quantranhong1999 commented on code in PR #3000:
URL: https://github.com/apache/james-project/pull/3000#discussion_r3063326842
##########
server/protocols/webadmin/webadmin-core/src/main/java/org/apache/james/webadmin/authentication/PasswordFilter.java:
##########
@@ -39,12 +40,68 @@ public class PasswordFilter implements AuthenticationFilter
{
public static final String AUTHORIZATION_HEADER_PREFIX = "Bearer ";
public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
- private final List<String> passwords;
+ private static final String GET_METHOD = "GET";
+ private static final String DELETE_METHOD = "DELETE";
+ private final Optional<List<String>> passwords;
+ private final Optional<List<String>> readOnlyPasswords;
+ private final Optional<List<String>> noDeletePasswords;
+
+ /**
+ * @param passwordString optional comma-separated list of full-access
passwords
+ * @param readOnlyPasswordString optional comma-separated list of
read-only passwords
+ * @param noDeletePasswordString optional comma-separated list of
no-delete passwords
+ */
@Inject
- public PasswordFilter(String passwordString) {
- this.passwords = Splitter.on(',')
- .splitToList(passwordString);
+ public PasswordFilter(Optional<String> passwordString, Optional<String>
readOnlyPasswordString, Optional<String> noDeletePasswordString) {
+ this.passwords = splitOptionalPasswords(passwordString);
+ this.readOnlyPasswords =
splitOptionalPasswords(readOnlyPasswordString);
+ this.noDeletePasswords =
splitOptionalPasswords(noDeletePasswordString);
+ }
+
+ private Optional<List<String>> splitOptionalPasswords(Optional<String>
optionalPasswordString) {
+ return optionalPasswordString.map(this::splitPasswords);
+ }
+
+ private List<String> splitPasswords(String passwordString) {
+ if (passwordString == null || passwordString.isEmpty()) {
+ return ImmutableList.of();
+ }
+ return Splitter.on(',').splitToList(passwordString);
+ }
+
+ private enum AccessLevel {
+ FULL,
+ NO_DELETE,
+ READ_ONLY,
+ NONE
+ }
+
+ private AccessLevel getAccessLevel(String password) {
+ if (passwords.isPresent() && passwords.get().contains(password)) {
+ return AccessLevel.FULL;
+ }
+ if (noDeletePasswords.isPresent() &&
noDeletePasswords.get().contains(password)) {
+ return AccessLevel.NO_DELETE;
+ }
+ if (readOnlyPasswords.isPresent() &&
readOnlyPasswords.get().contains(password)) {
+ return AccessLevel.READ_ONLY;
+ }
+ return AccessLevel.NONE;
+ }
+
+ private boolean isAccessAllowed(AccessLevel accessLevel, String
httpMethod) {
+ switch (accessLevel) {
+ case FULL:
+ return true;
+ case NO_DELETE:
+ return !httpMethod.equals(DELETE_METHOD);
+ case READ_ONLY:
+ return httpMethod.equals(GET_METHOD);
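Review bot: `Splitter.on(',').splitToList(passwordString)` in `splitPasswords` keeps empty segments, so a trailing or doubled comma in any of the three settings (e.g. `secret,`) puts `""` into the accepted list, and the `isEmpty()` guard just above only covers the whole string, not individual entries; whether an empty bearer token can reach `getAccessLevel` depends on header parsing outside this hunk, but an empty element should never be a credential. Use `Splitter.on(',').trimResults().omitEmptyStrings().splitToList(passwordString)` so stray whitespace and empty entries are dropped, which also makes the whole-string `isEmpty()` check redundant. Separately, `passwords.get().contains(password)` compares with `String.equals`, which is not constant-time; if that matters for this deployment, matching entries via `MessageDigest.isEqual` over UTF-8 bytes closes the timing channel. Because `getAccessLevel` tests FULL before NO_DELETE and READ_ONLY, a password listed in more than one setting silently resolves to the most privileged level, which deserves either a comment stating that precedence or a startup check rejecting overlapping lists. The `isAccessAllowed` switch continues past the end of the quoted hunk.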
Review Comment:
Support the HEAD method for the READ_ONLY case too? e.g.
```
Testing a user existence
curl -XHEAD http://ip:port/users/usernameToBeUsed
```