Author: tchemit Date: 2012-08-28 18:38:58 +0200 (Tue, 28 Aug 2012) New Revision: 3655 Url: http://chorem.org/repositories/revision/pollen/3655 Log: refs #717: Restricted and authentication user (creator can vote loggued or not) fixes #795: Can not delete your own vote in anonymous poll (can modify or delete his own vote in anonymous poll) fixes #564: Cannot remove vote (can remove votes except for anonymous poll, only user can do it since creator can not see all votes) refs #746: Improve security model (weak security linked by email for the moment...) Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/VoteService.java Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java ===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java 2012-08-28 16:32:07 UTC (rev 3654)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/PollService.java 2012-08-28 16:38:58 UTC (rev 3655)
@@ -555,7 +555,12 @@ if (StringUtils.isNotEmpty(accountId) || withUserAccount) { - if (poll.isPollFree()) { + if (poll.getCreator().getAccountId().equals(accountId)) { + + // let's use the creator account + pollAccountLoaded = poll.getCreator(); + + } else if (poll.isPollFree()) { try { pollAccountLoaded = dao.findVoterPollAccount(poll.getPollId(),
@@ -1034,167 +1039,4 @@ + thumbCopied.length() + ")"); } } - - -// /** -// * Build a new Poll instance with given {@code user} as creator -// * -// * @param user Build a new Poll instance with given {@code user} as creator -// * @return Build a new Poll instance with given {@code user} as creator -// */ -// protected Poll getNewPoll(UserAccount user) { -// -// PollDAO pollDAO = getDAO(Poll.class); -// Poll result = newInstance(pollDAO); -// -// PollenConfiguration configuration = getConfiguration(); -// -// // default values from configuration -// result.setChoiceType(configuration.getDefaultChoiceType()); -// result.setVoteCountingType(configuration.getDefaultVoteCountingType()); -// result.setPollType(configuration.getDefaultPollType()); -// result.setPollVoteVisibility(configuration.getDefaultPollVoteVisibility()); -// result.setPollCommentVisibility(configuration.getDefaultPollCommentVisibility()); -// -// // Initialize creator of the poll -// PollAccountDAO pollAccountDAO = getDAO(PollAccount.class); -// PollAccount creator = newInstance(pollAccountDAO); -// -// if (user != null) { -// -// // Link the creator with the user -// creator.setVotingId(user.getDisplayName()); -// creator.setEmail(user.getEmail()); -// creator.setUserAccount(user); -// } -// result.setCreator(creator); -// -// return result; -// } -// -// /** -// * Obtains a copy of an existing poll given his {@code pollUid}. -// * <p/> -// * If flag {@code clone} is setted to {@code true}, then all id will -// * be removed (pollId, accountId, topiaId). -// * -// * @param pollUid the {@link Poll#getPollId()} of the poll to copy -// * @param userAccount optional incoming user account to link to the -// * {@link Poll#getCreator()} -// * @param clone flag to clone or not the copy of the poll (if setted -// * to {@code true} then all id will be removed). 
-// * @return the copy of the poll -// * @throws PollNotFoundException if poll was not found -// */ -// protected Poll getNewPollCopy(String pollUid, -// UserAccount userAccount, -// boolean clone) throws PollNotFoundException { -// -// // pollUid can not be blank -// Preconditions.checkState(StringUtils.isNotBlank(pollUid)); -// -// // load for sure existing poll -// Poll poll = getExistingPollByPollId(pollUid); -// -// PollDAO pollDAO = getDAO(Poll.class); -// Poll result = newInstance(pollDAO); -// -// PollenBinderHelper.simpleCopy(poll, result, !clone); -// if (clone) { -// // reset id for clone case -// result.setPollId(null); -// } -// -// // -- Creator -- // -// PollAccount creatorLoaded = poll.getCreator(); -// PollAccountDAO pollAccountDAO = getDAO(PollAccount.class); -// PollAccount creatorEditable = newInstance(pollAccountDAO); -// result.setCreator(creatorEditable); -// -// PollenBinderHelper.simpleCopy(creatorLoaded, creatorEditable, !clone); -// if (clone) { -// // reset id for clone case -// creatorEditable.setAccountId(null); -// } -// -// if (creatorEditable.getUserAccount() == null) { -// // use the incoming userAccount -// creatorEditable.setUserAccount(userAccount); -// } -// -// // -- Choice -- // -// Function<Choice, Choice> choiceCreator = -// PollenServiceFunctions.newChoiceCreator(poll.getChoiceType()); -// Iterable<Choice> choices = -// Iterables.transform(poll.getChoice(), choiceCreator); -// -// for (Choice choiceLoaded : choices) { -// if (clone) { -// // reset id for clone case -// choiceLoaded.setTopiaId(null); -// } -// result.addChoice(choiceLoaded); -// } -// -// // -- VotingList -- // -// VotingListDAO votingListDAO = getDAO(VotingList.class); -// PersonToListDAO personToListDAO = getDAO(PersonToList.class); -// for (VotingList votingListLoaded : poll.getVotingList()) { -// VotingList votingListEditable = newInstance(votingListDAO); -// result.addVotingList(votingListEditable); -// // Do not keep votingLists topiaId, to simplify 
the update will delete old votingLists and create new ones -// PollenBinderHelper.simpleCopy( -// votingListLoaded, votingListEditable, false); -// -// for (PersonToList personToListLoaded : votingListLoaded.getPollAccountPersonToList()) { -// PersonToList personToListEditable = newInstance(personToListDAO); -// votingListEditable.addPollAccountPersonToList(personToListEditable); -// // Do not keep personToLists topiaId, to simplify the update will delete old personToLists and create new ones -// PollenBinderHelper.simpleCopy( -// personToListLoaded, personToListEditable, false); -// -// PollAccount personLoaded = personToListLoaded.getPollAccount(); -// PollAccount personEditable = newInstance(pollAccountDAO); -// personToListEditable.setPollAccount(personEditable); -// // copy the person, keeping topiaId is useless because we have the link with PersonToList -// PollenBinderHelper.simpleCopy( -// personLoaded, personEditable, false); -// if (clone) { -// // reset id for clone case -// personEditable.setAccountId(null); -// } -// } -// } -// -// // -- PreventRule -- // -// PreventRuleDAO preventRuleDAO = getDAO(PreventRule.class); -// for (PreventRule preventRuleLoaded : poll.getPreventRule()) { -// PreventRule preventRuleEditable = newInstance(preventRuleDAO); -// PollenBinderHelper.simpleCopy( -// preventRuleLoaded, preventRuleEditable, !clone); -// result.addPreventRule(preventRuleEditable); -// } -// -// // Load votes to have the correct size used to check if vote is started -// result.setVote(poll.getVote()); -// -// return result; -// } - -// protected PollAccount copyPollAccount(PollAccount source) { -// PollAccountDAO dao = getDAO(PollAccount.class); -// PollAccount result = newInstance(dao); -// PollenBinderHelper.copy("", source, result, true); -// result.setUserAccount(source.getUserAccount()); -// return result; -// } - -// public PollAccount getNewPollAccount(UserAccount userAccount) { -// PollAccountDAO dao = getDAO(PollAccount.class); -// PollAccount 
result = newInstance(dao); -// String votingId = userAccount != null ? userAccount.getDisplayName() : ""; -// result.setVotingId(votingId); -// result.setUserAccount(userAccount); -// return result; -// } } Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java ===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-08-28 16:32:07 UTC (rev 3654)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/SecurityService.java 2012-08-28 16:38:58 UTC (rev 3655)
@@ -192,13 +192,6 @@ return false; } - if (securityContext.isWithAccountId() && - securityContext.getAccountId().equals(poll.getCreator().getAccountId())) { - - // user can not vote with his creator accountId (must use a new one) - return false; - } - if (!poll.isPollFree() && !securityContext.isRestrictedVoter()) { // on none free poll, only restricted user can vote
@@ -209,28 +202,6 @@ return true; } - public boolean isCanVoteFromSummary(PollenUserSecurityContext securityContext) { - - Poll poll = securityContext.getPoll(); - - Date now = serviceContext.getCurrentTime(); - - if (!poll.isRunning(now)) { - - // poll is not running, can not vote - return false; - } - - if (!poll.isPollFree() && !securityContext.isRestrictedVoter()) { - - // on none free poll, only restricted user can vote - return false; - } - - // ok can vote - return true; - } - public boolean isCanModifyVote(PollenUserSecurityContext securityContext, String voteId) {
@@ -247,12 +218,6 @@ return false; } - if (poll.isAnonymous()) { - - // poll is anonymous, no vote can be modify - return false; - } - Vote vote = poll.getVoteByTopiaId(voteId); if (vote == null) {
@@ -276,6 +241,13 @@ // user conntected is the voter return true; } + + if (userConnected.getEmail().equals(votePollAccount.getEmail())) { + + //FIXME-tchemit-2012-08-28 : voir http://chorem.org/issues/796 + // owner linked by email + return true; + } } // can not modify vote in other cases @@ -329,13 +301,6 @@ return false; } - if (poll.isAnonymous()) { - - // poll is anonymous, no vote can be delete (?) FIXME Check this - return false; - } - - Vote vote = poll.getVoteByTopiaId(voteId); if (vote == null) { @@ -365,6 +330,13 @@ // owner of vote (linked by userAccount) can delete his own vote return true; } + + if (userConnected.getEmail().equals(votePollAccount.getEmail())) { + + //FIXME-tchemit-2012-08-28 : voir http://chorem.org/issues/796 + // owner linked by email + return true; + } } // can not modify vote in other cases @@ -429,7 +401,8 @@ result = Lists.newArrayList(); - if (!poll.isAnonymous() && userSecurityContext.isVoter()) { + if (userSecurityContext.isVoter() || + userSecurityContext.isRestrictedVoter()) { // but can still see his own vote @@ -453,6 +426,20 @@ break; } } + + //FIXME-tchemit-2012-08-28 : voir http://chorem.org/issues/796 + // owner linked by email + + if (result.isEmpty()) { + String userAccountEmail = userAccount.getEmail(); + for (Vote vote : allVotes) { + + if (userAccountEmail.equals(vote.getPollAccount().getEmail())) { + result.add(vote); + break; + } + } + } } } 
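Review bot: The new owner-by-email test `userConnected.getEmail().equals(votePollAccount.getEmail())` has no null guard, so a connected user whose account has no email throws NullPointerException here instead of reaching the "can not modify vote in other cases" fall-through; the same expression is added in the @@ -365 hunk, and `userAccountEmail.equals(vote.getPollAccount().getEmail())` in the @@ -453 hunk has the same gap. Suggest `String email = userConnected.getEmail(); if (email != null && email.equals(votePollAccount.getEmail())) {` at the first two sites and a matching `userAccountEmail != null &&` at the third. Note also that the email on a vote's PollAccount appears to be copied from the submitted vote (VoteService in this commit now stores it for every vote, anonymous or not), so this rule grants modify/delete rights on a vote to any registered account whose email string equals it; the FIXME and the log's "weak security linked by email" acknowledge this, and it should stay flagged until account emails are verified before being relied on as an ownership proof. The enclosing methods start outside these hunks.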
@@ -483,6 +470,7 @@ result = true; } else { + //FIXME-tchemit-2012-08-28 : voir http://chorem.org/issues/796 // try to link bo user account email result = ObjectUtils.equals(poll.getCreator().getEmail(), userAccount.getEmail()); Modified: trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/VoteService.java ===================================================================
--- trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/VoteService.java 2012-08-28 16:32:07 UTC (rev 3654)
+++ trunk/pollen-services/src/main/java/org/chorem/pollen/services/impl/VoteService.java 2012-08-28 16:38:58 UTC (rev 3655)
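Review bot: The creator-by-email fallback `result = ObjectUtils.equals(poll.getCreator().getEmail(), userAccount.getEmail());` under the new FIXME is true when both emails are null (with commons-lang's ObjectUtils, equals(null, null) is true), so if either a creator PollAccount or a user account can lack an email, a null-email user would be treated as the creator of every null-email poll. The commit only annotates the line; suggest `String creatorEmail = poll.getCreator().getEmail(); result = creatorEmail != null && creatorEmail.equals(userAccount.getEmail());`. The enclosing method starts and ends outside the hunk.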
@@ -41,43 +41,19 @@ import org.chorem.pollen.business.persistence.VoteToChoiceDAO; import org.chorem.pollen.common.PollType; import org.chorem.pollen.entities.PollenBinderHelper; -import org.chorem.pollen.entities.PollenDAOHelper; import org.chorem.pollen.services.PollenServiceSupport; import org.chorem.pollen.services.exceptions.PollAccountNotFound; import org.chorem.pollen.services.exceptions.VoteNotFoundException; -import org.nuiton.topia.TopiaContext; import org.nuiton.topia.TopiaException; import org.nuiton.topia.persistence.TopiaFilterPagerUtil; import java.util.List; -import java.util.Map; public class VoteService extends PollenServiceSupport { /** Logger. */ private static final Log log = LogFactory.getLog(VoteService.class); -// public Vote getNewVote(Poll poll, PollAccount account) { -// -// Preconditions.checkNotNull(poll); -// -// VoteDAO voteDAO = getDAO(Vote.class); -// VoteToChoiceDAO voteToChoiceDAO = getDAO(VoteToChoice.class); -// -// Vote result = newInstance(voteDAO); -// result.setPollAccount(account); -// result.setWeight(1.); -// -// // Prepare the List of VoteToChoice with Poll's choices -// for (Choice choice : poll.getChoice()) { -// VoteToChoice element = newInstance(voteToChoiceDAO); -// element.setChoice(choice); -// result.addChoiceVoteToChoice(element); -// } -// -// return result; -// } - public Vote getVoteEditable(Poll poll, PollAccount accountEditable) { Preconditions.checkNotNull(poll); @@ -143,11 +119,17 @@ } // Retrieve weight for Restricted Poll with existing account - if (!poll.isPollFree()&& accountEditable.getTopiaId() != null) { + if (!poll.isPollFree() && accountEditable.getTopiaId() != null) { PersonToListDAO personToListDAO = getDAO(PersonToList.class); PersonToList personToList = personToListDAO.findByPollAndAccount(poll, accountEditable); result.setWeight(personToList.getWeight()); } + + if (poll.isAnonymous()) { + + // force anonymous flag on vote + result.setAnonymous(true); + } return result; } 
@@ -157,8 +139,10 @@ Vote result = create(voteDAO); result.setWeight(vote.getWeight()); - result.setAnonymous(vote.isAnonymous()); + // make sure vote is anonymous if poll is + result.setAnonymous(vote.isAnonymous() || poll.isAnonymous()); + // -- PollAccount -- // PollAccount pollAccount = vote.getPollAccount(); String pollAccountId = pollAccount.getTopiaId(); @@ -176,20 +160,17 @@ pollAccountLoaded = getEntityById(PollAccount.class, pollAccountId); } - // Update user data if not anonymous - if (!vote.isAnonymous()) { + // Update user data - pollAccountLoaded.setVotingId(pollAccount.getVotingId()); - pollAccountLoaded.setEmail(pollAccount.getEmail()); + pollAccountLoaded.setVotingId(pollAccount.getVotingId()); + pollAccountLoaded.setEmail(pollAccount.getEmail()); - UserAccount userAccount = pollAccount.getUserAccount(); - if (userAccount != null) { - UserAccount userAccountLoaded = - getEntityById(UserAccount.class, userAccount.getTopiaId()); - pollAccountLoaded.setUserAccount(userAccountLoaded); - } + UserAccount userAccount = pollAccount.getUserAccount(); + if (userAccount != null) { + UserAccount userAccountLoaded = + getEntityById(UserAccount.class, userAccount.getTopiaId()); + pollAccountLoaded.setUserAccount(userAccountLoaded); } - // TODO Manage anonymous for existing account ??? problem with restricted and email result.setPollAccount(pollAccountLoaded); // -- List of VoteToChoice -- // 
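Review bot: In the @@ -176 hunk the `// Update user data` block now writes votingId, email and the loaded UserAccount onto the PollAccount for anonymous votes as well, since the old `if (!vote.isAnonymous())` guard is removed; the update path in the @@ -245 hunk does the same. Anonymity therefore rests solely on the flag set by `result.setAnonymous(vote.isAnonymous() || poll.isAnonymous())` being honoured wherever votes or PollAccounts are read, listed or exported, rather than on the identity not being stored. That is presumably deliberate (it is what lets an anonymous voter be linked back by email), but it deserves a comment at the block: `// Voter identity is stored even for anonymous votes so the owner can be linked back; consumers must check Vote.isAnonymous() before exposing PollAccount data.` The enclosing method starts outside the hunk.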
@@ -245,17 +226,12 @@ // -- PollAccount -- // PollAccount voteAccount = vote.getPollAccount(); PollAccount pollAccountEntity = result.getPollAccount(); - if (vote.isAnonymous()) { - pollAccountEntity.setVotingId(null); - pollAccountEntity.setEmail(null); - pollAccountEntity.setUserAccount(null); + pollAccountEntity.setVotingId(voteAccount.getVotingId()); + pollAccountEntity.setEmail(voteAccount.getEmail()); + pollAccountEntity.setUserAccount(voteAccount.getUserAccount()); - } else { - pollAccountEntity.setVotingId(voteAccount.getVotingId()); - pollAccountEntity.setEmail(voteAccount.getEmail()); - pollAccountEntity.setUserAccount(voteAccount.getUserAccount()); - } - result.setAnonymous(vote.isAnonymous()); + // make sure vote is anonymous if poll is + result.setAnonymous(vote.isAnonymous() || poll.isAnonymous()); VoteToChoiceDAO voteToChoiceDao = getDAO(VoteToChoice.class); @@ -334,14 +310,16 @@ if (poll.isPollFree()) { - // Delete vote PollAccount if the Poll is free and account is not the creator if (!voteAccount.equals(poll.getCreator())) { + + // Delete vote PollAccount if the Poll is free and account is not the creator PollAccountDAO accountDAO = getDAO(PollAccount.class); delete(accountDAO, voteAccount); } - // Update pollAccount hasVoted flag } else { + + // Update pollAccount hasVoted flag PersonToList personToList = poll.getPersonToListByVote(entityToDelete); personToList.setHasVoted(false); } 
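Review bot: `pollAccountEntity.setUserAccount(voteAccount.getUserAccount())` stores the UserAccount object carried by the incoming vote directly on the persistent PollAccount, while the create path (@@ -176 hunk) resolves it with `getEntityById(UserAccount.class, userAccount.getTopiaId())`; this commit lifts the line out of the removed `else` branch without aligning the two. Resolving by id here too, `UserAccount ua = voteAccount.getUserAccount(); pollAccountEntity.setUserAccount(ua == null ? null : getEntityById(UserAccount.class, ua.getTopiaId()));`, keeps an update from attaching a detached or caller-built UserAccount. Since SecurityService now derives vote ownership from the PollAccount email, the unconditional `pollAccountEntity.setEmail(voteAccount.getEmail())` also means an update can move that ownership to a different address; worth a comment, or a check that the email is only changed on update when intended. The enclosing method starts outside the hunk.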
@@ -398,35 +376,6 @@ } } - public List<Vote> selectVotes(Map<String, Object> properties) { - TopiaContext transaction = getTransaction(); - try { - VoteDAO voteDAO = PollenDAOHelper.getVoteDAO(transaction); - - List<Vote> voteEntities; - - if (properties == null) { - voteEntities = voteDAO.findAll(); - if (log.isWarnEnabled()) { - log.warn("Attention : tous les votes ont été sélectionnés !"); - } - } else { - voteEntities = voteDAO.findAllByProperties(properties); - } - - List<Vote> results = Lists.newArrayList(voteEntities); - - if (log.isDebugEnabled()) { - log.debug("Entities found: " - + ((results == null) ? "null" : results.size())); - } - - return results; - } catch (Exception e) { - throw new PollenTechnicalException("Could not obtain votes", e); - } - } - protected VoteToChoice createVoteToChoice(Vote vote, VoteToChoice source) { VoteToChoiceDAO voteToChoiceDao = getDAO(VoteToChoice.class);