Author: ghuber
Date: Sun Jan 12 13:58:44 2014
New Revision: 1557537
URL: http://svn.apache.org/r1557537
Log:
Fix for ROL-1983 to stop unauthorised access to user data.
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/ajax/UserDataServlet.java
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
roller/trunk/app/src/main/webapp/WEB-INF/web.xml
roller/trunk/app/src/main/webapp/roller-ui/scripts/ajax-user.js
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/ajax/UserDataServlet.java
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/ajax/UserDataServlet.java?rev=1557537&r1=1557536&r2=1557537&view=diff
==============================================================================
---
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/ajax/UserDataServlet.java
(original)
+++
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/ajax/UserDataServlet.java
Sun Jan 12 13:58:44 2014
@@ -20,38 +20,59 @@ package org.apache.roller.weblogger.ui.s
import java.io.IOException;
import java.util.List;
+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+
import org.apache.roller.weblogger.WebloggerException;
import org.apache.roller.weblogger.business.Weblogger;
import org.apache.roller.weblogger.business.WebloggerFactory;
import org.apache.roller.weblogger.business.UserManager;
import org.apache.roller.weblogger.pojos.User;
-
+import org.apache.roller.weblogger.ui.rendering.util.WeblogRequest;
/**
* Return list of users matching a startsWith strings. <br />
* Accepts request params (none required):<br />
- * startsWith: string to be matched against username and email address<br
/>
- * enabled: true include only enabled users (default: no restriction<br />
- * offset: offset into results (for paging)<br />
- * length: number of users to return (max is 50)<br /><br />
+ * startsWith: string to be matched against username and email address<br />
+ * enabled: true include only enabled users (default: no restriction<br />
+ * offset: offset into results (for paging)<br />
+ * length: number of users to return (max is 50)<br />
+ * <br />
* List format:<br />
- * username0, emailaddress0 <br/>
- * username1, emailaddress1 <br/>
- * username2, emailaddress2 <br/>
- * usernameN, emailaddressN <br/>
+ * username0, emailaddress0 <br/>
+ * username1, emailaddress1 <br/>
+ * username2, emailaddress2 <br/>
+ * usernameN, emailaddressN <br/>
*/
public class UserDataServlet extends HttpServlet {
-
+
+ private static final long serialVersionUID = -7596671919118637768L;
private static final int MAX_LENGTH = 50;
-
- public void doGet(HttpServletRequest request,
- HttpServletResponse response)
+
+ public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
-
+
+ WeblogRequest weblogRequest = null;
+ try {
+ weblogRequest = new WeblogRequest(request);
+
+ // Make sure we have the correct authority
+ User user = weblogRequest.getUser();
+ if (user == null || !user.hasGlobalPermission("admin")) {
+ // user not found or not admin
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
+
+ } catch (Exception e) {
+ // some kind of error just return
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ return;
+ }
+
String startsWith = request.getParameter("startsWith");
Boolean enabledOnly = null;
int offset = 0;
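Review bot: The catch at L87 discards `e` and answers 404 exactly as the not-admin branch does, so a failure inside `new WeblogRequest(request)` or `getUser()` is indistinguishable from a denied request and leaves no trace for operators; an authorization gate that can fail silently is hard to monitor. Catch the exception type the `WeblogRequest` constructor actually declares rather than `Exception`, and record it before returning, e.g. `} catch (WebloggerException e) { // confirm this is what WeblogRequest(request) declares` followed by a warn-level log of the message and cause through the class's logger (add a commons-logging `Log` field if the class has none; none is visible in the imports). Relatedly, `weblogRequest` at L75 is assigned `null` and only read inside the try, so `WeblogRequest weblogRequest = new WeblogRequest(request);` can live inside the try block. Consider also a one-line comment on L81 stating that a 404 rather than 403 is deliberate so the endpoint's existence is not revealed to non-admins, since that intent is not obvious from the code. doGet continues in the next hunk.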
@@ -64,16 +85,18 @@ public class UserDataServlet extends Htt
}
try {
offset = Integer.parseInt(request.getParameter("offset"));
- } catch (Exception ignored) {}
+ } catch (Exception ignored) {
+ }
try {
length = Integer.parseInt(request.getParameter("length"));
- } catch (Exception ignored) {}
-
+ } catch (Exception ignored) {
+ }
+
Weblogger roller = WebloggerFactory.getWeblogger();
try {
UserManager umgr = roller.getUserManager();
- List<User> users =
- umgr.getUsersStartingWith(startsWith, enabledOnly, offset,
length);
+ List<User> users = umgr.getUsersStartingWith(startsWith,
+ enabledOnly, offset, length);
for (User user : users) {
response.getWriter().print(user.getUserName());
response.getWriter().print(",");
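Review bot: The reformatted handlers at L101 and L107 still catch `Exception` around `Integer.parseInt`, although `parseInt` throws only `NumberFormatException` (including for a missing parameter, where the argument is `null`), so the broad catch hides any other programming error in the block; narrow both to `} catch (NumberFormatException ignored) {`. Whether negative or oversized `offset`/`length` values are clamped to `MAX_LENGTH` before reaching `getUsersStartingWith` at L116 is decided in the lines between the two hunks, which are not shown here, so that should be confirmed separately. doGet starts in the previous hunk and ends in the next one.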
@@ -84,5 +107,5 @@ public class UserDataServlet extends Htt
throw new ServletException(e.getMessage());
}
}
-
+
}
Modified:
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties?rev=1557537&r1=1557536&r2=1557537&view=diff
==============================================================================
---
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
(original)
+++
roller/trunk/app/src/main/resources/org/apache/roller/weblogger/config/roller.properties
Sun Jan 12 13:58:44 2014
@@ -398,7 +398,7 @@ schemeenforcement.https.urls=/roller_j_s
/roller-ui/profile.rol,/roller-ui/profile!save.rol,\
/roller-ui/admin/userAdmin.rol,\
/roller-ui/admin/createUser.rol,/roller-ui/admin/createUser!save.rol,\
-/roller-ui/authoring/userdata,\
+/roller-ui/admin/userdata,\
/roller-ui/authoring/membersInvite.rol,/roller-ui/authoring/membersInvite!save.rol
# Ignored extensions otherwise we get SSL mixed content issues
Modified: roller/trunk/app/src/main/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/webapp/WEB-INF/web.xml?rev=1557537&r1=1557536&r2=1557537&view=diff
==============================================================================
--- roller/trunk/app/src/main/webapp/WEB-INF/web.xml (original)
+++ roller/trunk/app/src/main/webapp/WEB-INF/web.xml Sun Jan 12 13:58:44 2014
@@ -411,7 +411,7 @@
<servlet-mapping>
<servlet-name>UserDataServlet</servlet-name>
- <url-pattern>/roller-ui/authoring/userdata/*</url-pattern>
+ <url-pattern>/roller-ui/admin/userdata/*</url-pattern>
</servlet-mapping>
Modified: roller/trunk/app/src/main/webapp/roller-ui/scripts/ajax-user.js
URL:
http://svn.apache.org/viewvc/roller/trunk/app/src/main/webapp/roller-ui/scripts/ajax-user.js?rev=1557537&r1=1557536&r2=1557537&view=diff
==============================================================================
--- roller/trunk/app/src/main/webapp/roller-ui/scripts/ajax-user.js (original)
+++ roller/trunk/app/src/main/webapp/roller-ui/scripts/ajax-user.js Sun Jan 12
13:58:44 2014
@@ -30,7 +30,7 @@ function createRequestObject() {
var http = createRequestObject();
var init = false;
var isBusy = false;
-var userURL = "<%= request.getContextPath() %>" +
"/roller-ui/authoring/userdata?length=50";
+var userURL = "<%= request.getContextPath() %>" +
"/roller-ui/admin/userdata?length=50";
function onUserNameFocus(enabled) {
if (!init) {