ensure user update has correct permissions

Signed-off-by: Olivier Lamy <olamy@apache.org>
Olivier Lamy 2022-04-13 12:04:15 +10:00
parent 83afadd0eb
commit e8378c3ef8
3 changed files with 41 additions and 21 deletions


@ -27,46 +27,46 @@ package org.apache.archiva.redback.integration.security.role;
*/
public interface RedbackRoleConstants
{
public static final String ADMINISTRATOR_ACCOUNT_NAME = "admin";
String ADMINISTRATOR_ACCOUNT_NAME = "admin";
// roles
public static final String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
public static final String USER_ADMINISTRATOR_ROLE = "User Administrator";
String USER_ADMINISTRATOR_ROLE = "User Administrator";
public static final String REGISTERED_USER_ROLE = "Registered User";
String REGISTERED_USER_ROLE = "Registered User";
/**
* @since 1.4
*/
public static final String REGISTERED_USER_ROLE_ID = "registered-user";
String REGISTERED_USER_ROLE_ID = "registered-user";
public static final String GUEST_ROLE = "Guest";
String GUEST_ROLE = "Guest";
// guest access operation
public static final String GUEST_ACCESS_OPERATION = "guest-access";
String GUEST_ACCESS_OPERATION = "guest-access";
// operations against configuration
public static final String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
// operations against user
public static final String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
public static final String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
public static final String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
public static final String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
public static final String USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
String USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
// operations against user assignment.
public static final String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
public static final String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
// operations against rbac objects.
public static final String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
public static final String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
}


@ -72,6 +72,7 @@ import javax.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
@ -372,6 +373,27 @@ public class DefaultUserService
public Boolean updateUser( User user )
throws RedbackServiceException
{
// check username == one in the session
RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get();
if ( redbackRequestInformation == null || redbackRequestInformation.getUser() == null )
{
log.warn( "RedbackRequestInformation from ThreadLocal is null" );
throw new RedbackServiceException( new ErrorMessage( "you must be logged to update your profile" ),
Response.Status.FORBIDDEN.getStatusCode() );
}
if ( user == null )
{
throw new RedbackServiceException( new ErrorMessage( "user parameter is mandatory" ),
Response.Status.BAD_REQUEST.getStatusCode() );
}
if ( !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), user.getUsername() )
&& !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME) )
{
throw new RedbackServiceException( new ErrorMessage( "you can update only your profile" ),
Response.Status.FORBIDDEN.getStatusCode() );
}
try
{
org.apache.archiva.redback.users.User rawUser = userManager.findUser( user.getUsername(), false );
@ -587,7 +609,7 @@ public class DefaultUserService
applicationUrl = getBaseUrl();
}
mailer.sendPasswordResetEmail( Arrays.asList( user.getEmail() ), authkey, applicationUrl );
mailer.sendPasswordResetEmail( Collections.singletonList( user.getEmail() ), authkey, applicationUrl );
log.info( "password reset request for username {}", username );
}
catch ( UserNotFoundException e )
@ -679,7 +701,7 @@ public class DefaultUserService
log.debug( "register user {} with email {} and app url {}", u.getUsername(), u.getEmail(), baseUrl );
mailer.sendAccountValidationEmail( Arrays.asList( u.getEmail() ), authkey, baseUrl );
mailer.sendAccountValidationEmail( Collections.singletonList( u.getEmail() ), authkey, baseUrl );
securityPolicy.setEnabled( false );
userManager.addUser( u );
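Review bot: The new guard in updateUser ties the right to edit another account to the literal account name `RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME` ("admin") instead of to a permission, so a caller holding the User Administrator or System Administrator role under any other username is now refused with 403, and the policy silently depends on nobody renaming the built-in account. The operation this method performs already has a constant, `USER_MANAGEMENT_USER_EDIT_OPERATION`; if this service can reach the RBAC authorizer, the second half of the condition should be an authorization check for that operation, along the lines of `&& !isAuthorized( redbackRequestInformation.getUser(), RedbackRoleConstants.USER_MANAGEMENT_USER_EDIT_OPERATION )`, using whatever helper the class actually provides. Since the method body continues past the hunk I cannot see which fields are copied into `rawUser`, but the self-service path now accepts an arbitrary `User` object for the caller's own name, so that copy must not carry over administrative attributes (locked, validated, permanent, password-change-required or similar) from the request. A one-line comment above the check would also make the rule explicit: `// a user may update only their own profile; editing other accounts requires the user-edit permission`.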


@ -94,8 +94,6 @@ public class RoleManagementServiceTest
catch ( ForbiddenException e )
{
assertEquals( 403, e.getResponse().getStatus() );
}
// assign the role and retry