upd: use a more strict pattern for handling forms

[gigi.git] / src / org / cacert / gigi / pages / LoginPage.java

diff --git a/src/org/cacert/gigi/pages/LoginPage.java b/src/org/cacert/gigi/pages/LoginPage.java
index 141c6ca18cc6466ffae0248458347b10511228f7..b19de897aa5e7b3f71f9ba122d1fb70a00938696 100644 (file)
--- a/src/org/cacert/gigi/pages/LoginPage.java
+++ b/src/org/cacert/gigi/pages/LoginPage.java
@@ -25,6 +25,7 @@ import org.cacert.gigi.pages.main.RegisterPage;
 import org.cacert.gigi.util.AuthorizationContext;
 import org.cacert.gigi.util.PasswordHash;
 import org.cacert.gigi.util.RateLimit;
+import org.cacert.gigi.util.RateLimit.RateLimitException;
 import org.cacert.gigi.util.ServerConstants;
 
 public class LoginPage extends Page {
@@ -38,10 +39,9 @@ public class LoginPage extends Page {
         }
 
         @Override
-        public boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException {
+        public boolean submit(HttpServletRequest req) throws GigiApiException {
             if (RegisterPage.RATE_LIMIT.isLimitExceeded(req.getRemoteAddr())) {
-                outputError(out, req, "Rate Limit Exceeded");
-                return false;
+                throw new RateLimitException();
             }
             tryAuthWithUnpw(req);
             return false;
@@ -56,6 +56,8 @@ public class LoginPage extends Page {
 
     public static final String LOGIN_RETURNPATH = "login-returnpath";
 
+    private static final String SUBMIT_EXCEPTION = "login-submit-exception";
+
     public LoginPage() {
         super("Password Login");
     }
@@ -69,6 +71,13 @@ public class LoginPage extends Page {
         }
     }
 
+    @Override
+    public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        if (Form.printFormErrors(req, resp.getWriter())) {
+            Form.getForm(req, LoginForm.class).output(resp.getWriter(), getLanguage(req), new HashMap<String, Object>());
+        }
+    }
+
     @Override
     public boolean beforeTemplate(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         String redir = (String) req.getSession().getAttribute(LOGIN_RETURNPATH);
@@ -78,9 +87,8 @@ public class LoginPage extends Page {
                 tryAuthWithCertificate(req, cert);
             }
             if (req.getMethod().equals("POST")) {
-                try {
-                    Form.getForm(req, LoginForm.class).submit(resp.getWriter(), req);
-                } catch (GigiApiException e) {
+                if ( !Form.getForm(req, LoginForm.class).submitExceptionProtected(req)) {
+                    return false;
                 }
             }
         }
@@ -105,7 +113,7 @@ public class LoginPage extends Page {
         return false;
     }
 
-    private void tryAuthWithUnpw(HttpServletRequest req) {
+    private void tryAuthWithUnpw(HttpServletRequest req) throws GigiApiException {
         String un = req.getParameter("username");
         String pw = req.getParameter("password");
         try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT `password`, `id` FROM `users` WHERE `email`=? AND verified='1'")) {
@@ -124,9 +132,11 @@ public class LoginPage extends Page {
                     }
                     loginSession(req, User.getById(rs.getInt(2)));
                     req.getSession().setAttribute(LOGIN_METHOD, new TranslateCommand("Password"));
+                    return;
                 }
             }
         }
+        throw new GigiApiException("Username and password didn't match.");
     }
 
     public static User getUser(HttpServletRequest req) {
@@ -178,7 +188,7 @@ public class LoginPage extends Page {
         return uc;
     }
 
-    private static final Group LOGIN_BLOCKED = Group.getByString("blockedlogin");
+    private static final Group LOGIN_BLOCKED = Group.BLOCKEDLOGIN;
 
     private void loginSession(HttpServletRequest req, User user) {
         if (user.isInGroup(LOGIN_BLOCKED)) {