#176 changing some user properties require admin privilages

small refacctorings

build.xml

@@ -5,7 +5,7 @@
         <!-- TODO define script. See Help menu or http://ant.apache.org/ -->
     </target>
     <!-- set global properties for this build -->
-    <property name="version" value="1.2.36"/>
+    <property name="version" value="1.2.37"/>
     <property name="src" location="src/java"/>
     <property name="src-other" location="src/other"/>
     <property name="build" location="build/classes"/>

src/java/cricket.properties

@@ -1,2 +1,2 @@
-#Fri, 16 Feb 2018 00:20:13 +0100
-version=1.2.36
+#Tue, 06 Mar 2018 02:18:12 +0100
+version=1.2.37

src/java/org/cricketmsf/microsite/auth/SecurityFilter.java

@@ -33,27 +33,27 @@
  * @author Grzegorz Skorupa <g.skorupa at gmail.com>
  */
 public class SecurityFilter extends Filter {
-    
+
     private static final String PERMANENT_TOKEN_PREFIX = "==";
-    
+
     private String[] restrictedPost = null;
     private String[] restrictedPut = null;
     private String[] restrictedGet = null;
     private String[] restrictedDelete = null;
-    
+
     private boolean authRequired = false;
-    
+
     @Override
     public String description() {
         return "Default security filter";
     }
-    
+
     private void initialize() {
         ArrayList<String> aPost = new ArrayList<>();
         ArrayList<String> aPut = new ArrayList<>();
         ArrayList<String> aGet = new ArrayList<>();
         ArrayList<String> aDelete = new ArrayList<>();
-        
+
         String restr = (String) Kernel.getInstance().getProperties().getOrDefault("restricted-resources", "");
         if (!restr.isEmpty()) {
             String r[] = restr.split(" ");
@@ -115,7 +115,7 @@ private void initialize() {
             }
         }
     }
-    
+
     private boolean isRestrictedPath(String method, String path) {
         if (restrictedPost == null) {
             initialize();
@@ -174,27 +174,27 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
 
         String path = exchange.getRequestURI().getPath();
         //System.out.println("CHECK REQUEST FOR PATH:" + path);
-        Kernel.getInstance().dispatchEvent(Event.logInfo(getClass().getSimpleName(), "PATH="+path));
+        Kernel.getInstance().dispatchEvent(Event.logInfo(getClass().getSimpleName(), "PATH=" + path));
         boolean authorizationNotRequired = true;
         try {
             authorizationNotRequired = !isRestrictedPath(exchange.getRequestMethod(), path);
         } catch (Exception e) {
             e.printStackTrace();
         }
-        
+
         Map parameters = (Map) exchange.getAttribute("parameters");
-        
+
         SecurityFilterResult result = new SecurityFilterResult();
         if (authorizationNotRequired) {
             //System.out.println("AUTHORIZATION NOT REQUIRED");
             String inParamsToken = null;
-            
+
             try {
                 if (parameters != null) {
                     inParamsToken = (String) parameters.get("tid");
                 }
-                    //System.out.println(">>> INPARAMSTOKEN="+inParamsToken);
-                
+                //System.out.println(">>> INPARAMSTOKEN="+inParamsToken);
+
             } catch (NullPointerException e) {
             }
             if (inParamsToken != null) {
@@ -231,11 +231,15 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
         } else {
             try {
                 user = getUser(tokenID, tokenID.startsWith(PERMANENT_TOKEN_PREFIX));
-                if("public".equalsIgnoreCase(user.getUid())){
+                if ("public".equalsIgnoreCase(user.getUid())) {
                     issuer = getIssuer(tokenID);
                 }
             } catch (AuthException e) {
-                result.code = e.getCode();
+                result.code = 403;
+                result.message = e.getMessage();
+                return result;
+            } catch (Exception e) {
+                result.code = 403;
                 result.message = e.getMessage();
                 return result;
             }
@@ -252,7 +256,7 @@ public SecurityFilterResult checkRequest(HttpExchange exchange) {
         }
         return result;
     }
-    
+
     private User getUser(String token, boolean permanentToken) throws AuthException {
         //ask dedicated adapter
         AuthAdapterIface authAdapter = (AuthAdapterIface) Kernel.getInstance().getAdaptersMap().getOrDefault("authAdapter", null);
@@ -262,7 +266,7 @@ private User getUser(String token, boolean permanentToken) throws AuthException
             return null;
         }
     }
-    
+
     private User getIssuer(String token) throws AuthException {
         //ask dedicated adapter
         AuthAdapterIface authAdapter = (AuthAdapterIface) Kernel.getInstance().getAdaptersMap().getOrDefault("authAdapter", null);
@@ -272,12 +276,23 @@ private User getIssuer(String token) throws AuthException {
             return null;
         }
     }
-    
+
     @Override
     public void doFilter(HttpExchange exchange, Chain chain)
             throws IOException {
-        SecurityFilterResult result = checkRequest(exchange);
+        SecurityFilterResult result = null;
+        try {
+            result = checkRequest(exchange);
+        } catch (Exception e) {
+            exchange.sendResponseHeaders(400, e.getMessage().length());
+            exchange.getResponseBody().write(e.getMessage().getBytes());
+            exchange.getResponseBody().close();
+            exchange.close();
+        }
         if (result.code != 200) {
+            if (result.message == null) {
+                result.message = "authentication error";
+            }
             exchange.sendResponseHeaders(result.code, result.message.length());
             exchange.getResponseBody().write(result.message.getBytes());
             exchange.getResponseBody().close();
@@ -297,5 +312,5 @@ public void doFilter(HttpExchange exchange, Chain chain)
             }
         }
     }
-    
+
 }

src/java/org/cricketmsf/microsite/user/User.java

@@ -1,7 +1,17 @@
 /*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+ * Copyright 2017 Grzegorz Skorupa <g.skorupa at gmail.com>.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 package org.cricketmsf.microsite.user;
 

src/java/org/cricketmsf/microsite/user/UserBusinessLogic.java

@@ -40,11 +40,7 @@ public static UserBusinessLogic getInstance() {
         return self;
     }
 
