From b8c6525baba1a9beda23f31de5a85cb668826705 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Thu, 3 Feb 2022 12:59:09 +0100
Subject: [PATCH] Add checks for retrieve user permissions

---
 .../org/caosdb/server/resource/Webinterface.java | 4 +++-
 .../server/transaction/ListUsersTransaction.java | 3 ++-
 .../transaction/RetrieveUserTransaction.java | 16 +++++++++++++++-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/caosdb/server/resource/Webinterface.java b/src/main/java/org/caosdb/server/resource/Webinterface.java
index adba714a..95901260 100644
--- a/src/main/java/org/caosdb/server/resource/Webinterface.java
+++ b/src/main/java/org/caosdb/server/resource/Webinterface.java
@@ -81,7 +81,9 @@ public class Webinterface extends ServerResource {
             ? MediaType.IMAGE_PNG
             : path.endsWith(".html")
                 ? MediaType.TEXT_HTML
-                : path.endsWith(".yaml") ? MediaType.TEXT_YAML : MediaType.TEXT_XML;
+                : path.endsWith(".yaml")
+                    ? MediaType.TEXT_YAML
+                    : path.endsWith(".xml") ? MediaType.TEXT_XML : MediaType.ALL;
 
     final FileRepresentation ret = new FileRepresentation(file, mt);
 
diff --git a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
index 439f3b3a..2ade4e85 100644
--- a/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/ListUsersTransaction.java
@@ -48,11 +48,12 @@ public class ListUsersTransaction extends AccessControlTransaction {
 
     // remove roles
     for (ProtoUser user : users) {
-      if (user.roles != null)
+      if (user.roles != null) {
         if (!currentUser.isPermitted(
             ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
           user.roles = null;
         }
+      }
     }
   }
 
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java b/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
index 55e4bf85..4847c4b3 100644
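Review bot: The new fallback `MediaType.ALL` for files whose extension matches none of the branches (the earlier branches of this chain start above the hunk) leaves content-type selection to the client, i.e. browser sniffing, where the old code at least pinned text/xml. If anything other than the shipped static assets can end up under the served path, `MediaType.APPLICATION_OCTET_STREAM` is the safer unknown-extension default, and an `X-Content-Type-Options: nosniff` response header would stop sniffing for the typed cases as well; which directory is served is not visible from the hunk. As a style point, the nested ternary is now several levels deep, and a small `Map<String, MediaType>` keyed by extension with one `getOrDefault` lookup would read better and make adding types a one-line change. The enclosing method starts outside the hunk.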
--- a/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveUserTransaction.java
@@ -24,6 +24,9 @@ package org.caosdb.server.transaction;
 
 import java.util.Set;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.ACMPermissions;
 import org.caosdb.server.accessControl.Principal;
 import org.caosdb.server.accessControl.UserSources;
 import org.caosdb.server.database.backend.transaction.RetrieveUser;
@@ -42,10 +45,21 @@ public class RetrieveUserTransaction extends AccessControlTransaction {
 
   @Override
   protected void transaction() throws Exception {
-    if (!UserSources.isUserExisting(this.principal)) {
+    Subject currentUser = SecurityUtils.getSubject();
+    if (!UserSources.isUserExisting(this.principal)
+        || !currentUser.isPermitted(
+            ACMPermissions.PERMISSION_RETRIEVE_USER_INFO(
+                this.principal.getRealm(), this.principal.getUsername()))) {
       throw ServerMessages.ACCOUNT_DOES_NOT_EXIST;
     }
     this.user = execute(new RetrieveUser(this.principal), getAccess()).getUser();
+
+    if (user.roles != null) {
+      if (!currentUser.isPermitted(
+          ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) {
+        user.roles = null;
+      }
+    }
   }
 
   public static Element getUserElement(final ProtoUser user) {
-- 
GitLab
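Review bot: The role-stripping block added after the `execute(...)` call duplicates the one in ListUsersTransaction from this same commit, and its two nested `if`s can be a single condition: `if (user.roles != null && !currentUser.isPermitted(ACMPermissions.PERMISSION_RETRIEVE_USER_ROLES(user.realm, user.name))) { user.roles = null; }`; since both classes extend AccessControlTransaction, a shared protected helper there would keep the two checks from drifting apart. The combined existence-and-permission check throws the same ACCOUNT_DOES_NOT_EXIST for a caller without PERMISSION_RETRIEVE_USER_INFO as for a missing account, which presumably is deliberate so an unprivileged caller cannot probe which accounts exist; that deserves a comment on the `if`, e.g. `// Same error as for a missing account on purpose: the response must not reveal whether the account exists.` The new `user.roles` access assumes `getUser()` never returns null once the existence check has passed, which I cannot confirm from the hunk. Mixing `this.user` and bare `user` in the same method is a minor style nit. transaction() lies entirely within the hunk.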