
[fix] prevent students from adding other users/changing other user's …

…details from their profile page.
smee committed Jul 23, 2010
1 parent 6856143 commit e3df61729f4c553243d0c6fb6f3bd0e67d4aae45
@@ -8,6 +8,7 @@
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationTrustResolver;
import org.acegisecurity.AuthenticationTrustResolverImpl;
+import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UsernameNotFoundException;
@@ -186,14 +187,18 @@ public ActionForward save(ActionMapping mapping, ActionForm form,
// See https://appfuse.dev.java.net/issues/show_bug.cgi?id=128
ActionMessages errors = form.validate(mapping, request);
+ UserForm userForm = (UserForm) form;
+ // does the user try to change attributes of another user? Allow only for role admin.
+ if (!request.getRemoteUser().equals(userForm.getUsername()) && !validateAdminRole()) {
+ errors.add(ActionMessages.GLOBAL_MESSAGE, new ActionMessage("errors.changeuser.notadmin"));
+ }
if (!errors.isEmpty()) {
saveErrors(request, errors);
return mapping.findForward("edit");
}
// Extract attributes and parameters we will need
ActionMessages messages = new ActionMessages();
- UserForm userForm = (UserForm) form;
User user = new User();
// Exceptions are caught by ActionExceptionHandler
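Review bot: `request.getRemoteUser()` is dereferenced on the new `if` line without a null check, so a request with no authenticated remote user reaches `null.equals(...)` and fails with a NullPointerException instead of the intended "errors.changeuser.notadmin" message. Treating a missing remote user as "not the owner" keeps the check fail-closed: `String remoteUser = request.getRemoteUser();` followed by `if ((remoteUser == null || !remoteUser.equals(userForm.getUsername())) && !validateAdminRole()) {`. Note that `userForm.getUsername()` may itself be null when the JSP renders the username field as `disabled` (browsers do not submit disabled controls), in which case a student editing their own profile would be rejected by this branch unless the form bean is session-scoped and retains the value — worth confirming against the form-bean configuration. This comparison is the only server-side enforcement of the rule; the disabled/readonly attribute in the JSP is presentation only. The enclosing `save` method starts and ends outside the hunk.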
@@ -274,6 +279,20 @@ public ActionForward save(ActionMapping mapping, ActionForm form,
}
}
+ /**
+ * @return
+ */
+ protected boolean validateAdminRole() {
+ // make sure no non-admin tries to save a new user!
+ boolean isAdmin=false;
+ for( GrantedAuthority authority: SecurityContextHolder.getContext().getAuthentication().getAuthorities()){
+ if(authority.getAuthority().equals("admin")) {
+ isAdmin=true;
+ }
+ }
+ return isAdmin;
+ }
+
public ActionForward search(ActionMapping mapping, ActionForm form,
HttpServletRequest request,
HttpServletResponse response)
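Review bot: `SecurityContextHolder.getContext().getAuthentication()` is dereferenced in the `for` header of the new `validateAdminRole` with no null check, so a call without an authentication in the context throws a NullPointerException rather than returning `false`; returning `false` in that case is the safer outcome for an authorization helper. The Javadoc added above the method has an empty `@return` tag, and the loop keeps iterating after the first match where an early `return true` reads more clearly. The rewrite below guards the null cases, documents the contract, and returns as soon as the `"admin"` authority is found; the `"admin"` literal is kept as the page gives it, though a named constant would make the role name easier to audit.
```java
    /**
     * Reports whether the current authentication holds the {@code "admin"} authority.
     * @return {@code true} only if an authentication is present and one of its
     *         granted authorities is {@code "admin"}; {@code false} otherwise
     */
    protected boolean validateAdminRole() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth.getAuthorities() == null) {
            return false;
        }
        for (GrantedAuthority authority : auth.getAuthorities()) {
            if ("admin".equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
```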
@@ -23,6 +23,7 @@ errors.zip={0} ist eine ungültige Postleitzahl.
# -- for field level messages --
errors.header=<span class="fieldError">
errors.footer=</span>
+errors.changeuser.notadmin=Sie sind kein Administrator, k&ouml;nnen also keine anderen Benutzerdaten &auml;ndern!
# -- other errors --
errors.cancel=Operation abgebrochen.
@@ -1,6 +1,6 @@
# Empty resources file so JSTL resolves the default locale correctly.
# http://raibledesigns.com/page/rd/sunsets/i18n_synching_up_struts_and#comment2
-
+errors.changeuser.notadmin=You are no administrator. You must not change other user's personal details!
# -- loginConfig
loginConfig.title = Login Configuration
loginConfig.heading = Login Configuration
@@ -53,7 +53,15 @@
<li>
<examServer:label styleClass="desc" key="userForm.username"/>
<html:errors property="username"/>
- <html:text styleClass="text large" property="username" styleId="username"/>
+ <c:choose>
+ <c:when test="${param.from == 'list'}">
+ <html:text styleClass="text large" property="username" styleId="username"/>
+ </c:when>
+ <c:otherwise>
+ <html:text styleClass="text large" property="username" styleId="username" disabled="true" readonly="true"/>
+ </c:otherwise>
+ </c:choose>
+
</li>
<li>
<div>
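Review bot: The `disabled="true" readonly="true"` attributes on the `<c:otherwise>` branch are a client-side presentation choice and provide no protection on their own; the ownership check added to `save()` in this commit is the actual enforcement, and the `${param.from == 'list'}` switch should likewise be read as a display hint rather than an access control. A practical consequence of `disabled` is that browsers omit the control from the form submission, so the username may not reach the server at all; if the form bean is request-scoped, `userForm.getUsername()` in `save()` would then be null and a student saving their own profile would be rejected as a non-admin. Using `readonly="true"` alone, `<html:text ... styleId="username" readonly="true"/>`, keeps the value in the POST while still rendering it as non-editable; confirm which behaviour the form-bean scope relies on before choosing.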