-    public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
-        RequestObject request = event.getRequest();
-        //handle(Event.logFinest(this.getClass().getSimpleName(), request.pathExt));
-        String uid = request.pathExt;
-        String requesterID = request.headers.getFirst("X-user-id");
+    private boolean isAdmin(RequestObject request) {
         List<String> requesterRoles = request.headers.get("X-user-role");
         //String requesterRole = request.headers.getFirst("X-user-role");
         boolean admin = false;
@@ -54,6 +50,14 @@ public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
                 break;
             }
         }
+        return admin;
+    }
+
+    public Object handleGetRequest(Event event, UserAdapterIface userAdapter) {
+        RequestObject request = event.getRequest();
+        String uid = request.pathExt;
+        String requesterID = request.headers.getFirst("X-user-id");
+        boolean admin = isAdmin(request);
 
         StandardResult result = new StandardResult();
         try {
@@ -77,8 +81,8 @@ public Object handleRegisterRequest(Event event, UserAdapterIface userAdapter, b
         //TODO: check requester rights
         //only admin can set: role or type differ than default (plus APPLICATION type)
         RequestObject request = event.getRequest();
-        //handle(Event.logFinest(this.getClass().getSimpleName(), request.pathExt));
         //System.out.println("X-cms-user="+request.headers.getFirst("X-user-id"));
+        boolean admin = isAdmin(request);
         StandardResult result = new StandardResult();
         String uid = request.pathExt;
         if (uid != null && !uid.isEmpty()) {
@@ -157,7 +161,7 @@ public Object handleDeleteRequest(Event event, UserAdapterIface userAdapter, boo
         RequestObject request = event.getRequest();
         String uid = request.pathExt;
         StandardResult result = new StandardResult();
-        if (uid == null) {
+        if (uid == null || !isAdmin(request)) {
             result.setCode(HttpAdapter.SC_BAD_REQUEST);
             return result;
         }
@@ -197,9 +201,15 @@ public Object handleUpdateRequest(Event event, UserAdapterIface userAdapter) {
             if (email != null) {
                 user.setEmail(email);
             }
-            if (role != null) {
+            if (role != null && isAdmin(request)) {
                 user.setRole(role);
             }
+            if (type != null && isAdmin(request)) {
+                try {
+                    user.setType(Integer.parseInt(type));
+                } catch (NumberFormatException e) {
+                }
+            }
             if (password != null) {
                 user.setPassword(HashMaker.md5Java(event.getRequestParameter("password")));
             }

src/java/org/cricketmsf/microsite/user/UserEvent.java

@@ -1,7 +1,17 @@
 /*
- * To change this license header, choose License Headers in Project Properties.
- * To change this template file, choose Tools | Templates
- * and open the template in the editor.
+ * Copyright 2017 Grzegorz Skorupa <g.skorupa at gmail.com>.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
  */
 package org.cricketmsf.microsite.user;
 

www/admin/js/app.js

@@ -22,28 +22,19 @@ var app = {
         "name": "",
         "token": "",
         "status": "logged-out",
-        "alerts": [],
-        "dashboardID": '',
-        "dashboards": []
+        "alerts": []
     },
     "offline": false,
-    "authAPI": "http://signode.unicloud.pl/api/auth",
-    "csAPI": "http://signode.unicloud.pl/api/cs",
-    "cmAPI": "http://signode.unicloud.pl/api/cm",
-    "userAPI": "http://signode.unicloud.pl/api/user",
+    "authAPI": "http://localhost:8080/api/auth",
+    "csAPI": "http://localhost:8080/api/cs",
+    "cmAPI": "http://localhost:8080/api/cm",
+    "userAPI": "http://localhost:8080/api/user",
     "currentPage": "main",
     "language": "en",
     "languages": ["en", "pl", "fr"],
     "debug": false,
     "localUid": 0,
-    "dconf": {"widgets":[]}, // configurations of user's widgets on the dashboard page
-     //   {},{},{},{},{},{},{},{},{},{},{},{}
-    //],
-    "widgets": [ // widgets on the dashboard page - hardcoded structure
-        [{}, {}, {}, {}],
-        [{}, {}, {}, {}],
-        [{}, {}, {}, {}]
-    ],
+    "requests": 0,
     "log": function(message){if(app.debug){console.log(message)}}
 }
 

www/js/data-api.js

@@ -10,6 +10,15 @@ function getData(url, query, token, callback, eventListener, errorEventName) {
         app.log("onerror " + this.status + " " + oEvent.toString())
         eventListener.trigger("auth"+this.status);
     }
+    oReq.onloadend = function(oEvent){
+        app.requests--;
+    }
+    oReq.onabort = function(oEvent){
+        app.requests--;
+    }
+    oReq.timeout = function(oEvent){
+        app.requests--;
+    }
     oReq.onreadystatechange = function () {
         if (this.readyState == 4) {
             if (this.status == 200) {