
#1084 Prevent that an admin user can share a collection to it's owner

- Before: Code checked that a collection cannot be shared to the
  user who is sharing the collection. In case of an admin
  user sharing another user's collection it was still possible
  to share a collection to its owner. As a result the owner's
  admin grant for the collection was overwritten in Jena with an
  edit grant and this edit grant could be removed by revoking the
  sharing. This created owners without grants to their own
  collections.
- Now: Code checks that a collection cannot be shared to its owner.
MPDLbrede committed Nov 8, 2018
1 parent 1f344f3 commit 2a46899c6172a7b90071080565f3a4e8f2d9a624
@@ -24,6 +24,7 @@
import de.mpg.imeji.logic.notification.email.EmailService;
import de.mpg.imeji.logic.security.authorization.util.SecurityUtil;
import de.mpg.imeji.logic.security.sharing.invitation.InvitationService;
import de.mpg.imeji.logic.security.user.UserService;
import de.mpg.imeji.logic.security.usergroup.UserGroupService;
import de.mpg.imeji.logic.util.ObjectHelper;
import de.mpg.imeji.logic.util.StringHelper;
@@ -41,8 +42,10 @@
private URI uri;
// The object (collection, album or item) which is going to be shared
private Object shareTo;
// the user whom the shared object belongs
// the user to whom the shared object belongs
private URI owner;
// the email of the owner/user to whom the object belongs
private String ownersEmail;
private String title;
private String collectionUrl;
private boolean isAdmin;
@@ -90,6 +93,7 @@ public void initShareCollection() {
this.shareTo = collection;
this.title = collection.getTitle();
this.owner = collection.getCreatedBy();
this.ownersEmail = new UserService().retrieve(this.owner, Imeji.adminUser).getEmail();
this.collectionUrl = getNavigation().getCollectionUrl() + collection.getIdString() + "?q=";
this.sharedObject = collection;
this.searchResultUrl = !StringHelper.isNullOrEmptyTrim(q) || !StringHelper.isNullOrEmptyTrim(fq)
@@ -109,7 +113,7 @@ public void initShareCollection() {
* @throws ImejiException
*/
public void init() throws ImejiException {
input = new ShareInput(uri.toString(), getSessionUser(), getLocale(), instanceName);
input = new ShareInput(uri.toString(), ownersEmail, getSessionUser(), getLocale(), instanceName);
shareList = new ShareList(owner, uri.toString(), getSessionUser(), getLocale());
isAdmin = SecurityUtil.authorization().administrate(getSessionUser(), shareTo);
pageUrl = PrettyContext.getCurrentInstance().getRequestURL().toString()
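Review bot: `ownersEmail` is assigned only in `initShareCollection()` in the lines shown, yet `init()` passes it to `ShareInput` unconditionally, and the field comment says the shared object may also be an album or item. If `init()` can run without that initializer, the value is null, and because `String.equalsIgnoreCase(null)` returns false the owner guard in `parseInput` would then accept every address, the owner's included. The lookup `new UserService().retrieve(this.owner, Imeji.adminUser).getEmail()` also dereferences its result without a null check. I would resolve the e-mail from `owner` on every path that reaches `init()` and fail closed when it is missing, e.g. `this.objectOwnerEmail = Objects.requireNonNull(objectOwnerEmail, "objectOwnerEmail");` in the `ShareInput` constructor. Both method bodies continue outside the hunks shown.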
@@ -34,6 +34,7 @@
private List<String> invalidEntries = new ArrayList<>();
private List<String> unknownEmails = new ArrayList<>();
private final String objectUri;
private final String objectOwnerEmail;
private final Locale locale;
private final User user;
private final String instanceName;
@@ -43,8 +44,9 @@
*
* @param objectUri
*/
public ShareInput(String objectUri, User user, Locale locale, String instanceName) {
public ShareInput(String objectUri, String objectOwnerEmail, User user, Locale locale, String instanceName) {
this.objectUri = objectUri;
this.objectOwnerEmail = objectOwnerEmail;
this.user = user;
this.locale = locale;
this.instanceName = instanceName;
@@ -127,7 +129,7 @@ private void parseInput() {
unknownEmails.clear();
invalidEntries.clear();
for (final String value : input.split("\\s*[|,;\\n]\\s*")) {
if (EmailService.isValidEmail(value) && !value.equalsIgnoreCase(user.getEmail())) {
if (EmailService.isValidEmail(value) && !value.equalsIgnoreCase(this.objectOwnerEmail)) {
final boolean exists = retrieveUser(value) != null;
if (exists) {
validEmails.add(value);
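Review bot: The new condition in `parseInput` replaces the comparison with `user.getEmail()` instead of adding to it, so a sharer who is not the owner can now enter their own address. If the grant overwrite described in the commit message applies to any existing admin grant (not verifiable from this hunk), an admin could downgrade or lose their own grant the same way; keeping both tests avoids that: `if (EmailService.isValidEmail(value) && !value.equalsIgnoreCase(user.getEmail()) && !value.equalsIgnoreCase(this.objectOwnerEmail)) {`. The guard also lives in input parsing and compares e-mail strings, so any other caller that writes grants bypasses it. Enforcing "the owner's grant is never replaced" where the grant is stored, compared against the owner URI, would be the more robust place. `parseInput` continues outside the hunk.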
