add: prevent supporters from modifying their own accounts via support
1 package org.cacert.gigi.pages.admin.support;
2
3 import java.io.PrintWriter;
4 import java.util.Map;
5 import java.util.Set;
6
7 import javax.servlet.http.HttpServletRequest;
8
9 import org.cacert.gigi.GigiApiException;
10 import org.cacert.gigi.dbObjects.Group;
11 import org.cacert.gigi.dbObjects.Name;
12 import org.cacert.gigi.dbObjects.SupportedUser;
13 import org.cacert.gigi.dbObjects.User;
14 import org.cacert.gigi.localisation.Language;
15 import org.cacert.gigi.output.ArrayIterable;
16 import org.cacert.gigi.output.DateSelector;
17 import org.cacert.gigi.output.GroupIterator;
18 import org.cacert.gigi.output.GroupSelector;
19 import org.cacert.gigi.output.template.Form;
20 import org.cacert.gigi.output.template.Template;
21 import org.cacert.gigi.pages.LoginPage;
22
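/**
 * Support-console form for editing one user's account: changing the date of
 * birth, granting or revoking a group, or triggering a password reset.
 * <p>
 * All mutations go through the {@link SupportedUser} wrapper. A request that
 * carries no support ticket changes nothing, and a supporter is refused when
 * the target account is the supporter's own login.
 */
public class SupportUserDetailsForm extends Form {

    // Resolved relative to this class's own package so the lookup does not
    // silently break if a sibling form class is moved.
    private static final Template t = new Template(SupportUserDetailsForm.class.getResource("SupportUserDetailsForm.templ"));

    // Submit-button parameter names; exactly one of them must be present per request.
    private static final String[] ACTIONS = { "detailupdate", "addGroup", "removeGroup", "resetPass" };

    // Target account plus the support ticket the change is made under.
    private SupportedUser user;

    private DateSelector dobSelector;

    private GroupSelector groupSelector = new GroupSelector("groupToModify", true);

    /**
     * Creates the form for the given supported user.
     *
     * @param hsr
     *            the current request
     * @param user
     *            the account being supported; its current date of birth seeds
     *            the date selector
     */
    public SupportUserDetailsForm(HttpServletRequest hsr, SupportedUser user) {
        super(hsr);
        this.user = user;
        dobSelector = new DateSelector("dobd", "dobm", "doby", user.getTargetUser().getDoB());
    }

    /**
     * Applies the single action requested by the submitted form.
     *
     * @param out
     *            writer for any output the action produces
     * @param req
     *            the submitted request
     * @return {@code false} when no support ticket is set (nothing is changed),
     *         {@code true} after an action was applied
     * @throws GigiApiException
     *             if the supporter targets their own account, if not exactly one
     *             action was requested, if the A-Word for a password reset is
     *             missing, or if the submitted date of birth is invalid
     */
    @Override
    public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
        // Every support action must be tied to a ticket; without one nothing is changed.
        if (user.getTicket() == null) {
            return false;
        }
        // NOTE(review): identity comparison assumes User instances are canonical per
        // account (e.g. cached by the data layer) — confirm; otherwise compare by id.
        if (user.getTargetUser() == LoginPage.getUser(req)) {
            throw new GigiApiException("Supporter may not modify himself.");
        }
        // Also rejects a request with no action at all, not only ambiguous ones.
        if (countRequestedActions(req) != 1) {
            throw new GigiApiException("More than one action requested!");
        }
        if (hasParam(req, "addGroup") || hasParam(req, "removeGroup")) {
            changeGroup(req);
            return true;
        }
        if (hasParam(req, "resetPass")) {
            resetPassword(out, req);
            return true;
        }
        // The only remaining action is "detailupdate".
        updateDateOfBirth(req);
        return true;
    }

    /** Returns whether {@code name} was sent with the request (any value, even empty). */
    private static boolean hasParam(HttpServletRequest req, String name) {
        return req.getParameter(name) != null;
    }

    /** Counts how many of the mutually exclusive submit buttons were sent. */
    private static int countRequestedActions(HttpServletRequest req) {
        int count = 0;
        for (String action : ACTIONS) {
            if (hasParam(req, action)) {
                count++;
            }
        }
        return count;
    }

    /** Grants or revokes the group chosen in the group selector on the target user. */
    private void changeGroup(HttpServletRequest req) throws GigiApiException {
        groupSelector.update(req);
        Group toMod = groupSelector.getGroup();
        if (hasParam(req, "addGroup")) {
            user.grant(toMod);
        } else {
            user.revoke(toMod);
        }
    }

    /**
     * Triggers a password reset for the target user. The "aword" parameter must
     * be present and non-empty (presumably the word the user has to quote back;
     * verify against SupportedUser.triggerPasswordReset).
     */
    private void resetPassword(PrintWriter out, HttpServletRequest req) throws GigiApiException {
        String aword = req.getParameter("aword");
        if (aword == null || aword.isEmpty()) {
            throw new GigiApiException("An A-Word is required to perform a password reset.");
        }
        user.triggerPasswordReset(aword, out, req);
    }

    /** Applies the submitted date of birth, rejecting an invalid selection. */
    private void updateDateOfBirth(HttpServletRequest req) throws GigiApiException {
        dobSelector.update(req);
        if ( !dobSelector.isValid()) {
            throw new GigiApiException("Invalid date of birth!");
        }
        user.setDob(dobSelector.getDate());
    }

    /**
     * Fills the template variables with the target user's details and renders
     * the form.
     *
     * @param out
     *            writer the template is rendered to
     * @param l
     *            language used for translated strings
     * @param vars
     *            template variables; populated in place
     */
    @Override
    protected void outputContent(PrintWriter out, Language l, Map<String, Object> vars) {
        // Named differently from the field so the SupportedUser wrapper is not shadowed.
        User target = this.user.getTargetUser();
        vars.put("mail", target.getEmail());
        vars.put("status", l.getTranslation(target.isValidEmail(target.getEmail()) ? "verified" : "not verified"));
        vars.put("exNames", new ArrayIterable<Name>(target.getNames()) {

            // Parameters renamed so they do not shadow the outer method's
            // arguments or the static template field.
            @Override
            public void apply(Name name, Language lang, Map<String, Object> row) {
                row.put("name", name);
                row.put("points", Integer.toString(name.getAssurancePoints()));
            }

        });
        vars.put("assurer", target.canAssure());
        vars.put("dob", dobSelector);
        vars.put("assurancepoints", target.getAssurancePoints());
        vars.put("exppoints", target.getExperiencePoints());
        final Set<Group> groups = target.getGroups();
        // The same set is exposed twice; the boolean selects GroupIterator's
        // mode (see that class for what true/false means).
        vars.put("support-groups", new GroupIterator(groups.iterator(), true));
        vars.put("groups", new GroupIterator(groups.iterator(), false));
        vars.put("groupSelector", groupSelector);
        t.output(out, l, vars);
    }

}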