improve security

2025-11-12 08:25:44 +01:00 · 2011-02-21 13:54:20 +01:00
parent a1070bd0f5
commit 4591df1163
3 changed files with 84 additions and 3 deletions
--- a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
+++ b/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
@@ -142,6 +142,36 @@ public class SecurityUtil
    return user;
  }

+  /**
+   * Method description
+   *
+   *
+   * @param contextProvider
+   *
+   * @return
+   */
+  public static boolean isAdmin(
+          Provider<? extends SecurityContext> contextProvider)
+  {
+    return isAdmin(contextProvider.get());
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param contextProvider
+   *
+   * @return
+   */
+  public static boolean isAdmin(SecurityContext contextProvider)
+  {
+    AssertUtil.assertIsNotNull(contextProvider);
+
+    return (contextProvider.getUser() != null)
+           && contextProvider.getUser().isAdmin();
+  }
+
  /**
   * Method description
   *
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/GroupResource.java
@@ -36,11 +36,14 @@ package sonia.scm.api.rest.resources;
 //~--- non-JDK imports --------------------------------------------------------

 import com.google.inject.Inject;
+import com.google.inject.Provider;
 import com.google.inject.Singleton;

 import sonia.scm.group.Group;
 import sonia.scm.group.GroupException;
 import sonia.scm.group.GroupManager;
+import sonia.scm.util.SecurityUtil;
+import sonia.scm.web.security.WebSecurityContext;

 //~--- JDK imports ------------------------------------------------------------

@@ -48,6 +51,8 @@ import java.util.Collection;

 import javax.ws.rs.Path;
 import javax.ws.rs.core.GenericEntity;
+import javax.ws.rs.core.Request;
+import javax.ws.rs.core.Response;

 /**
 *
@@ -68,12 +73,44 @@ public class GroupResource
   * Constructs ...
   *
   *
+   *
+   * @param securityContextProvider
   * @param groupManager
   */
  @Inject
-  public GroupResource(GroupManager groupManager)
+  public GroupResource(Provider<WebSecurityContext> securityContextProvider,
+                       GroupManager groupManager)
  {
    super(groupManager);
+    this.securityContextProvider = securityContextProvider;
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param request
+   * @param id
+   *
+   * @return
+   */
+  @Override
+  public Response get(Request request, String id)
+  {
+    Response response = null;
+
+    if (SecurityUtil.isAdmin(securityContextProvider))
+    {
+      response = super.get(request, id);
+    }
+    else
+    {
+      response = Response.status(Response.Status.FORBIDDEN).build();
+    }
+
+    return response;
  }

  //~--- methods --------------------------------------------------------------
@@ -121,4 +158,9 @@ public class GroupResource
  {
    return PATH_PART;
  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private Provider<WebSecurityContext> securityContextProvider;
 }
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
@@ -106,9 +106,18 @@ public class UserResource extends AbstractManagerResource<User, UserException>
  @Override
  public Response get(Request request, String id)
  {
-    SecurityUtil.assertIsAdmin(securityContextProvider);
+    Response response = null;

-    return super.get(request, id);
+    if (SecurityUtil.isAdmin(securityContextProvider))
+    {
+      response = super.get(request, id);
+    }
+    else
+    {
+      response = Response.status(Response.Status.FORBIDDEN).build();
+    }
+
+    return response;
  }

  //~--- methods --------------------------------------------------------------