Posted to commits@openmeetings.apache.org by so...@apache.org on 2017/05/01 06:11:24 UTC
[33/50] [abbrv] openmeetings git commit: [OPENMEETINGS-1533] security
fixes
[OPENMEETINGS-1533] security fixes
Project: http://git-wip-us.apache.org/repos/asf/openmeetings/repo
Commit: http://git-wip-us.apache.org/repos/asf/openmeetings/commit/33065826
Tree: http://git-wip-us.apache.org/repos/asf/openmeetings/tree/33065826
Diff: http://git-wip-us.apache.org/repos/asf/openmeetings/diff/33065826
Branch: refs/heads/3.1.x
Commit: 33065826c2d03279e7dd1c31994094fb107107bb
Parents: ff9b359
Author: Maxim Solodovnik <so...@apache.org>
Authored: Fri Jan 20 05:53:40 2017 +0000
Committer: Maxim Solodovnik <so...@apache.org>
Committed: Fri Jan 20 05:53:40 2017 +0000
----------------------------------------------------------------------
.../openmeetings/db/dto/calendar/AppointmentDTO.java | 2 +-
.../openmeetings/webservice/CalendarWebService.java | 13 +++++++++++--
2 files changed, 12 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/openmeetings/blob/33065826/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
----------------------------------------------------------------------
diff --git a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
index dfa256b..45c7edf 100644
--- a/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
+++ b/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
@@ -100,7 +100,7 @@ public class AppointmentDTO implements Serializable {
a.setStart(start.getTime());
a.setEnd(end.getTime());
a.setDescription(description);
- a.setOwner(owner == null ? null : owner.get(userDao));
+ a.setOwner(owner == null ? null : userDao.get(owner.getId()));
a.setInserted(inserted);
a.setUpdated(updated);
a.setDeleted(deleted);
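Review bot: The owner lookup on the `+` line now takes only the client-supplied id and discards every other field of the DTO's owner, but nothing on the line records that intent, and an id that does not resolve presumably yields a null owner from `userDao.get`, which the web service later silently replaces with the session user. A comment such as `// only the owner id is trusted from the client; the User itself is loaded from the database` would keep the next maintainer from reverting to the DTO-built user, and if an unknown id should not be accepted the lookup result needs a check rather than the fall-back to null. The enclosing method starts before and ends after this hunk.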
http://git-wip-us.apache.org/repos/asf/openmeetings/blob/33065826/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
----------------------------------------------------------------------
diff --git a/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java b/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
index 3baed72..366bbae 100644
--- a/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
+++ b/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MediaType;
import org.apache.cxf.feature.Features;
import org.apache.openmeetings.db.dao.calendar.AppointmentDao;
+import org.apache.openmeetings.db.dao.room.RoomDao;
import org.apache.openmeetings.db.dao.server.SessiondataDao;
import org.apache.openmeetings.db.dao.user.UserDao;
import org.apache.openmeetings.db.dto.calendar.AppointmentDTO;
@@ -72,6 +73,8 @@ public class CalendarWebService {
private SessiondataDao sessionDao;
@Autowired
private UserDao userDao;
+ @Autowired
+ private RoomDao roomDao;
/**
* Load appointments by a start / end range for the current SID
@@ -288,8 +291,7 @@ public class CalendarWebService {
Long userId = sessionDao.check(sid);
log.debug("save userId:" + userId);
User u = userDao.get(userId);
- if (!AuthLevelUtil.hasWebServiceLevel(u.getRights())
- && (appointment.getOwner() != null || appointment.getRoom().isPublic() || !appointment.getRoom().isAppointment()))
+ if (!AuthLevelUtil.hasWebServiceLevel(u.getRights()) && appointment.getOwner() != null)
{
//TODO maybe additional checks are required
log.error("USER/Room modification as SOAP");
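Review bot: The log message `"USER/Room modification as SOAP"` no longer matches the condition on the `+` line, which now rejects only a non-web-service caller that supplied an owner; the room conditions were dropped from this check and room handling happens later in the method. Either change it to `log.error("USER modification as SOAP");` or extend the `//TODO` comment to say that room fields are sanitised after the owner assignment, so the next reader does not look for a missing room check here. The method's Javadoc should also state that callers without the web-service right may not set the owner at all. The enclosing method continues past this hunk.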
@@ -300,6 +302,13 @@ public class CalendarWebService {
if (a.getOwner() == null) {
a.setOwner(u);
}
+ if (a.getRoom().getId() != null) {
+ if (a.getRoom().isAppointment()) {
+ a.getRoom().setIspublic(false);
+ } else {
+ a.setRoom(roomDao.get(a.getRoom().getId()));
+ }
+ }
return new AppointmentDTO(appointmentDao.update(a, u.getId()));
} else {
log.error("save : wrong user level");
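Review bot: The new block at `if (a.getRoom().getId() != null)` dereferences `a.getRoom()` without a null check, so an appointment sent without a room fails with a NullPointerException before any of the new handling runs; `if (a.getRoom() != null && a.getRoom().getId() != null) {` closes that. In the else branch `roomDao.get(...)` with an id that does not exist presumably returns null, and the appointment is then updated with a null room instead of being rejected, so the lookup result should be checked before `a.setRoom(...)`. In the appointment-room branch only `ispublic` is forced to false while the rest of the client-supplied room object, id included, is handed to `appointmentDao.update`; unless the DAO verifies it, the code should confirm that the id refers to the room already attached to this appointment (or one the session user owns) before persisting. The enclosing method continues past this hunk.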