Skip to content

Commit

Permalink
Updated permissions handling. Additional logging. (#397)
Browse files Browse the repository at this point in the history 
* Updated permissions handling. Additional logging.

Also includes a smidge of logging / TODO notes around hibernate / cache
weirdness experienced while working on this commit.

* Fixed imports.

My IDE's settings for switching direct imports to '*' was set too low,
so I undid the '*' import but forgot to fix the missing direct imports.

* chore: change pom parent (#377)

Co-authored-by: Bill Smith <[email protected]>

* Updated permissions handling. Additional logging.

Also includes a smidge of logging / TODO notes around hibernate / cache
weirdness experienced while working on this commit.

* Fixed imports.

My IDE's settings for switching direct imports to '*' was set too low,
so I undid the '*' import but forgot to fix the missing direct imports.

---------

Co-authored-by: Benito Gonzalez <[email protected]>
  • Loading branch information
@Naenyn @bjagg
Naenyn and bjagg authored Jan 31, 2025
1 parent 4bcda5a commit 960f69c
Show file tree
Hide file tree
Showing 5 changed files with 101 additions and 10 deletions.
5 changes: 5 additions & 0 deletions src/main/java/org/jasig/portlet/newsreader/dao/HibernateNewsStore.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -356,6 +356,11 @@ public NewsSet getNewsSet(String userId, String setName) {
NewsSet set = (NewsSet) q.uniqueResult();
if (logger.isDebugEnabled()) {
logger.debug(this.getSessionFactory().getStatistics().toString());
if (set != null) {
logger.debug("found " + set.getNewsConfigurations().size() + " news configurations");
} else {
logger.debug("no news configurations found");
}
}
return set;

Expand Down
27 changes: 24 additions & 3 deletions src/main/java/org/jasig/portlet/newsreader/mvc/portlet/reader/AdminNewsController.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,10 +20,16 @@

import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.portlet.ActionRequest;
import javax.portlet.PortletRequest;
import javax.portlet.PortletSecurityException;
import javax.portlet.RenderRequest;
import javax.portlet.RenderResponse;
import javax.servlet.http.HttpServletRequest;

import org.jasig.portlet.newsreader.mvc.AbstractNewsController;
import org.jasig.portlet.newsreader.service.RolesService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.jasig.portlet.newsreader.PredefinedNewsDefinition;
Expand All @@ -35,6 +41,8 @@
import org.springframework.web.portlet.ModelAndView;
import org.springframework.web.portlet.bind.annotation.ActionMapping;
import org.springframework.web.portlet.bind.annotation.RenderMapping;
import org.springframework.web.portlet.context.PortletApplicationContextUtils;
import org.springframework.web.portlet.util.PortletUtils;


/**
Expand All @@ -54,7 +62,13 @@ public class AdminNewsController {
private NewsStore newsStore;

@RenderMapping(params="action=administration")
public ModelAndView getAdminView(RenderRequest request,RenderResponse response) {
public ModelAndView getAdminView(RenderRequest request) throws PortletSecurityException {
if (!request.isUserInRole(AbstractNewsController.NEWS_ADMIN_ROLE)) {
log.warn("User [ {} ] with IP [ {} ] tried to access news administration!",
request.getRemoteUser(),
request.getProperty("REMOTE_ADDR"));
throw new PortletSecurityException("User does not have required admin role");
}

log.debug("Entering news admin");

Expand All @@ -67,7 +81,14 @@ public ModelAndView getAdminView(RenderRequest request,RenderResponse response)
}

@ActionMapping(params="action=deletePredefinedFeed")
public void deleteFeed(@RequestParam("id") Long id) {
public void deleteFeed(@RequestParam("id") Long id, ActionRequest request) throws PortletSecurityException {
if (!request.isUserInRole(AbstractNewsController.NEWS_ADMIN_ROLE)) {
log.warn("User [ {} ] with IP [ {} ] tried to access news administration!",
request.getRemoteUser(),
request.getProperty("REMOTE_ADDR"));
throw new PortletSecurityException("User does not have required admin role");
}

PredefinedNewsDefinition def = newsStore.getPredefinedNewsDefinition(id);
newsStore.deleteNewsDefinition(def);
}
Expand Down
65 changes: 59 additions & 6 deletions src/main/java/org/jasig/portlet/newsreader/mvc/portlet/reader/EditUserRomeController.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,17 @@
import javax.portlet.ActionRequest;
import javax.portlet.ActionResponse;
import javax.portlet.PortletRequest;
import javax.portlet.PortletURL;
import javax.portlet.RenderResponse;

import org.apache.commons.lang.StringUtils;
import org.jasig.portlet.newsreader.NewsConfiguration;
import org.jasig.portlet.newsreader.PredefinedNewsDefinition;
import org.jasig.portlet.newsreader.UserDefinedNewsConfiguration;
import org.jasig.portlet.newsreader.UserDefinedNewsDefinition;
import org.jasig.portlet.newsreader.adapter.RomeAdapter;
import org.jasig.portlet.newsreader.dao.NewsStore;
import org.jasig.portlet.newsreader.mvc.AbstractNewsController;
import org.jasig.portlet.newsreader.mvc.NewsListingCommand;
import org.jasig.portlet.newsreader.service.NewsSetResolvingService;
import org.slf4j.Logger;
Expand Down Expand Up @@ -96,7 +101,32 @@ public NewsListingCommand getNewsForm(PortletRequest request) throws Exception {
}

