Posted to commits@openmeetings.apache.org by so...@apache.org on 2017/01/20 05:53:41 UTC
svn commit: r1779569 - in /openmeetings/application:
branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/
branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/
branches/3.2.x/openmeeti...
Author: solomax
Date: Fri Jan 20 05:53:40 2017
New Revision: 1779569
URL: http://svn.apache.org/viewvc?rev=1779569&view=rev
Log:
[OPENMEETINGS-1533] security fixes
Modified:
openmeetings/application/branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
openmeetings/application/branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
openmeetings/application/branches/3.2.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
openmeetings/application/branches/3.2.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
openmeetings/application/trunk/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
openmeetings/application/trunk/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
Modified: openmeetings/application/branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java (original)
+++ openmeetings/application/branches/3.1.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java Fri Jan 20 05:53:40 2017
@@ -100,7 +100,7 @@ public class AppointmentDTO implements S
a.setStart(start.getTime());
a.setEnd(end.getTime());
a.setDescription(description);
- a.setOwner(owner == null ? null : owner.get(userDao));
+ a.setOwner(owner == null ? null : userDao.get(owner.getId()));
a.setInserted(inserted);
a.setUpdated(updated);
a.setDeleted(deleted);
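Review bot: The new `a.setOwner(owner == null ? null : userDao.get(owner.getId()))` produces a null owner whenever the supplied owner has no id or an id that does not resolve, presumably because the DAO returns null on a miss, so the entity is silently built ownerless instead of the bad reference being reported. The CalendarWebService hunks on this page fall back to the session user in that case, which reads as intended there, but any other caller of this conversion gets the same silent downgrade. A one-line comment would keep the next reader from reinstating the old `owner.get(userDao)` form: `// resolve the owner by id only; every other client-supplied User field is deliberately discarded`. The enclosing conversion method starts and ends outside the hunk; the 3.2.x and trunk copies of this hunk are identical and the same applies there.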
Modified: openmeetings/application/branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java (original)
+++ openmeetings/application/branches/3.1.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java Fri Jan 20 05:53:40 2017
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MediaType;
import org.apache.cxf.feature.Features;
import org.apache.openmeetings.db.dao.calendar.AppointmentDao;
+import org.apache.openmeetings.db.dao.room.RoomDao;
import org.apache.openmeetings.db.dao.server.SessiondataDao;
import org.apache.openmeetings.db.dao.user.UserDao;
import org.apache.openmeetings.db.dto.calendar.AppointmentDTO;
@@ -72,6 +73,8 @@ public class CalendarWebService {
private SessiondataDao sessionDao;
@Autowired
private UserDao userDao;
+ @Autowired
+ private RoomDao roomDao;
/**
* Load appointments by a start / end range for the current SID
@@ -288,8 +291,7 @@ public class CalendarWebService {
Long userId = sessionDao.check(sid);
log.debug("save userId:" + userId);
User u = userDao.get(userId);
- if (!AuthLevelUtil.hasWebServiceLevel(u.getRights())
- && (appointment.getOwner() != null || appointment.getRoom().isPublic() || !appointment.getRoom().isAppointment()))
+ if (!AuthLevelUtil.hasWebServiceLevel(u.getRights()) && appointment.getOwner() != null)
{
//TODO maybe additional checks are required
log.error("USER/Room modification as SOAP");
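Review bot: The shortened condition now admits rooms whose `isPublic()`/`isAppointment()` flags were previously rejected for callers without the web-service level, so its safety depends on the sanitising block added further down in the same method, and nothing at this line says so; the `//TODO maybe additional checks are required` comment reads as if the gap were still open. I would replace the TODO with `// room flags from non-webservice callers are normalised below (roomDao block); owner must still be unset`. The enclosing save method starts and ends outside the hunk; the 3.2.x and trunk copies carry the same change.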
@@ -300,6 +302,13 @@ public class CalendarWebService {
if (a.getOwner() == null) {
a.setOwner(u);
}
+ if (a.getRoom().getId() != null) {
+ if (a.getRoom().isAppointment()) {
+ a.getRoom().setIspublic(false);
+ } else {
+ a.setRoom(roomDao.get(a.getRoom().getId()));
+ }
+ }
return new AppointmentDTO(appointmentDao.update(a, u.getId()));
} else {
log.error("save : wrong user level");
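Review bot: The added block only normalises a room that already has an id; a room arriving with `getId() == null`, which is precisely the case the removed `isPublic()`/`!isAppointment()` check used to cover, reaches `appointmentDao.update` with whatever flags the caller set, so for a session without the web-service level the public/non-appointment flags of a new room are no longer constrained anywhere in this method. An `else` branch that forces a new room into the appointment shape — at least `a.getRoom().setIspublic(false);` together with the appointment flag — or an explicit rejection would close that path. Two smaller points on the same lines: `a.getRoom().getId()` is dereferenced with no null guard, and since the earlier check no longer touches the room, a missing room now surfaces here as a NullPointerException; and `roomDao.get(a.getRoom().getId())` presumably returns null for an unknown id, leaving the appointment with a null room rather than an error. The enclosing method continues outside the hunk; the 3.2.x and trunk copies carry the identical block.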
Modified: openmeetings/application/branches/3.2.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.2.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/branches/3.2.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java (original)
+++ openmeetings/application/branches/3.2.x/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java Fri Jan 20 05:53:40 2017
@@ -100,7 +100,7 @@ public class AppointmentDTO implements S
a.setStart(start.getTime());
a.setEnd(end.getTime());
a.setDescription(description);
- a.setOwner(owner == null ? null : owner.get(userDao));
+ a.setOwner(owner == null ? null : userDao.get(owner.getId()));
a.setInserted(inserted);
a.setUpdated(updated);
a.setDeleted(deleted);
Modified: openmeetings/application/branches/3.2.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
URL: http://svn.apache.org/viewvc/openmeetings/application/branches/3.2.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/branches/3.2.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java (original)
+++ openmeetings/application/branches/3.2.x/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java Fri Jan 20 05:53:40 2017
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MediaType;
import org.apache.cxf.feature.Features;
import org.apache.openmeetings.db.dao.calendar.AppointmentDao;
+import org.apache.openmeetings.db.dao.room.RoomDao;
import org.apache.openmeetings.db.dao.server.SessiondataDao;
import org.apache.openmeetings.db.dao.user.UserDao;
import org.apache.openmeetings.db.dto.calendar.AppointmentDTO;
@@ -73,6 +74,8 @@ public class CalendarWebService {
private SessiondataDao sessionDao;
@Autowired
private UserDao userDao;
+ @Autowired
+ private RoomDao roomDao;
/**
* Load appointments by a start / end range for the current SID
@@ -289,8 +292,7 @@ public class CalendarWebService {
Sessiondata sd = sessionDao.check(sid);
log.debug("save userId:" + sd);
User u = userDao.get(sd.getUserId());
- if (!AuthLevelUtil.hasWebServiceLevel(u.getRights())
- && (appointment.getOwner() != null || appointment.getRoom().isPublic() || !appointment.getRoom().isAppointment()))
+ if (!AuthLevelUtil.hasWebServiceLevel(u.getRights()) && appointment.getOwner() != null)
{
//TODO maybe additional checks are required
log.error("USER/Room modification as SOAP");
@@ -301,6 +303,13 @@ public class CalendarWebService {
if (a.getOwner() == null) {
a.setOwner(u);
}
+ if (a.getRoom().getId() != null) {
+ if (a.getRoom().isAppointment()) {
+ a.getRoom().setIspublic(false);
+ } else {
+ a.setRoom(roomDao.get(a.getRoom().getId()));
+ }
+ }
return new AppointmentDTO(appointmentDao.update(a, u.getId()));
} else {
log.error("save : wrong user level");
Modified: openmeetings/application/trunk/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java
URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/trunk/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java (original)
+++ openmeetings/application/trunk/openmeetings-db/src/main/java/org/apache/openmeetings/db/dto/calendar/AppointmentDTO.java Fri Jan 20 05:53:40 2017
@@ -100,7 +100,7 @@ public class AppointmentDTO implements S
a.setStart(start.getTime());
a.setEnd(end.getTime());
a.setDescription(description);
- a.setOwner(owner == null ? null : owner.get(userDao));
+ a.setOwner(owner == null ? null : userDao.get(owner.getId()));
a.setInserted(inserted);
a.setUpdated(updated);
a.setDeleted(deleted);
Modified: openmeetings/application/trunk/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java
URL: http://svn.apache.org/viewvc/openmeetings/application/trunk/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java?rev=1779569&r1=1779568&r2=1779569&view=diff
==============================================================================
--- openmeetings/application/trunk/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java (original)
+++ openmeetings/application/trunk/openmeetings-webservice/src/main/java/org/apache/openmeetings/webservice/CalendarWebService.java Fri Jan 20 05:53:40 2017
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MediaType;
import org.apache.cxf.feature.Features;
import org.apache.openmeetings.db.dao.calendar.AppointmentDao;
+import org.apache.openmeetings.db.dao.room.RoomDao;
import org.apache.openmeetings.db.dao.server.SessiondataDao;
import org.apache.openmeetings.db.dao.user.UserDao;
import org.apache.openmeetings.db.dto.calendar.AppointmentDTO;
@@ -73,6 +74,8 @@ public class CalendarWebService {
private SessiondataDao sessionDao;
@Autowired
private UserDao userDao;
+ @Autowired
+ private RoomDao roomDao;
/**
* Load appointments by a start / end range for the current SID
@@ -289,8 +292,7 @@ public class CalendarWebService {
Sessiondata sd = sessionDao.check(sid);
log.debug("save userId:" + sd);
User u = userDao.get(sd.getUserId());
- if (!AuthLevelUtil.hasWebServiceLevel(u.getRights())
- && (appointment.getOwner() != null || appointment.getRoom().isPublic() || !appointment.getRoom().isAppointment()))
+ if (!AuthLevelUtil.hasWebServiceLevel(u.getRights()) && appointment.getOwner() != null)
{
//TODO maybe additional checks are required
log.error("USER/Room modification as SOAP");
@@ -301,6 +303,13 @@ public class CalendarWebService {
if (a.getOwner() == null) {
a.setOwner(u);
}
+ if (a.getRoom().getId() != null) {
+ if (a.getRoom().isAppointment()) {
+ a.getRoom().setIspublic(false);
+ } else {
+ a.setRoom(roomDao.get(a.getRoom().getId()));
+ }
+ }
return new AppointmentDTO(appointmentDao.update(a, u.getId()));
} else {
log.error("save : wrong user level");