[Yanel-commits] rev 58512 - public/yanel/trunk/src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser
michi at wyona.com
michi at wyona.com
Fri May 27 15:59:18 CEST 2011
Author: michi
Date: 2011-05-27 15:59:18 +0200 (Fri, 27 May 2011)
New Revision: 58512
Modified:
public/yanel/trunk/src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser/EditYanelUserProfileResource.java
Log:
security hole fixed
Modified: public/yanel/trunk/src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser/EditYanelUserProfileResource.java
===================================================================
--- public/yanel/trunk/src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser/EditYanelUserProfileResource.java 2011-05-27 13:42:50 UTC (rev 58511)
+++ public/yanel/trunk/src/contributions/resources/yanel-user/src/java/org/wyona/yanel/impl/resources/yaneluser/EditYanelUserProfileResource.java 2011-05-27 13:59:18 UTC (rev 58512)
@@ -86,15 +86,21 @@
* Get user id from resource configuration
*/
private String getUserId() throws Exception {
+ String userId = null;
// 1)
- if (getEnvironment().getRequest().getParameter("id") != null) {
- return getEnvironment().getRequest().getParameter("id");
+ userId = getEnvironment().getRequest().getParameter("id");
+ if (userId != null) {
+ if (getRealm().getPolicyManager().authorize("/yanel/users/" + userId + ".html", getEnvironment().getIdentity(), new org.wyona.security.core.api.Usecase("view"))) { // INFO: Because the policymanager has no mean to check (or interpret) query strings we need to recheck programmatically
+ return userId;
+ } else {
+ //throw new Exception("User '" + getEnvironment().getIdentity().getUsername() + "' tries to access user profile '" + userId + "', but is not authorized!");
+ log.warn("User '" + getEnvironment().getIdentity().getUsername() + "' tries to access user profile '" + userId + "', but is not authorized!");
+ }
}
// 2)
ResourceConfiguration resConfig = getConfiguration();
- String userId = null;
if(resConfig != null) {
userId = getConfiguration().getProperty("user");
} else {
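Review bot: The unauthorized branch at the `log.warn` line only logs and then falls through to steps 2) and 3), so a request carrying an `id` the caller may not view is not rejected but continues with the remaining lookups, and the commented-out throw above it is the fail-closed behaviour this fix needs. Replace that comment with `throw new Exception("User '" + getEnvironment().getIdentity().getUsername() + "' is not authorized to access user profile '" + userId + "'");` after the warning so the rejected value cannot be reused further down the method. The policy path `"/yanel/users/" + userId + ".html"` is built directly from the raw query parameter; unless the policy manager normalizes paths (not visible here), checking that `userId` is a plain identifier without path separators before the `authorize` call keeps the check aligned with the resource it protects. Whether the value assigned in step 2 is returned before step 3 depends on lines between the two hunks that are not shown, and getUserId continues in the next hunk.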
@@ -106,12 +112,11 @@
}
// 3)
- final String userName = getPath().substring(getPath().lastIndexOf("/") + 1, getPath().lastIndexOf(".html"));
- log.debug("User name: " + userName);
- if (userName != null && getRealm().getIdentityManager().getUserManager().existsUser(userName)) {
- return userName;
+ userId = getPath().substring(getPath().lastIndexOf("/") + 1, getPath().lastIndexOf(".html"));
+ if (userId != null && getRealm().getIdentityManager().getUserManager().existsUser(userId)) {
+ return userId;
} else {
- throw new Exception("No such user '" + userName + "'");
+ throw new Exception("No such user '" + userId + "'");
}
}
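Review bot: The `userId != null` guard on the line after the `substring` assignment is dead, because `String.substring` never returns null; the real failure mode is a path without `.html`, where `lastIndexOf(".html")` returns -1 and `substring` throws a `StringIndexOutOfBoundsException` with no useful message. Compute `int end = getPath().lastIndexOf(".html");` first and treat `end < 0` as the "No such user" case before calling `substring`. The assignment also unconditionally overwrites whatever step 2 stored in `userId` from the resource configuration; if that value is meant to be used, it must be returned in the lines between the two hunks, which are not visible here. getUserId starts in the previous hunk.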