Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-12 00:15:44 +01:00
Code Issues Packages Projects Releases Activity

fix security issue

Browse Source
This commit is contained in:
Sebastian Sdorra
2011-02-19 17:19:09 +01:00
parent e3979bca19
commit eb906db6f7
2 changed files with 89 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
scm-webapp/src/main/java/sonia/scm/api/rest/resources/AbstractManagerResource.java
View File

@@ -41,6 +41,7 @@ import org.slf4j.LoggerFactory;
import sonia.scm.LastModifiedAware;
import sonia.scm.Manager;
import sonia.scm.ModelObject;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.Util;
//~--- JDK imports ------------------------------------------------------------
@@ -56,7 +57,6 @@ import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.EntityTag;
@@ -145,20 +145,27 @@ public abstract class AbstractManagerResource<T extends ModelObject,
{
preCreate(item);
Response response = null;
try
{
manager.create(item);
response = Response.created(
uriInfo.getAbsolutePath().resolve(
getPathPart().concat("/").concat(getId(item)))).build();
}
catch (ScmSecurityException ex)
{
logger.warn("create is not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
}
catch (Exception ex)
{
logger.error("error during create", ex);
throw new WebApplicationException(ex);
response = Response.serverError().build();
}
return Response.created(
uriInfo.getAbsolutePath().resolve(
getPathPart().concat("/").concat(getId(item)))).build();
return response;
}
/**
@@ -173,27 +180,32 @@ public abstract class AbstractManagerResource<T extends ModelObject,
@Path("{id}")
public Response delete(@PathParam("id") String name)
{
Response response = null;
T item = manager.get(name);
if (item == null)
if (item != null)
{
throw new WebApplicationException(Response.Status.NOT_FOUND);
}
preDelete(item);
try
{
manager.delete(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
{
logger.warn("delete not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
}
catch (Exception ex)
{
logger.error("error during create", ex);
throw new WebApplicationException(ex);
logger.error("error during create", ex);
response = Response.serverError().build();
}
}
return Response.noContent().build();
return response;
}
/**
@@ -215,18 +227,28 @@ public abstract class AbstractManagerResource<T extends ModelObject,
public Response update(@Context UriInfo uriInfo,
@PathParam("id") String name, T item)
{
Response response = null;
preUpate(item);
try
{
manager.modify(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
{
logger.warn("delete not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
}
catch (Exception ex)
{
throw new WebApplicationException(ex);
logger.error("error during create", ex);
logger.error("error during create", ex);
response = Response.serverError().build();
}
return Response.noContent().build();
return response;
}
//~--- get methods ----------------------------------------------------------
@@ -246,17 +268,13 @@ public abstract class AbstractManagerResource<T extends ModelObject,
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
public Response get(@Context Request request, @PathParam("id") String id)
{
Response response = null;
T item = manager.get(id);
if (item == null)
if (item != null)
{
throw new WebApplicationException(Response.Status.NOT_FOUND);
}
prepareForReturn(item);
Response response = null;
if (disableCache)
{
response = Response.ok(item).build();
@@ -265,6 +283,11 @@ public abstract class AbstractManagerResource<T extends ModelObject,
{
response = createCacheResponse(request, item, item);
}
}
else
{
response = Response.status(Response.Status.NOT_FOUND).build();
}
return response;
}

32
scm-webapp/src/main/java/sonia/scm/api/rest/resources/UserResource.java
View File

@@ -36,6 +36,7 @@ package sonia.scm.api.rest.resources;
//~--- non-JDK imports --------------------------------------------------------
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import sonia.scm.security.EncryptionHandler;
@@ -43,7 +44,9 @@ import sonia.scm.user.User;
import sonia.scm.user.UserException;
import sonia.scm.user.UserManager;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.SecurityUtil;
import sonia.scm.util.Util;
import sonia.scm.web.security.WebSecurityContext;
//~--- JDK imports ------------------------------------------------------------
@@ -51,6 +54,8 @@ import java.util.Collection;
import javax.ws.rs.Path;
import javax.ws.rs.core.GenericEntity;
import javax.ws.rs.core.Request;
import javax.ws.rs.core.Response;
/**
*
@@ -75,13 +80,35 @@ public class UserResource extends AbstractManagerResource<User, UserException>
*
* @param userManager
* @param encryptionHandler
* @param securityContextProvider
*/
@Inject
public UserResource(UserManager userManager,
EncryptionHandler encryptionHandler)
EncryptionHandler encryptionHandler,
Provider<WebSecurityContext> securityContextProvider)
{
super(userManager);
this.encryptionHandler = encryptionHandler;
this.securityContextProvider = securityContextProvider;
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @param request
* @param id
*
* @return
*/
@Override
public Response get(Request request, String id)
{
SecurityUtil.assertIsAdmin(securityContextProvider);
return super.get(request, id);
}
//~--- methods --------------------------------------------------------------
@@ -224,4 +251,7 @@ public class UserResource extends AbstractManagerResource<User, UserException>
/** Field description */
private EncryptionHandler encryptionHandler;
/** Field description */
private Provider<WebSecurityContext> securityContextProvider;
}