@RenderMapping(params = "action=editUrl")
public String getUserEditView(PortletRequest request) {
public String getUserEditView(PortletRequest request, RenderResponse response) {
log.debug("Returning editNewsUrl view");

// get the to-be-edited news configuration id
String[] formIdValues = request.getParameterMap().get("id");
String formId = null;
if (formIdValues != null && formIdValues.length > 0) {
formId = formIdValues[0];
}

// if user doesn't have permissions, redirect
if (StringUtils.isNotBlank(formId)) {
long lFormId = Long.parseLong(formId);
if (lFormId > -1) {
if (!canEditNewsConfiguration(request, lFormId)) {
log.warn("User [ {} ] with IP [ {} ] tried to edit news configuration [ {} ] without permission!",
request.getRemoteUser(),
request.getProperty("REMOTE_ADDR"),
lFormId);
PortletURL redirectUrl = response.createRenderURL();
redirectUrl.setParameter("action", "editPreferences");
request.setAttribute("redirectUrl", redirectUrl.toString());
}
}
}

return "editNewsUrl";
}

Expand All @@ -110,11 +140,19 @@ public void onSubmitAction(ActionRequest request, ActionResponse response,

if (form.getId() > -1) {

config = (UserDefinedNewsConfiguration) newsStore.getNewsConfiguration(form.getId());
definition = (UserDefinedNewsDefinition) config.getNewsDefinition();
definition.addParameter("url", form.getUrl());
definition.setName(form.getName());
log.debug("Updating");
if (canEditNewsConfiguration(request, form.getId())) {
config = (UserDefinedNewsConfiguration) newsStore.getNewsConfiguration(form.getId());
log.debug("User [ {} ] is updating news", request.getRemoteUser());
definition = (UserDefinedNewsDefinition) config.getNewsDefinition();
definition.addParameter("url", form.getUrl());
definition.setName(form.getName());
} else {
log.warn("User [ {} ] with IP [ {} ] tried to edit news configuration [ {} ] without permission!",
request.getRemoteUser(),
request.getProperty("REMOTE_ADDR"),
form.getId());
return;
}

} else {

Expand Down Expand Up @@ -143,4 +181,19 @@ public void onSubmitAction(ActionRequest request, ActionResponse response,

}

private boolean isPredefinedNewsConfiguration(NewsConfiguration newsConfiguration) {
return newsConfiguration.getNewsDefinition() instanceof PredefinedNewsDefinition;
}

private boolean canEditNewsConfiguration(PortletRequest request, long configurationId) {
boolean isAdmin = request.isUserInRole(AbstractNewsController.NEWS_ADMIN_ROLE);
NewsConfiguration configuration = newsStore.getNewsConfiguration(configurationId);
if (isPredefinedNewsConfiguration(configuration)) {
return isAdmin;
} else {
UserDefinedNewsConfiguration userConfiguration = (UserDefinedNewsConfiguration) configuration;
return isAdmin || userConfiguration.getNewsSet().getUserId().equals(request.getRemoteUser());
}
}

}
8 changes: 7 additions & 1 deletion src/main/java/org/jasig/portlet/newsreader/service/SharedNewsSetServiceImpl.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -77,13 +77,19 @@ public NewsSet getNewsSet(String fname, PortletRequest request) {
set.setUserId(userId);
set.setName(fname);
newsStore.storeNewsSet(set);
//TODO: the persisted set (line above) isn't always available to the line below. Hibernate being lazy?
set = newsStore.getNewsSet(userId, fname); // get set_id
}

// Persistent set is now loaded but may still need re-initalising since last use.
// by adding setId to session, we signal that initialisation has taken place.
if (session.getAttribute("setId", PortletSession.PORTLET_SCOPE) == null) {
logger.debug("re-initalising loaded newsSet "+set.getName());
if (set != null) {
logger.debug("re-initalising loaded newsSet " + set.getName());
} else {
logger.debug("attempting to re-initialize loaded newsSet, but it is null");
}

@SuppressWarnings("unchecked")
final Set<String> roles = rolesService.getUserRoles(request);

Expand Down
6 changes: 6 additions & 0 deletions src/main/webapp/WEB-INF/jsp/editNewsUrl.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,12 @@
<portlet:param name="action" value="editUrl"/>
</portlet:actionURL>

<c:if test="${not empty redirectUrl}">
<script type="text/javascript">
window.location.href = '${redirectUrl}';
</script>
</c:if>

<div class="container-fluid newsreader-container">
<div class="row newsreader-portlet-toolbar">
<div class="col-md-8 no-col-padding">
Expand Down

0 comments on commit 960f69c

Please sign in to comment.