Posted to commits@roller.apache.org by gm...@apache.org on 2014/08/02 17:55:15 UTC

svn commit: r1615325 - in /roller/trunk/app/src/main: java/org/apache/roller/weblogger/ui/struts2/editor/Members.java resources/ApplicationResources.properties

Author: gmazza
Date: Sat Aug  2 15:55:14 2014
New Revision: 1615325

URL: http://svn.apache.org/r1615325
Log:
Turned off ability of global admin to remove everyone from a blog, thereby preventing orphan blogs that no one can access.

Modified:
    roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java
    roller/trunk/app/src/main/resources/ApplicationResources.properties

Modified: roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java?rev=1615325&r1=1615324&r2=1615325&view=diff
==============================================================================
--- roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java (original)
+++ roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java Sat Aug  2 15:55:14 2014
@@ -65,26 +65,36 @@ public class Members extends UIAction im
     public String save() {
         
         log.debug("Attempting to process weblog permissions updates");
-        
+        int numAdmins = 0; // make sure at least one admin
         int removed = 0;
         int changed = 0;
         List<WeblogPermission> permsList = new ArrayList<WeblogPermission>();
         try {
             UserManager userMgr = WebloggerFactory.getWeblogger().getUserManager();   
-            List<WeblogPermission> permissions = userMgr.getWeblogPermissionsIncludingPending(getActionWeblog());
+            List<WeblogPermission> permsFromDB = userMgr.getWeblogPermissionsIncludingPending(getActionWeblog());
 
             // we have to copy the permissions list so that when we remove permissions
             // below we don't get ConcurrentModificationExceptions
-            for (WeblogPermission perm : permissions) {
+            for (WeblogPermission perm : permsFromDB) {
                 permsList.add(perm);
             }
-            // one iteration for each line (user) in the members table
+
+            /* Check to see at least one admin would remain defined as a result of the save.
+             * Not normally a problem, as only a blog admin can access this page and admins can't
+             * demote themselves. However, the blog server admin can always access this page and
+             * remove everyone even if not a member of the blog, causing orphan blogs unless this
+             * check is in place.
+             *
+             * Also checking here to make sure an Admin is not demoting or removing himself.
+             */
+            User user = getAuthenticatedUser();
+            boolean error = false;
             for (WeblogPermission perms : permsList) {
-                
                 String sval = getParameter("perm-" + perms.getUser().getId());
                 if (sval != null) {
-                    boolean error = false;
-                    User user = getAuthenticatedUser();
+                    if (sval.equals(WeblogPermission.ADMIN) && !perms.isPending()) {
+                        numAdmins++;
+                    }
                     if (perms.getUser().getUserName().equals(user.getUserName())) {
                         // can't modify self
                         if (!sval.equals(WeblogPermission.ADMIN)) {
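Review bot: The admin count at `numAdmins++` is built only from submitted `perm-<id>` values, so it can disagree with the roles that will actually be stored. A member whose parameter is absent from the request is skipped by the `sval != null` test here and by the apply loop added further down, so an existing admin who is left untouched is not counted and a valid save can be rejected with `memberPermissions.oneAdminRequired`. That fails on the safe side, but counting the effective role would make the check match the outcome: `boolean staysAdmin = (sval != null) ? sval.equals(WeblogPermission.ADMIN) : perms.hasAction(WeblogPermission.ADMIN);` followed by `if (staysAdmin && !perms.isPending()) numAdmins++;`. This assumes `hasAction` reports the stored role, as its use in the apply loop suggests. `save()` continues past the end of this hunk.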
@@ -92,6 +102,17 @@ public class Members extends UIAction im
                             addError("memberPermissions.noSelfModifications");
                         }
                     }
+                }
+            }
+            if (numAdmins == 0) {
+                addError("memberPermissions.oneAdminRequired");
+                error = true;
+            }
+            // one iteration for each line (user) in the members table
+            for (WeblogPermission perms : permsList) {
+
+                String sval = getParameter("perm-" + perms.getUser().getId());
+                if (sval != null) {
                     if (!error && !perms.hasAction(sval)) {
                         if ("-1".equals(sval)) {
                              userMgr.revokeWeblogPermission(
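Review bot: The `if (numAdmins == 0)` check and the loop that applies the changes are separate passes over a list read once from `getWeblogPermissionsIncludingPending`, and nothing visible in this hunk serializes concurrent saves for the same weblog. Two requests that each demote a different admin would each count one remaining admin in their own form data and, if they interleave, could leave the blog with none, which is the orphan state this commit is meant to prevent. A re-count from the store after the grants and revokes, before the changes are committed, would close that gap, for example a loop over a fresh `getWeblogPermissionsIncludingPending(getActionWeblog())` with `if (!p.isPending() && p.hasAction(WeblogPermission.ADMIN)) remaining++;`, aborting the save when `remaining` is zero. The revoke call and the rest of `save()` lie outside the hunk, so whether a later flush or transaction boundary already covers this cannot be told from here.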

Modified: roller/trunk/app/src/main/resources/ApplicationResources.properties
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/ApplicationResources.properties?rev=1615325&r1=1615324&r2=1615325&view=diff
==============================================================================
--- roller/trunk/app/src/main/resources/ApplicationResources.properties (original)
+++ roller/trunk/app/src/main/resources/ApplicationResources.properties Sat Aug  2 15:55:14 2014
@@ -899,6 +899,7 @@ memberPermissions.limited=Limited
 memberPermissions.remove=Remove
 
 memberPermissions.noSelfModifications=Only another admin may alter your role.
+memberPermissions.oneAdminRequired=Blog must have at least one admin.
 memberPermissions.membersRemoved=Removed {0} user(s)
 memberPermissions.membersChanged=Changed permission for {0} user(s)