconditions.checkNotNull(accountEditable); + if (AccountIdRole.CREATOR == accountIdRole) { + // poll admin can alwyas access vote page + return null; + } + + boolean pollIsFree = PollType.FREE == poll.getPollType(); + + if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { + + // on free poll, only the creator (using his creatorId as accountId) can not vote + return n_("pollen.security.error.poll.free.creatorId.can.not.vote"); + } + if (!pollIsFree && AccountIdRole.RESTRICTED_VOTER != accountIdRole) { + + // on none free poll, only restricted user can vote + return n_("pollen.security.error.poll.not.free.and.access.not.granted"); + } + return null; + } + + public boolean isCanVote(Poll poll, + String accountId, + AccountIdRole accountIdRole) { + + Date now = serviceContext.getCurrentTime(); - boolean result; - if (poll.getCreator().equals(accountEditable)) { + if (!poll.isRunning(now)) { - // The creator user can't vote - result = false; - } else { + // poll is not running, can not vote + return false; + } - // The poll must be running and account allowed for restricted poll - result = poll.isRunning(now); - if 
(poll.getPollType() != PollType.FREE) { + boolean pollIsFree = PollType.FREE == poll.getPollType(); - PersonToListDAO dao = getDAO(PersonToList.class); - PersonToList personToList = - dao.findByPollAndAccount(poll, accountEditable); + if (pollIsFree && poll.getCreator().getAccountId().equals(accountId)) { - result &= personToList != null; - } + // on free poll, only the creator (using his creatorId as accountId) can not vote + return false; } - return result; + if (!pollIsFree && AccountIdRole.RESTRICTED_VOTER != accountIdRole) { + + // on none free poll, only restricted user can vote + return false; + } + + // ok can vote + return true; } - public boolean isUpdateAllowed(Poll poll, String voteId, - String accountId, UserAccount userConnected) { + public boolean isCanModifyVote(Poll poll, String voteId, + String accountId, + UserAccount userConnected) { Date now = serviceContext.getCurrentTime(); - boolean result = false; + if (!poll.isRunning(now)) { + // poll is not running can not modify anything + return false; + } + + if (poll.isAnonymous()) { + + // poll is anonymous, no vote can be modify + return false; + } + Vote vote = poll.getVoteByTopiaId(voteId); - // can only modify a vote if poll is running. 
- if (vote != null && poll.isRunning(now)) { - PollAccount votePollAccount = vote.getPollAccount(); + if (vote == null) { - // si le votant du vote correspond au votant actuel (pollAccountId) - if (accountId != null - && accountId.equals(votePollAccount.getAccountId())) { - result = true; + // vote not found, can not modify it + return false; + } + + PollAccount votePollAccount = vote.getPollAccount(); + + if (votePollAccount.getAccountId().equals(accountId)) { + + // accountId is voteAccountId, can modifiy the vote + return true; + } + + if (userConnected != null) { + + if (userConnected.equals(votePollAccount.getUserAccount())) { + + // user conntected is the voter + return true; } + } - // si l'utilisateur du vote correspond à l'utilisateur actuel (user) - if (userConnected != null) { - UserAccount voteUserAccount = votePollAccount.getUserAccount(); - result = userConnected.equals(voteUserAccount); + // can not modify vote in other cases + return false; + } + + public boolean isCanDeleteVote(Poll poll, + String voteId, + String accountId, + AccountIdRole accountIdRole, + UserAccount userConnected) { + + Date now = serviceContext.getCurrentTime(); + + if (!poll.isRunning(now)) { + + // poll is not running can not remove anything + return false; + } + + if (poll.isAnonymous()) { + + // poll is anonymous, no vote can be delete (?) 
FIXME Check this + return false; + } + + + Vote vote = poll.getVoteByTopiaId(voteId); + + if (vote == null) { + + // vote not found, can not delete it + return false; + } + + if (accountIdRole == AccountIdRole.CREATOR) { + + // poll admin can delete any vote + return true; + } + + PollAccount votePollAccount = vote.getPollAccount(); + + if (votePollAccount.getAccountId().equals(accountId)) { + + // owner of vote (linked by accountId) can delete his own vote + return true; + } + + if (userConnected != null) { + + if (userConnected.equals(votePollAccount.getUserAccount())) { + + // owner of vote (linked by userAccount) can delete his own vote + return true; } } - return result; + + // can not modify vote in other cases + return false; } public boolean isCanDeleteComment(Comment comment, - PollAccount pollAccount, - UserAccount userAccount, - boolean isPollCreator) { + String accountId, + AccountIdRole accountIdRole, + UserAccount userAccount) { - boolean result = false; + if (accountIdRole == AccountIdRole.CREATOR) { + // poll admin can always delete comments + return true; + } + PollAccount commentAccount = comment.getPollAccount(); - if (isPollCreator) { + if (commentAccount.getAccountId().equals(accountId)) { - // poll creator has admin rights on his poll - result = true; - } else if (userAccount != null) { + // owner of comment (linked by accountId) can delete his comment + return true; + } - // loggued - boolean isAdmin = userAccount.isAdministrator(); -// boolean isCommentAccount = userAccount.equals(commentAccount.getUserAccount()); + if (userAccount != null) { - // pollen admin or comment owner (linked by user account) - result = isAdmin || - userAccount.equals(commentAccount.getUserAccount()); + if (userAccount.equals(commentAccount.getUserAccount())) { + // owner of comment (linked by userAccount) can delete his comment + return true; + } + } + return false; + } - } else if (pollAccount != null) { + private boolean isVoterAccountId(PollAccountDAO dao, 
PollUri uri) { + try { - // comment owner (linked by poll account) - result = pollAccount.equals(commentAccount); + return dao.existsByPollVoteAccountId(uri.getPollId(), uri.getAccountId()); + + } catch (TopiaException e) { + throw new PollenTechnicalException( + "Could not check pollAccount existence from poll '" + + uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); } - return result; } + private boolean isRestrictPollAccountId(PollAccountDAO dao, PollUri uri) { + try { + + PollAccount result = + dao.getRestrictedPollAccount(uri.getPollId(), uri.getAccountId()); + + return result != null; + + } catch (TopiaException e) { + throw new PollenTechnicalException( + "Could not check pollAccount existence from poll '" + + uri.getPollId() + "' and account '" + uri.getAccountId() + "'", e); + } + } + +// /** +// * Vote is allowed if {@code poll} is running and {@code pollAccount} is +// * defined in the {@code poll} restricted list if it's not a {@link PollType#FREE} +// * poll. The account must be defined previously using +// * {@link PollService#getPollAccountEditable(String, UserAccount, Poll)} to +// * have a proper link between userAccount and pollAccount even if not already +// * created in dabase. The poll creator can't vote. The token is just use +// * for moderate purpose. 
+// * +// * @param poll Poll +// * @param accountEditable Account to check +// * @return true if vote is allowed, false otherwise +// */ +// public boolean isVoteAllowed(Poll poll, PollAccount accountEditable) { +// +// Preconditions.checkNotNull(poll); +// Preconditions.checkNotNull(accountEditable); +// +// Date now = serviceContext.getCurrentTime(); +// +// boolean result; +// if (poll.getCreator().equals(accountEditable)) { +// +// // The creator user can't vote +// result = false; +// } else { +// +// // The poll must be running and account allowed for restricted poll +// result = poll.isRunning(now); +// if (poll.getPollType() != PollType.FREE) { +// +// PersonToListDAO dao = getDAO(PersonToList.class); +// PersonToList personToList = +// dao.findByPollAndAccount(poll, accountEditable); +// +// result &= personToList != null; +// } +// } +// return result; +// } + +// public boolean isUpdateAllowed(Poll poll, String voteId, +// String accountId, UserAccount userConnected) { +// +// Date now = serviceContext.getCurrentTime(); +// +// boolean result = false; +// +// Vote vote = poll.getVoteByTopiaId(voteId); +// +// // can only modify a vote if poll is running. 
+// if (vote != null && poll.isRunning(now)) { +// PollAccount votePollAccount = vote.getPollAccount(); +// +// // si le votant du vote correspond au votant actuel (pollAccountId) +// if (accountId != null +// && accountId.equals(votePollAccount.getAccountId())) { +// result = true; +// } +// +// // si l'utilisateur du vote correspond à l'utilisateur actuel (user) +// if (userConnected != null) { +// UserAccount voteUserAccount = votePollAccount.getUserAccount(); +// result = userConnected.equals(voteUserAccount); +// } +// } +// return result; +// } + +// public boolean isCanDeleteComment(Comment comment, +// PollAccount pollAccount, +// UserAccount userAccount, +// boolean isPollCreator) { +// +// boolean result = false; +// +// PollAccount commentAccount = comment.getPollAccount(); +// +// if (isPollCreator) { +// +// // poll creator has admin rights on his poll +// result = true; +// } else if (userAccount != null) { +// +// // loggued +// boolean isAdmin = userAccount.isAdministrator(); +//// boolean isCommentAccount = userAccount.equals(commentAccount.getUserAccount()); +// +// // pollen admin or comment owner (linked by user account) +// result = isAdmin || +// userAccount.equals(commentAccount.getUserAccount()); +// +// } else if (pollAccount != null) { +// +// // comment owner (linked by poll account) +// result = pollAccount.equals(commentAccount); +// } +// return result; +// } + } Modified: trunk/pollen-services/src/main/resources/i18n/pollen-services_en_GB.properties =================================================================== --- trunk/pollen-services/src/main/resources/i18n/pollen-services_en_GB.properties 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-services/src/main/resources/i18n/pollen-services_en_GB.properties 2012-06-18 07:58:19 UTC (rev 3505) 
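Review bot: In `isCanModifyVote`, `isCanDeleteVote` and `isCanDeleteComment` the ownership test now dereferences the stored value, `votePollAccount.getAccountId().equals(accountId)` and `commentAccount.getAccountId().equals(accountId)`. The replaced `isUpdateAllowed` used the null-safe order `accountId != null && accountId.equals(votePollAccount.getAccountId())`. If a vote or comment can carry a poll account without an account id (not visible from this hunk), the permission check throws instead of returning false. I would keep the old order in all three places, `if (accountId != null && accountId.equals(votePollAccount.getAccountId())) {`. The new public `isCan*` methods also have no Javadoc; each should state which poll state, role and identifiers grant access, and that a null `accountIdRole` is treated as not being the creator.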
@@ -44,6 +44,8 @@
 pollen.feed.updateVoteTitle=Vote modified for '%s'
 pollen.info.admin.created=Super admin was created with login %1$s
 pollen.info.admin.exists=Super admin already exists
+pollen.security.error.poll.free.creatorId.can.not.vote=Using a creator Id does not allow you to vote.
 pollen.security.error.poll.not.closed.and.results.not.continuous=The poll is not closed and results are not continuous
 pollen.security.error.poll.not.free.and.access.not.granted=You can not access to this non free poll
+pollen.security.error.poll.not.running.can.not.vote=You can not vote (poll is finished or not began).
 pollen.security.error.poll.result.private.and.access.not.granted=Results of the poll are private and you do not have credentials to see them
Modified: trunk/pollen-services/src/main/resources/i18n/pollen-services_fr_FR.properties
===================================================================
--- trunk/pollen-services/src/main/resources/i18n/pollen-services_fr_FR.properties 2012-06-18 07:55:12 UTC (rev 3504)
+++ trunk/pollen-services/src/main/resources/i18n/pollen-services_fr_FR.properties 2012-06-18 07:58:19 UTC (rev 3505)
@@ -44,6 +44,8 @@
 pollen.feed.updateVoteTitle=Vote modifié de '%s'
 pollen.info.admin.created=Le super admin a été créé avec l'identifiant %1$s.
 pollen.info.admin.exists=Le super admin existe déjà
+pollen.security.error.poll.free.creatorId.can.not.vote=L'utlisation du creatorId ne permet de voter.
 pollen.security.error.poll.not.closed.and.results.not.continuous=Vous n'avez pas accès aux résultats de ce sondage (résultats non continus et sondage non fermé)
 pollen.security.error.poll.not.free.and.access.not.granted=Vous n'avez pas accès à ce sondage restreint
+pollen.security.error.poll.not.running.can.not.vote=Vous n'êtes pas autorisé à voter (sondage terminé ou pas encore commencé).
 pollen.security.error.poll.result.private.and.access.not.granted=Vous n'avez pas accès aux résultats privés de ce sondage
Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetPollComments.java
===================================================================
--- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetPollComments.java 2012-06-18 07:55:12 UTC (rev 3504)
+++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/json/GetPollComments.java 2012-06-18 07:58:19 UTC (rev 3505)
@@ -112,7 +112,7 @@ Set<String> result = Sets.newHashSet(); //TODO-tchemit-2012-06-03 Should use also pollAccountId (if specified in url)... boolean canDelete = getSecurityService().isCanDeleteComment( - comment, null, userAccount, false); + comment, null, null, userAccount); if (canDelete) { result.add("delete"); } Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/AbstractVoteAction.java 2012-06-18 07:58:19 UTC (rev 3505) @@ -27,6 +27,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.struts2.interceptor.ParameterAware; +import org.apache.struts2.interceptor.ServletRequestAware; import org.chorem.pollen.bean.PollResult; import org.chorem.pollen.bean.PollResultList; import org.chorem.pollen.business.persistence.Choice; @@ -41,8 +42,11 @@ import org.chorem.pollen.common.VoteCountingType; import org.chorem.pollen.services.exceptions.PollAccountNotFound; import org.chorem.pollen.services.exceptions.PollNotFoundException; +import org.chorem.pollen.services.impl.SecurityService; import org.chorem.pollen.ui.actions.PageSkin; +import org.chorem.pollen.ui.security.PollVoteAccessRequired; +import javax.servlet.http.HttpServletRequest; import java.util.Date; import java.util.List; import java.util.Map; @@ -54,7 +58,7 @@ * @author fdesbois <fdesbois@codelutin.com> * @since 1.3 */ -public abstract class AbstractVoteAction extends AbstractPollUriIdAction implements ParameterAware { +public abstract class AbstractVoteAction extends AbstractPollUriIdAction implements ParameterAware, ServletRequestAware { private static final long serialVersionUID = 1L; 
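Review bot: The call `isCanDeleteComment(comment, null, null, userAccount)` in the GetPollComments hunk passes neither an account id nor a role, so under the new service code only the user account that owns the comment is offered `"delete"`. The old call still reached `userAccount.isAdministrator()` in the service, and that branch is removed in this revision. The result fails closed, but the action list returned here can now disagree with what the vote page computes through `isDeleteCommentAllowed`. Until the TODO above the call is resolved, I would record the limitation at the call site, e.g. `// accountId and role are not resolved here: only the comment's user-account owner is offered "delete"`. The enclosing method starts and ends outside the hunk.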
@@ -141,6 +145,21 @@ */ private Map<String, String[]> parameters; + /** + * The accountId role on this page. + * + * @since 1.4 + */ + private SecurityService.AccountIdRole accountIdRole; + + /** + * The incoming request (some stuff are store in it from security filters). + * + * @since 1.4 + */ + private transient HttpServletRequest request; + + @Override public PageSkin getSkin() { return PageSkin.VOTE; @@ -151,6 +170,11 @@ this.parameters = parameters; } + @Override + public void setServletRequest(HttpServletRequest request) { + this.request = request; + } + public Poll getPoll() { return poll; } @@ -300,15 +324,14 @@ // TODO no pagination for the moment, need to retrieve the correct page depends on current pollAccount votes = getVoteService().getAllVotes(poll); - voteAllowed = !moderate && getSecurityService().isVoteAllowed(poll, pollAccount); + accountIdRole = (SecurityService.AccountIdRole) + request.getAttribute(PollVoteAccessRequired.ACCOUNT_ID_ROLE); - if (voteAllowed) { + voteAllowed = !moderate && + getSecurityService().isCanVote(poll, + getAccountId(), + accountIdRole); - // can not vote if accountId from the url is the creator one - voteAllowed = !poll.getCreator().getAccountId().equals(getUriId().getAccountId()); - - } - // Current vote if (voteAllowed) { vote = getVoteService().getVoteEditable(poll, pollAccount); 
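Review bot: In the `@@ -300,15 +324,14 @@` hunk, `accountIdRole` is read from `request.getAttribute(PollVoteAccessRequired.ACCOUNT_ID_ROLE)` with a plain cast and no null handling, so every later permission decision in this action depends on the security filter having run for the URL. A missing attribute is indistinguishable from an anonymous visitor: `isCanVote`, `isCanDeleteVote` and `isCanDeleteComment` all accept null and simply treat the caller as not being the creator. I would make that case explicit right after the read, `if (accountIdRole == null) { accountIdRole = SecurityService.AccountIdRole.UNDEFINED; }`, and log it at warn level so a mis-mapped filter is noticed. The Javadoc on the new `accountIdRole` field should also say that the value is produced by the filter and is only set once this method has run. The enclosing method starts and ends outside the hunk.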
@@ -319,18 +342,10 @@ feedFileExisting = getPollFeedService().isFeedExists(poll); - PollAccount pollCreator = poll.getCreator(); - if (getPollenUserAccount() == null) { + creatorUser = getSecurityService().isPollCreator(poll, + getUriId(), + getPollenUserAccount()); - // User is creator if loaded pollAccount is the creator - creatorUser = pollCreator.equals(pollAccount); - - } else { - - // User is creator if the userAccount is the same - creatorUser = getPollenUserAccount().equals(pollCreator.getUserAccount()); - } - if (log.isInfoEnabled()) { Date now = serviceContext.getCurrentTime(); log.info("pollChoiceOrVoteStarted = " + isPollChoiceOrVoteStarted()); @@ -375,8 +390,8 @@ return result; } - public boolean isModifAllowed(Vote vote) { - return getSecurityService().isUpdateAllowed( + public boolean isModifyVoteAllowed(Vote vote) { + return getSecurityService().isCanModifyVote( getPoll(), vote.getTopiaId(), getAccountId(), 
@@ -390,14 +405,20 @@ public boolean isDeleteCommentAllowed(Comment comment) { return getSecurityService().isCanDeleteComment( comment, - getPollAccount(), - getPollenUserAccount(), - isCreatorUser()); + getUriId().getAccountId(), + accountIdRole, + getPollenUserAccount()); } public boolean isDeleteVoteAllowed(Vote vote) { - // can delete a vote if admin or poll creator - return isUserAdmin() || isCreatorUser(); + return getSecurityService().isCanDeleteVote( + getPoll(), + vote.getTopiaId(), + getUriId().getAccountId(), + accountIdRole, + getPollenUserAccount()); +// // can delete a vote if admin or poll creator +// return isUserAdmin() || isCreatorUser(); } public String escapeLineBreak(String text) { Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/SummaryPoll.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/SummaryPoll.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/actions/poll/SummaryPoll.java 2012-06-18 07:58:19 UTC (rev 3505) @@ -83,7 +83,7 @@ } public boolean isCanShowResult() { - String errorMessage = getSecurityService().isCanShowResult( + String errorMessage = getSecurityService().isCanAccessResult( poll, SecurityService.AccountIdRole.CREATOR); return errorMessage == null; } Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/AbstractPollenAuthorization.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/AbstractPollenAuthorization.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/AbstractPollenAuthorization.java 2012-06-18 07:58:19 UTC (rev 3505) 
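Review bot: In the `@@ -390,14 +405,20 @@` hunk, `isDeleteCommentAllowed` and `isDeleteVoteAllowed` take the account id from `getUriId().getAccountId()`, while `isModifyVoteAllowed` and the `isCanVote` call earlier in this file use `getAccountId()`. Unless both accessors are guaranteed to return the same value (not visible here), the same visitor can be identified differently by different permission checks; I would use one accessor in all calls, e.g. `getAccountId(),`. `isDeleteVoteAllowed` also loses the `isUserAdmin()` path: `isCanDeleteVote` returns false for a poll that is not running or is anonymous before it looks at the role, so nobody can remove a vote on a closed poll any more. Please confirm that is intended, since the service itself carries a `FIXME Check this` on the anonymous case. The two commented-out lines left after the `return` should be deleted.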
@@ -31,12 +31,12 @@ import org.apache.shiro.web.util.WebUtils; import org.chorem.pollen.PollenApplicationContext; import org.chorem.pollen.bean.PollUri; +import org.chorem.pollen.business.persistence.Poll; import org.chorem.pollen.business.persistence.UserAccount; import org.chorem.pollen.services.DefaultPollenServiceContext; import org.chorem.pollen.services.PollenServiceContext; import org.chorem.pollen.services.PollenServiceFactory; -import org.chorem.pollen.services.exceptions.PollNotFoundException; -import org.chorem.pollen.services.impl.SecurityService; +import org.chorem.pollen.services.impl.PollService; import org.chorem.pollen.ui.PollenSession; import org.chorem.pollen.ui.PollenUIUtils; import org.nuiton.topia.TopiaContext; 
@@ -107,20 +107,62 @@ return result; } - protected SecurityService getSecurityService(ServletRequest request) { - PollenServiceContext serviceContext = getServiceContext(request); - - SecurityService securityService = - serviceContext.newService(SecurityService.class); - return securityService; - } - protected UserAccount getPollenUserAccount(ServletRequest request) { PollenSession pollenSession = PollenSession.get(request); return pollenSession.getUserAccount(); } + protected Poll getPollIdSane(PollUri pollUri, + PollenServiceContext serviceContext, + ServletRequest request) { + + Poll poll = null; + String errorMessage = null; + if (pollUri == null) { + + // no pollUri in url + errorMessage = n_("pollen.security.error.no.pollId"); + + } else { + + if (!pollUri.isPollIdNotBlank()) { + + // no pollId in uri + errorMessage = n_("pollen.security.error.no.pollId"); + } else { + + // there is a pollId check that it exists + + PollService pollService = + serviceContext.newService(PollService.class); + + poll = pollService.getPollByPollId(pollUri.getPollId()); + + if (poll == null) { + + // poll not found + errorMessage = n_("pollen.security.error.poll.not.found"); + } + + if (log.isDebugEnabled()) { + log.debug("Can access to this poll " + + pollUri.getPollId()); + } + + } + } + + if (errorMessage != null) { + + // something wrong happens + poll = null; + registerError(request, errorMessage); + } + + return poll; + } + protected PollenServiceContext getServiceContext(ServletRequest request) { PollenApplicationContext applicationContext = PollenApplicationContext.get(getServletContext()); @@ -152,7 +194,6 @@ Map<String, String> params = Maps.newHashMap(); params.put("errorMessage", attribute); WebUtils.issueRedirect(request, response, unauthorizedUrl, params); -// request.removeAttribute(ERROR_MESSAGE_PARAMETER); } else { 
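Review bot: In `getPollIdSane` the debug message `"Can access to this poll " + pollUri.getPollId()` is emitted after the `poll == null` test whatever its outcome, so a lookup that failed is logged as a granted access. I would attach the log to the success branch, `} else if (log.isDebugEnabled()) {`, directly after the block that sets `pollen.security.error.poll.not.found`. The poll id appears to come from the request URL and is concatenated into the log line unchanged, so consider stripping line breaks before logging it. The method also needs a Javadoc saying that it returns `null` and registers the error message on the request when the poll cannot be resolved, since callers now rely on `poll != null` as the access decision.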
@@ -164,61 +205,6 @@ return false; } - protected boolean isPollIdSane(PollUri pollUri, - SecurityService securityService, - ServletRequest request) { - - String errorMessage = null; - if (pollUri == null) { - - // no pollUri in url - errorMessage = n_("pollen.security.error.no.pollId"); - - } else { - - if (!pollUri.isPollIdNotBlank()) { - - // no pollId in uri - errorMessage = n_("pollen.security.error.no.pollId"); - } else { - - // there is a pollId check that it exists - - try { - securityService.checkPoll(pollUri); - - if (log.isDebugEnabled()) { - log.debug("Can access to this poll " + - pollUri.getPollId()); - } - - } catch (PollNotFoundException e) { - if (log.isDebugEnabled()) { - log.debug("Poll not found!"); - } - errorMessage = n_("pollen.security.error.poll.not.found"); - } - } - } - boolean isAccessAllowed; - - if (errorMessage == null) { - - // no error message seems ok - isAccessAllowed = true; - - } else { - - // something wrong happens - isAccessAllowed = false; - - registerError(request, errorMessage); - } - - return isAccessAllowed; - } - - protected void registerError(ServletRequest request, String errorMessage) { request.setAttribute(ERROR_MESSAGE_PARAMETER, errorMessage); } Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollCreatorAccessRequired.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollCreatorAccessRequired.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollCreatorAccessRequired.java 2012-06-18 07:58:19 UTC (rev 3505) @@ -26,7 +26,6 @@ import org.chorem.pollen.business.persistence.Poll; import org.chorem.pollen.business.persistence.UserAccount; import org.chorem.pollen.services.PollenServiceContext; -import org.chorem.pollen.services.impl.PollService; import org.chorem.pollen.services.impl.SecurityService; import javax.servlet.ServletRequest; 
@@ -60,9 +59,11 @@ SecurityService securityService = serviceContext.newService(SecurityService.class); - // test that poll is sane - boolean isAccessAllowed = isPollIdSane(pollUri, securityService, request); + // get sane poll + Poll poll = getPollIdSane(pollUri, serviceContext, request); + boolean isAccessAllowed = poll != null; + SecurityService.AccountIdRole accountIdRole = SecurityService.AccountIdRole.UNDEFINED; @@ -70,10 +71,6 @@ // pollId is sane (poll exists from it) - // get it - Poll poll = serviceContext.newService(PollService.class).getPollByPollId( - pollUri.getPollId()); - // test if user is admin boolean isAdmin = adminFilter.isAccessAllowed(request, response, Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollResultAccessRequired.java 2012-06-18 07:58:19 UTC (rev 3505) @@ -25,7 +25,6 @@ import org.chorem.pollen.bean.PollUri; import org.chorem.pollen.business.persistence.Poll; import org.chorem.pollen.services.PollenServiceContext; -import org.chorem.pollen.services.impl.PollService; import org.chorem.pollen.services.impl.SecurityService; import javax.servlet.ServletRequest; 
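Review bot: The allow/deny decision in the -60,9 hunk is now just `poll != null`, so this filter fails closed only if `getPollIdSane` returns null for every case the removed `isPollIdSane` rejected (null `pollUri`, blank pollId, `PollNotFoundException`) and registers the error message itself. That helper is defined outside the visible hunks, so this could not be confirmed from here. I would state the contract at the call site, e.g. `// null when pollUri is missing, blank or unknown; the error is already registered on the request`, and consider a name such as `getSanePoll`, since the method returns a `Poll` rather than an id. The same pattern is introduced in PollResultAccessRequired (-59,21) and PollVoteAccessRequired (-60,11); the enclosing method starts and ends outside the hunk.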
@@ -59,21 +58,16 @@ SecurityService securityService = serviceContext.newService(SecurityService.class); - // test that poll is sane - boolean isAccessAllowed = isPollIdSane(pollUri, securityService, request); + // get sane poll + Poll poll = getPollIdSane(pollUri, serviceContext, request); - Poll poll = null; + boolean isAccessAllowed = poll != null; SecurityService.AccountIdRole accountIdRole = null; if (isAccessAllowed) { // pollId is sane (poll exists from it) - - // get it - poll = serviceContext.newService(PollService.class).getPollByPollId( - pollUri.getPollId()); - // test if user is admin boolean isAdmin = adminFilter.isAccessAllowed(request, @@ -109,11 +103,11 @@ if (isAccessAllowed) { // pollId is sane - // accountId also + // accountId is sane // check now poll results can be displayed - String errorMessage = securityService.isCanShowResult( + String errorMessage = securityService.isCanAccessResult( poll, accountIdRole); if (errorMessage != null) { Modified: trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollVoteAccessRequired.java =================================================================== --- trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollVoteAccessRequired.java 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/java/org/chorem/pollen/ui/security/PollVoteAccessRequired.java 2012-06-18 07:58:19 UTC (rev 3505) @@ -24,9 +24,7 @@ import org.chorem.pollen.bean.PollUri; import org.chorem.pollen.business.persistence.Poll; -import org.chorem.pollen.common.PollType; import org.chorem.pollen.services.PollenServiceContext; -import org.chorem.pollen.services.impl.PollService; import org.chorem.pollen.services.impl.SecurityService; import javax.servlet.ServletRequest; 
@@ -42,6 +40,8 @@ */ public class PollVoteAccessRequired extends AbstractPollenAuthorization { + public static final String ACCOUNT_ID_ROLE = "accountIdRole"; + protected final AdminUserRequired adminFilter; public PollVoteAccessRequired() { @@ -60,11 +60,10 @@ SecurityService securityService = serviceContext.newService(SecurityService.class); - // test that poll is sane - boolean isAccessAllowed = isPollIdSane(pollUri, securityService, - request); + // get sane poll + final Poll poll = getPollIdSane(pollUri, serviceContext, request); - Poll poll = null; + boolean isAccessAllowed = poll != null; SecurityService.AccountIdRole accountIdRole = null; @@ -72,10 +71,6 @@ // pollId is sane (poll exists from it) - // get it - poll = serviceContext.newService(PollService.class).getPollByPollId( - pollUri.getPollId()); - // test if user is admin boolean isAdmin = adminFilter.isAccessAllowed(request, response, @@ -93,9 +88,8 @@ // bad account Id isAccessAllowed = false; - registerError( - request, - n_("pollen.security.error.bad.accountId")); + registerError(request, + n_("pollen.security.error.bad.accountId")); } } 
@@ -109,23 +103,27 @@ if (isAccessAllowed) { // pollId is sane - // accountId also + // accountId is sane // check now poll votes can be displayed - boolean pollIsFree = PollType.FREE == poll.getPollType(); + String errorMessage = securityService.isCanAccessVote( + poll, pollUri.getAccountId(), accountIdRole); - if (!pollIsFree && - !SecurityService.NONE_FREE_ACCOUNT_ID_ROLES.contains(accountIdRole)) { + if (errorMessage != null) { - // on none free poll, only creator or restricted user can have it + // can not vote isAccessAllowed = false; - registerError( - request, - n_("pollen.security.error.poll.not.free.and.access.not.granted")); + registerError(request, errorMessage); } } + if (isAccessAllowed) { + + // store accountIdRole in request + request.setAttribute(ACCOUNT_ID_ROLE, accountIdRole); + } + return isAccessAllowed; } Modified: trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/poll/vote.jsp =================================================================== --- trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/poll/vote.jsp 2012-06-18 07:55:12 UTC (rev 3504) +++ trunk/pollen-ui-struts2/src/main/webapp/WEB-INF/jsp/poll/vote.jsp 2012-06-18 07:58:19 UTC (rev 3505) @@ -93,7 +93,7 @@ $votingIdField.attr('disabled', $anonymousField.prop('checked')); - $anonymousField.change(function() { + $anonymousField.change(function () { $votingIdField.attr('disabled', $(this).prop('checked')); }); @@ -232,8 +232,7 @@ <s:if test="imageType"> <s:iterator value="poll.choice" var="choice"> <s:if test="!isChoiceHidden(#choice)"> - <s:url id="imageUrl" namespace="/io" - action="getPollChoiceImage" + <s:url id="imageUrl" namespace="/io" action="getPollChoiceImage" escapeAmp="false"> <s:param name="choiceId" value="name"/> <s:param name="pollId" value="poll.pollId"/> 
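Review bot: `accountIdRole` is passed to `isCanAccessVote` and then stored under `ACCOUNT_ID_ROLE` without a null check, yet the -60,11 hunk of this file still initialises it to `null` and its assignment lies outside the visible hunks. If any allowed path (presumably the admin branch) leaves it unset, code reading the request attribute cannot tell "no role resolved" from "filter did not run"; PollResultAccessRequired hands the same kind of variable to `isCanAccessResult`. PollCreatorAccessRequired starts from `SecurityService.AccountIdRole.UNDEFINED`, and doing the same here, `SecurityService.AccountIdRole accountIdRole = SecurityService.AccountIdRole.UNDEFINED;`, would keep the attribute non-null. The call to `isCanAccessVote` also deserves a one-line comment, `// returns an error message, or null when voting is allowed`, because the `isCan…` name reads like a boolean. The enclosing method starts outside the hunk.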
@@ -277,28 +276,24 @@ <s:if test="!isChoiceHidden(#choice)"> <th> <s:if test="normalVoteCounting"> - <s:checkbox - name="vote.choiceVoteToChoice[%{#status.index}].voteValue" - value="%{vote.choiceVoteToChoice[#status.index].voteValue}" - theme="simple"/> + <s:checkbox theme="simple" + name="vote.choiceVoteToChoice[%{#status.index}].voteValue" + value="%{vote.choiceVoteToChoice[#status.index].voteValue}"/> </s:if> <s:if test="percentageVoteCounting"> - <s:textfield - name="vote.choiceVoteToChoice[%{#status.index}].voteValue" - value="%{vote.choiceVoteToChoice[#status.index].voteValue}" - required="true" size="3" theme="simple"/> + <s:textfield required="true" size="3" theme="simple" + name="vote.choiceVoteToChoice[%{#status.index}].voteValue" + value="%{vote.choiceVoteToChoice[#status.index].voteValue}"/> </s:if> <s:if test="condorcetVoteCounting"> - <s:textfield - name="vote.choiceVoteToChoice[%{#status.index}].voteValue" - value="%{vote.choiceVoteToChoice[#status.index].voteValue}" - id="condorcetInput" size="3" theme="simple"/> + <s:textfield id="condorcetInput" size="3" theme="simple" + name="vote.choiceVoteToChoice[%{#status.index}].voteValue" + value="%{vote.choiceVoteToChoice[#status.index].voteValue}"/> </s:if> <s:if test="numberVoteCounting"> - <s:textfield - name="vote.choiceVoteToChoice[%{#status.index}].voteValue" - value="%{vote.choiceVoteToChoice[#status.index].voteValue}" - size="3" theme="simple"/> + <s:textfield size="3" theme="simple" + name="vote.choiceVoteToChoice[%{#status.index}].voteValue" + value="%{vote.choiceVoteToChoice[#status.index].voteValue}"/> </s:if> </th> </s:if> @@ -320,7 +315,7 @@ </s:else> </s:if> <s:if test="!poll.anonymous"> - <s:if test="isModifAllowed(#vote)"> + <s:if test="isModifyVoteAllowed(#vote)"> <s:a action="editVote" namespace="/poll"> <s:param name="pollId" value="%{pollId}"/> <s:param name="accountId" value="%{#vote.pollAccount.accountId}"/> 
@@ -418,7 +413,8 @@ <s:if test="voteAllowed"> <div id="buttons"> <s:if test="poll.anonymousVoteAllowed"> - <s:checkbox key="vote.anonymous" label='%{getText("pollen.common.voteAnonymous")}'/> + <s:checkbox key="vote.anonymous" + label='%{getText("pollen.common.voteAnonymous")}'/> <br/> </s:if> <s:submit action="vote/%{uriId}" key="pollen.action.pollVote" @@ -457,9 +453,10 @@ <s:textarea cols="36" key="choice.description" label="%{getText('pollen.common.description')}"/> <br/> + <div class="cleanBoth"> - <s:submit action="addChoice/%{uriId}" key="pollen.action.addChoice" - align="center"/> + <s:submit action="addChoice/%{uriId}" key="pollen.action.addChoice" + align="center"/> </div> </s:form> </div> @@ -470,7 +467,7 @@ <div id="commentZone"> - <%--Show paginated comments--%> + <%--Show paginated comments--%> <%@include file="displayPollComments.jsp" %> <div id="commentFormDiv">