Posted to commits@archiva.apache.org by ol...@apache.org on 2022/04/13 02:05:48 UTC
[archiva-redback-core] branch redback-2.6.x updated: ensure user update has correct permissions
This is an automated email from the ASF dual-hosted git repository.
olamy pushed a commit to branch redback-2.6.x
in repository https://gitbox.apache.org/repos/asf/archiva-redback-core.git
The following commit(s) were added to refs/heads/redback-2.6.x by this push:
new e8378c3e ensure user update has correct permissions
e8378c3e is described below
commit e8378c3ef8ed328790e6cce8732cd58cf1c8438d
Author: Olivier Lamy <ol...@apache.org>
AuthorDate: Wed Apr 13 12:04:15 2022 +1000
ensure user update has correct permissions
Signed-off-by: Olivier Lamy <ol...@apache.org>
---
.../security/role/RedbackRoleConstants.java | 34 +++++++++++-----------
.../redback/rest/services/DefaultUserService.java | 26 +++++++++++++++--
.../rest/services/RoleManagementServiceTest.java | 2 --
3 files changed, 41 insertions(+), 21 deletions(-)
diff --git a/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java b/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
index b7241b96..3f532305 100644
--- a/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
+++ b/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
@@ -27,46 +27,46 @@ package org.apache.archiva.redback.integration.security.role;
*/
public interface RedbackRoleConstants
{
- public static final String ADMINISTRATOR_ACCOUNT_NAME = "admin";
+ String ADMINISTRATOR_ACCOUNT_NAME = "admin";
// roles
- public static final String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
+ String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
- public static final String USER_ADMINISTRATOR_ROLE = "User Administrator";
+ String USER_ADMINISTRATOR_ROLE = "User Administrator";
- public static final String REGISTERED_USER_ROLE = "Registered User";
+ String REGISTERED_USER_ROLE = "Registered User";
/**
* @since 1.4
*/
- public static final String REGISTERED_USER_ROLE_ID = "registered-user";
+ String REGISTERED_USER_ROLE_ID = "registered-user";
- public static final String GUEST_ROLE = "Guest";
+ String GUEST_ROLE = "Guest";
// guest access operation
- public static final String GUEST_ACCESS_OPERATION = "guest-access";
+ String GUEST_ACCESS_OPERATION = "guest-access";
// operations against configuration
- public static final String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
+ String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
// operations against user
- public static final String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
+ String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
- public static final String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
+ String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
- public static final String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
+ String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
- public static final String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
+ String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
- public static final String USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
+ String USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
// operations against user assignment.
- public static final String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
+ String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
- public static final String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
+ String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
// operations against rbac objects.
- public static final String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
+ String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
- public static final String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
+ String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
}
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
index d85ad416..c11d7102 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
@@ -72,6 +72,7 @@ import javax.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import java.util.Set;
@@ -372,6 +373,27 @@ public class DefaultUserService
public Boolean updateUser( User user )
throws RedbackServiceException
{
+
+ // check username == one in the session
+ RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get();
+ if ( redbackRequestInformation == null || redbackRequestInformation.getUser() == null )
+ {
+ log.warn( "RedbackRequestInformation from ThreadLocal is null" );
+ throw new RedbackServiceException( new ErrorMessage( "you must be logged to update your profile" ),
+ Response.Status.FORBIDDEN.getStatusCode() );
+ }
+ if ( user == null )
+ {
+ throw new RedbackServiceException( new ErrorMessage( "user parameter is mandatory" ),
+ Response.Status.BAD_REQUEST.getStatusCode() );
+ }
+ if ( !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), user.getUsername() )
+ && !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME) )
+ {
+ throw new RedbackServiceException( new ErrorMessage( "you can update only your profile" ),
+ Response.Status.FORBIDDEN.getStatusCode() );
+ }
+
try
{
org.apache.archiva.redback.users.User rawUser = userManager.findUser( user.getUsername(), false );
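Review bot: The authorization decision in the two-condition check near the end of the hunk is keyed on the literal account name `RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME` rather than on an RBAC operation, so a caller holding the User Administrator role under any other username is refused, while the `admin` name is trusted regardless of what roles are actually assigned to it. Checking the operation the project already defines for this purpose, `RedbackRoleConstants.USER_MANAGEMENT_USER_EDIT_OPERATION`, would match the commit title more faithfully; the exact call depends on the authorization API available to this service, which the hunk does not show. The self-update branch also accepts every field of `user` as submitted, so if the copy into `rawUser` further down carries over flags such as locked, validated or permanent from the request, a non-admin could alter them on their own account — that code is outside the hunk, so confirm. The comparison is case-sensitive through `StringUtils.equals`; if the user manager treats usernames case-insensitively, `StringUtils.equalsIgnoreCase` would be the consistent choice, otherwise a differently-cased self-reference is rejected while the same user passes elsewhere. updateUser's body continues outside the hunk.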
@@ -587,7 +609,7 @@ public class DefaultUserService
applicationUrl = getBaseUrl();
}
- mailer.sendPasswordResetEmail( Arrays.asList( user.getEmail() ), authkey, applicationUrl );
+ mailer.sendPasswordResetEmail( Collections.singletonList( user.getEmail() ), authkey, applicationUrl );
log.info( "password reset request for username {}", username );
}
catch ( UserNotFoundException e )
@@ -679,7 +701,7 @@ public class DefaultUserService
log.debug( "register user {} with email {} and app url {}", u.getUsername(), u.getEmail(), baseUrl );
- mailer.sendAccountValidationEmail( Arrays.asList( u.getEmail() ), authkey, baseUrl );
+ mailer.sendAccountValidationEmail( Collections.singletonList( u.getEmail() ), authkey, baseUrl );
securityPolicy.setEnabled( false );
userManager.addUser( u );
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
index 0d02005b..bf2ec3cd 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
@@ -94,8 +94,6 @@ public class RoleManagementServiceTest
catch ( ForbiddenException e )
{
assertEquals( 403, e.getResponse().getStatus() );
-
-
}
// assign the role and retry