r387 - in trunk/wikitty-api/src: main/java/org/nuiton/wikitty test/java/org/nuiton/wikitty/layers
Author: bleny
Date: 2010-10-05 16:23:14 +0200 (Tue, 05 Oct 2010)
New Revision: 387
Url: http://nuiton.org/repositories/revision/wikitty/387
Log: security bug fixes
Modified:
trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java
trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java
Modified: trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java
===================================================================
--- trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java 2010-10-05 13:34:48 UTC (rev 386)
+++ trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java 2010-10-05 14:23:14 UTC (rev 387)
@@ -185,10 +185,10 @@
 WIKITTY_APPADMIN_GROUP_NAME));
 }
 }
-
+
 protected boolean userIsAnonymousOrAppAdmin(String securityToken, String userId) {
 boolean userIsAnonymousOrAppAdmin = false;
-
+ /*
 if (securityToken == null) {
 // user is anonymous
 userIsAnonymousOrAppAdmin = true;
@@ -200,6 +200,20 @@
 }
 }
 }
+ */
+
+ if (getAppAdminGroup(securityToken) == null) {
+ if (securityToken == null) {
+ // user is anonymous
+ userIsAnonymousOrAppAdmin = true;
+ }
+ } else {
+ if (isAppAdmin(securityToken, userId)) {
+ // user is appAdmin
+ userIsAnonymousOrAppAdmin = true;
+ }
+ }
+
 return userIsAnonymousOrAppAdmin;
 }
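Review bot: The previous body of `userIsAnonymousOrAppAdmin` is kept as commented-out code, opened by the `+ /*` line in this hunk and closed by the `+ */` line of the next one (`@@ -200,6 +200,20 @@`); a dead copy of old authorization logic inside the live method invites someone to re-enable it, and the repository already holds that revision. Delete the block and, if a pointer is wanted, leave one line in its place: `// earlier logic (rev 386) replaced; see the branches below`. The method also has no Javadoc stating its contract, which matters for a helper that decides admin rights.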
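Review bot: In the new body a null `securityToken` yields true whenever `getAppAdminGroup(securityToken)` returns null, and `canAdmin` (hunk `@@ -486,12 +502,7 @@`) assigns that result directly, so while no appAdmin group exists an unauthenticated caller is treated as an administrator on that path whereas a caller with a non-null token is never accepted. If this is the intended bootstrap state it must be stated on the method, and the guard should name that intent rather than read as a side effect of a missing group; if it is not intended, the first branch should leave the flag false. A Javadoc on the method should say that it returns true for a member of the appAdmin group when such a group exists, and, when none exists yet, only for an anonymous (null-token) caller, with a note that a non-null token is never accepted in that state. `getAppAdminGroup` and `isAppAdmin` are defined outside the hunk, so whether `getAppAdminGroup` can also return null for a non-null token on a lookup failure (which would make the anonymous branch reachable after bootstrap) should be confirmed.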
@@ -410,10 +424,12 @@
 protected void refuseUnauthorizedRead(
 String securityToken, String userId, Wikitty wikitty) {
- for (String extensionName : wikitty.getExtensionNames()) {
- if ( ! canRead(securityToken, userId, extensionName, wikitty)) {
- throw new SecurityException(_("user %s can't read extension %s on wikitty %s, it may be due to a global policy on the wikitty",
- userId, extensionName, wikitty));
+ if (wikitty != null) {
+ for (String extensionName : wikitty.getExtensionNames()) {
+ if ( ! canRead(securityToken, userId, extensionName, wikitty)) {
+ throw new SecurityException(_("user %s can't read extension %s on wikitty %s, it may be due to a global policy on the wikitty",
+ userId, extensionName, wikitty));
+ }
 }
 }
 }
@@ -486,12 +502,7 @@
 || isOwner(securityToken, userId, wikitty, null);
 } else if ( ! canAdmin ) {
 // still not admin, check appAdmin
- if (getAppAdminGroup(securityToken) == null) {
- canAdmin = isAppAdmin(securityToken, userId);
- }
- } else {
- // no security policy, everything is allowed
- canAdmin = true;
+ canAdmin = userIsAnonymousOrAppAdmin(securityToken, userId);
 }
 return canAdmin;
Modified: trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java
===================================================================
--- trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java 2010-10-05 13:34:48 UTC (rev 386)
+++ trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java 2010-10-05 14:23:14 UTC (rev 387)
@@ -45,6 +45,12 @@
 securityService = new WikittyServiceSecurity(inMemoryService);
+ /** /
+ // FIXME 20101005 bleny implementation should be able to allow
+ // passing trough two security layers
+ securityService = new WikittyServiceSecurity(securityService);
+ /**/
+
 service = securityService;
 // token = service.login(APPADMIN_LOGIN, APPADMIN_PASSWORD);
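Review bot: `refuseUnauthorizedRead` now returns silently when `wikitty` is null, which makes an authorization check fail open, and nothing in the hunk records whether a null wikitty means "no object was found" or a caller error. If null is the legitimate not-found case, say so at the new guard, `// nothing to check: a null wikitty means no object was found`; if it is not, `Objects.requireNonNull(wikitty, "wikitty");` keeps the check closed. Separately, the retained `SecurityException` message formats the whole `wikitty` with `%s`; it is worth confirming that its `toString` does not echo field content back to a caller who has just been refused read access on it.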
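Review bot: The retained comment `// still not admin, check appAdmin` no longer describes the line below it, because `userIsAnonymousOrAppAdmin` (hunk `@@ -200,6 +200,20 @@`) also returns true for a null token when no appAdmin group exists, so this branch can set `canAdmin` for an anonymous caller. Update it to `// still not admin: allow appAdmin, or an anonymous caller while no appAdmin group exists (bootstrap)`. The `if` this `else if` belongs to starts above the hunk, so which policy state reaches the branch cannot be confirmed from here.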
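Review bot: The `/** /` … `/**/` toggle disables the two-layer wrapping inside the fixture, so the scenario named in the FIXME is neither run nor reported as skipped and will not surface in any test output; a separate, explicitly ignored test method carrying the FIXME keeps the gap visible. `passing trough` in the FIXME should read `passing through`. If the wrapped line is later enabled, `securityService` is rebound to the outer layer, so assertions written against the inner one would need to be revisited.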