Verified Commit b8c6525b authored by Timm Fitschen's avatar Timm Fitschen

Add checks for retrieve user permissions

parent 5ff1f40e
2 merge requests!58REL: prepare release 0.7.2,!45F grpc f acm
...@@ -81,7 +81,9 @@ public class Webinterface extends ServerResource { ...@@ -81,7 +81,9 @@ public class Webinterface extends ServerResource {
? MediaType.IMAGE_PNG ? MediaType.IMAGE_PNG
: path.endsWith(".html") : path.endsWith(".html")
? MediaType.TEXT_HTML ? MediaType.TEXT_HTML
: path.endsWith(".yaml") ? MediaType.TEXT_YAML : MediaType.TEXT_XML; : path.endsWith(".yaml")
? MediaType.TEXT_YAML
: path.endsWith(".xml") ? MediaType.TEXT_XML : MediaType.ALL;
final FileRepresentation ret = new FileRepresentation(file, mt); final FileRepresentation ret = new FileRepresentation(file, mt);
......
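Review bot: The new `MediaType.ALL` fallback for unrecognised extensions sends `*/*` as the Content-Type, which leaves the browser to sniff the body; if any file reachable through this resource is not fully controlled by the deployment, sniffing it as HTML is the usual route to script execution in the web interface's origin. A safer default for an unknown extension is `MediaType.APPLICATION_OCTET_STREAM`, ideally paired with an `X-Content-Type-Options: nosniff` response header so that the explicit types chosen above are honoured as well. The enclosing method starts before this hunk, so I cannot see how `path` is derived.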
...@@ -48,13 +48,14 @@ public class ListUsersTransaction extends AccessControlTransaction { ...@@ -48,13 +48,14 @@ public class ListUsersTransaction extends AccessControlTransaction {
// remove roles // remove roles
for (ProtoUser user : users) { for (ProtoUser user : users) {
if (user.roles != null) if (user.roles != null) {
if (!currentUser.isPermitted( if (!currentUser.isPermitted(
ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) { ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
user.roles = null; user.roles = null;
} }
} }
} }
}
public List<ProtoUser> getUsers() { public List<ProtoUser> getUsers() {
return users; return users;
......
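Review bot: The role-stripping block (`if (user.roles != null) { if (!currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) { user.roles = null; } }`) now appears twice in this commit, here and in `RetrieveUserTransaction.transaction()`, so any future change to the roles permission check has to be made in both places or the two endpoints drift apart. Consider moving it into one shared helper on `AccessControlTransaction`, e.g. `protected static void stripRolesUnlessPermitted(Subject currentUser, ProtoUser user)`, and calling it from both transactions. The enclosing `transaction()` method starts before this hunk.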
...@@ -24,6 +24,9 @@ ...@@ -24,6 +24,9 @@
package org.caosdb.server.transaction; package org.caosdb.server.transaction;
import java.util.Set; import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.caosdb.server.accessControl.ACMPermissions;
import org.caosdb.server.accessControl.Principal; import org.caosdb.server.accessControl.Principal;
import org.caosdb.server.accessControl.UserSources; import org.caosdb.server.accessControl.UserSources;
import org.caosdb.server.database.backend.transaction.RetrieveUser; import org.caosdb.server.database.backend.transaction.RetrieveUser;
...@@ -42,10 +45,21 @@ public class RetrieveUserTransaction extends AccessControlTransaction { ...@@ -42,10 +45,21 @@ public class RetrieveUserTransaction extends AccessControlTransaction {
@Override @Override
protected void transaction() throws Exception { protected void transaction() throws Exception {
if (!UserSources.isUserExisting(this.principal)) { Subject currentUser = SecurityUtils.getSubject();
if (!UserSources.isUserExisting(this.principal)
|| !currentUser.isPermitted(
ACMPermissions.PERMISSION_RETRIEVE_USER_INFO(
this.principal.getRealm(), this.principal.getUsername()))) {
throw ServerMessages.ACCOUNT_DOES_NOT_EXIST; throw ServerMessages.ACCOUNT_DOES_NOT_EXIST;
} }
this.user = execute(new RetrieveUser(this.principal), getAccess()).getUser(); this.user = execute(new RetrieveUser(this.principal), getAccess()).getUser();
if (user.roles != null) {
if (!currentUser.isPermitted(
ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
user.roles = null;
}
}
} }
public static Element getUserElement(final ProtoUser user) { public static Element getUserElement(final ProtoUser user) {
......
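Review bot: The combined condition `if (!UserSources.isUserExisting(this.principal) || !currentUser.isPermitted(...))` reports a permission failure with the same `ServerMessages.ACCOUNT_DOES_NOT_EXIST` as a missing account, which is what stops an unprivileged caller from probing which accounts exist, but that intent is not stated and a later maintainer could easily split it into a distinct permission error. Add a comment above the check such as `// Same error for "no such account" and "not permitted": a caller without retrieve permission must not be able to tell existing accounts from missing ones.` Separately, `user.roles` is read directly after `execute(new RetrieveUser(this.principal), getAccess()).getUser()` with no null check on `user`; if `getUser()` can return null this ends in a NullPointerException instead of a server message, which I cannot confirm from the hunk.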