Posted to commits@roller.apache.org by gm...@apache.org on 2014/08/02 17:55:15 UTC
svn commit: r1615325 - in /roller/trunk/app/src/main:
java/org/apache/roller/weblogger/ui/struts2/editor/Members.java
resources/ApplicationResources.properties
Author: gmazza
Date: Sat Aug 2 15:55:14 2014
New Revision: 1615325
URL: http://svn.apache.org/r1615325
Log:
Turned off ability of global admin to remove everyone from a blog, thereby preventing orphan blogs that no one can access.
Modified:
roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java
roller/trunk/app/src/main/resources/ApplicationResources.properties
Modified: roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java?rev=1615325&r1=1615324&r2=1615325&view=diff
==============================================================================
--- roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java (original)
+++ roller/trunk/app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/Members.java Sat Aug 2 15:55:14 2014
@@ -65,26 +65,36 @@ public class Members extends UIAction im
public String save() {
log.debug("Attempting to process weblog permissions updates");
-
+ int numAdmins = 0; // make sure at least one admin
int removed = 0;
int changed = 0;
List<WeblogPermission> permsList = new ArrayList<WeblogPermission>();
try {
UserManager userMgr = WebloggerFactory.getWeblogger().getUserManager();
- List<WeblogPermission> permissions = userMgr.getWeblogPermissionsIncludingPending(getActionWeblog());
+ List<WeblogPermission> permsFromDB = userMgr.getWeblogPermissionsIncludingPending(getActionWeblog());
// we have to copy the permissions list so that when we remove permissions
// below we don't get ConcurrentModificationExceptions
- for (WeblogPermission perm : permissions) {
+ for (WeblogPermission perm : permsFromDB) {
permsList.add(perm);
}
- // one iteration for each line (user) in the members table
+
+ /* Check to see at least one admin would remain defined as a result of the save.
+ * Not normally a problem, as only a blog admin can access this page and admins can't
+ * demote themselves. However, the blog server admin can always access this page and
+ * remove everyone even if not a member of the blog, causing orphan blogs unless this
+ * check is in place.
+ *
+ * Also checking here to make sure an Admin is not demoting or removing himself.
+ */
+ User user = getAuthenticatedUser();
+ boolean error = false;
for (WeblogPermission perms : permsList) {
-
String sval = getParameter("perm-" + perms.getUser().getId());
if (sval != null) {
- boolean error = false;
- User user = getAuthenticatedUser();
+ if (sval.equals(WeblogPermission.ADMIN) && !perms.isPending()) {
+ numAdmins++;
+ }
if (perms.getUser().getUserName().equals(user.getUserName())) {
// can't modify self
if (!sval.equals(WeblogPermission.ADMIN)) {
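Review bot: The `numAdmins` count in the first loop only sees rows whose `perm-<userId>` parameter is present, so it measures what the request submitted rather than what the blog will hold after the save. A non-pending admin whose parameter is missing is skipped by `if (sval != null)` in both loops, keeps the role, and is still not counted, which can reject a valid save with `memberPermissions.oneAdminRequired`. That fails closed, but an `else` branch on `if (sval != null)` that counts the stored role would make the check match the resulting state, e.g. `else if (perms.hasAction(WeblogPermission.ADMIN) && !perms.isPending()) { numAdmins++; }`, assuming `hasAction` reports the stored role as its later use suggests. `error` is now shared by every row, so one self-modification error blocks all other changes in the request; a short comment saying this all-or-nothing behaviour is intended would help. The body of `save()` continues outside this hunk.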
@@ -92,6 +102,17 @@ public class Members extends UIAction im
addError("memberPermissions.noSelfModifications");
}
}
+ }
+ }
+ if (numAdmins == 0) {
+ addError("memberPermissions.oneAdminRequired");
+ error = true;
+ }
+ // one iteration for each line (user) in the members table
+ for (WeblogPermission perms : permsList) {
+
+ String sval = getParameter("perm-" + perms.getUser().getId());
+ if (sval != null) {
if (!error && !perms.hasAction(sval)) {
if ("-1".equals(sval)) {
userMgr.revokeWeblogPermission(
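Review bot: The one-admin check and the revoke/grant pass that starts at `if (!error && !perms.hasAction(sval))` both work from the single `permsFromDB` snapshot, and nothing visible here serializes two saves on the same weblog. Two admins who demote each other at the same time would each see `numAdmins == 1` in their own request, and if both are applied the blog could end up with no admin, which is the orphan state this commit is meant to prevent. Unless `UserManager` or the transaction around `save()` already rules that out, consider re-checking the admin count against a fresh read just before the changes are committed, or enforcing the invariant inside `revokeWeblogPermission` and the grant path. At minimum a comment such as `// NOTE: admin check is per-request; concurrent saves are not serialized here` would record the limitation. The loop body continues past the end of this hunk.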
Modified: roller/trunk/app/src/main/resources/ApplicationResources.properties
URL: http://svn.apache.org/viewvc/roller/trunk/app/src/main/resources/ApplicationResources.properties?rev=1615325&r1=1615324&r2=1615325&view=diff
==============================================================================
--- roller/trunk/app/src/main/resources/ApplicationResources.properties (original)
+++ roller/trunk/app/src/main/resources/ApplicationResources.properties Sat Aug 2 15:55:14 2014
@@ -899,6 +899,7 @@ memberPermissions.limited=Limited
memberPermissions.remove=Remove
memberPermissions.noSelfModifications=Only another admin may alter your role.
+memberPermissions.oneAdminRequired=Blog must have at least one admin.
memberPermissions.membersRemoved=Removed {0} user(s)
memberPermissions.membersChanged=Changed permission for {0} user(s)