X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2Foutput%2Ftemplate%2FForm.java;h=9e58a3cdf2fa44c9a2f3f360ade984c582f0a84d;hp=f330fe865a9e36e42ff874528338db347cdb1ea9;hb=17a15662212d973d12ed4cea3f5eaa9c0d1169ed;hpb=182e0bf4bc672b3e92cbcee950383a2ad8fef7fb
diff --git a/src/org/cacert/gigi/output/template/Form.java b/src/org/cacert/gigi/output/template/Form.java
index f330fe86..9e58a3cd 100644
--- a/src/org/cacert/gigi/output/template/Form.java
+++ b/src/org/cacert/gigi/output/template/Form.java
@@ -2,29 +2,61 @@ package org.cacert.gigi.output.template; import java.io.IOException; import java.io.PrintWriter; +import java.util.HashMap; import java.util.Map; -import javax.servlet.ServletRequest; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; import org.cacert.gigi.GigiApiException; import org.cacert.gigi.localisation.Language; +import org.cacert.gigi.pages.LoginPage; import org.cacert.gigi.pages.Page; import org.cacert.gigi.util.RandomToken; +/** + * A generic HTML-form that handles CSRF-token creation. + */ public abstract class Form implements Outputable { + public static class PermamentFormException extends RuntimeException { + + public PermamentFormException(GigiApiException cause) { + super(cause); + } + + @Override + public synchronized GigiApiException getCause() { + return (GigiApiException) super.getCause(); + } + } + public static final String CSRF_FIELD = "csrf"; + private static final String SUBMIT_EXCEPTION = "form-submit-exception"; + private final String csrf; private final String action; + /** + * Creates a new {@link Form}. + * + * @param hsr + * the request to register the form against. + */ public Form(HttpServletRequest hsr) { this(hsr, null); } + /** + * Creates a new {@link Form}. + * + * @param hsr + * the request to register the form against. + * @param action + * the target path where the form should be submitted. + */ public Form(HttpServletRequest hsr, String action) { csrf = RandomToken.generateToken(32); this.action = action; 
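Review bot: The new nested class PermamentFormException has no Javadoc, and what makes it "permanent" is only discoverable from printFormErrors further down, which prints its cause and returns false so the form is not reprinted; a class comment such as `/** Wraps a {@link GigiApiException} that cannot be fixed by resubmitting; {@link #printFormErrors} reports it and signals that the form must not be redisplayed. */` would put the contract where the type is declared. Its name is also misspelled; since it is introduced as public API in this commit, renaming it to `PermanentFormException` now is cheaper than after callers depend on it. The class Javadoc says the form "handles CSRF-token creation", but the constructor in this hunk also registers the form in the HTTP session under `"form/" + getClass().getName() + "/" + csrf` (the setAttribute call is the first context line of the next hunk), so stating that the token is session-bound and later looked up by getForm would describe the actual CSRF mechanism. The constructor body continues past the end of this hunk.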
@@ -32,7 +64,83 @@ public abstract class Form implements Outputable { hs.setAttribute("form/" + getClass().getName() + "/" + csrf, this); } - public abstract boolean submit(PrintWriter out, HttpServletRequest req) throws GigiApiException; + /** + * Update the forms internal state based on submitted data. + * + * @param req + * the request to take the initial data from. + * @return true, iff the form succeeded and the user should be redirected. + * @throws GigiApiException + * if form data had problems or operations went wrong. + */ + public abstract boolean submit(HttpServletRequest req) throws GigiApiException; + + /** + * Calls {@link #submit(PrintWriter, HttpServletRequest)} while catching and + * displaying errors ({@link GigiApiException}), and re-outputing the form + * via {@link #output(PrintWriter, Language, Map)}. + * + * @param out + * the target to write the form and errors to + * @param req + * the request that this submit originated (for submit and for + * language) + * @return as {@link #submit(PrintWriter, HttpServletRequest)}: true, iff + * the form succeeded and the user should be redirected. 
+ */ + public boolean submitProtected(PrintWriter out, HttpServletRequest req) { + try { + boolean succeeded = submit(req); + if (succeeded) { + HttpSession hs = req.getSession(); + hs.removeAttribute("form/" + getClass().getName() + "/" + csrf); + return true; + } + } catch (GigiApiException e) { + e.format(out, LoginPage.getLanguage(req)); + } + output(out, LoginPage.getLanguage(req), new HashMap()); + return false; + } + + public boolean submitExceptionProtected(HttpServletRequest req) { + try { + if (submit(req)) { + HttpSession hs = req.getSession(); + hs.removeAttribute("form/" + getClass().getName() + "/" + csrf); + return true; + } + return false; + } catch (PermamentFormException e) { + req.setAttribute(SUBMIT_EXCEPTION, e); + return false; + } catch (GigiApiException e) { + req.setAttribute(SUBMIT_EXCEPTION, e); + return false; + } + } + + /** + * Prints any errors in any form submits on this request. + * + * @param req + * The request to extract the errors from. + * @param out + * the output stream to the user to write the errors to. + * @return true if no permanent errors occurred and the form should be + * reprinted. + */ + public static boolean printFormErrors(HttpServletRequest req, PrintWriter out) { + Object o = req.getAttribute(SUBMIT_EXCEPTION); + if (o != null && (o instanceof PermamentFormException)) { + ((PermamentFormException) o).getCause().format(out, Page.getLanguage(req)); + return false; + } + if (o != null && (o instanceof GigiApiException)) { + ((GigiApiException) o).format(out, Page.getLanguage(req)); + } + return true; + } protected String getCsrfFieldName() { return CSRF_FIELD; @@ -45,52 +153,40 @@ public abstract class Form implements Outputable { } else { out.println("
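Review bot: The Javadoc on submitProtected links `{@link #submit(PrintWriter, HttpServletRequest)}` twice, but this same hunk changes the abstract method to `submit(HttpServletRequest)`, so both links now point at a method that no longer exists and should read `{@link #submit(HttpServletRequest)}`. In the same method the re-render uses `LoginPage.getLanguage(req)` while printFormErrors a few lines below uses `Page.getLanguage(req)`; using one of them consistently also avoids a dependency from the template package on a specific page class. The raw `new HashMap()` passed to output should be parameterized to match the Map type that output declares (the type arguments are not visible in this rendering). submitExceptionProtected is public but has no Javadoc, its two catch blocks are identical, and the attribute it stores is only consumed by printFormErrors; a comment stating that any submit failure is stored in the request under SUBMIT_EXCEPTION for printFormErrors to render, and that true is returned only when the form was accepted and its CSRF token removed from the session, would document that contract. The first context line of this hunk belongs to the constructor that starts in the previous hunk.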
"); } - failed = false; outputContent(out, l, vars); out.print("
"); } + /** + * Outputs the forms contents. + * + * @param out + * Stream to the user. + * @param l + * {@link Language} to translate text to. + * @param vars + * Variables supplied from the outside. + */ protected abstract void outputContent(PrintWriter out, Language l, Map vars); - boolean failed; - - protected void outputError(PrintWriter out, ServletRequest req, String text, Object... contents) { - if ( !failed) { - failed = true; - out.println("
"); - } - out.print("
"); - if (contents.length == 0) { - out.print(Page.translate(req, text)); - } else { - out.print(String.format(Page.translate(req, text), contents)); - } - out.println("
"); - } - - protected void outputErrorPlain(PrintWriter out, String text) { - if ( !failed) { - failed = true; - out.println("
"); - } - out.print("
"); - out.print(text); - out.println("
"); - } - - public boolean isFailed(PrintWriter out) { - if (failed) { - out.println("
"); - } - return failed; - } - protected String getCSRFToken() { return csrf; } + /** + * Re-fetches a form e.g. when a Post-request is received. + * + * @param req + * the request that is directed to the form. + * @param target + * the {@link Class} of the expected form. + * @return the form where this request is directed to. + * @throws CSRFException + * if no CSRF-token is found or the token is wrong. + */ + @SuppressWarnings("unchecked") public static T getForm(HttpServletRequest req, Class target) throws CSRFException { String csrf = req.getParameter(CSRF_FIELD); if (csrf == null) { @@ -100,14 +196,23 @@ public abstract class Form implements Outputable { if (hs == null) { throw new CSRFException(); } - Form f = (Form) hs.getAttribute("form/" + target.getName() + "/" + csrf); + Object f = hs.getAttribute("form/" + target.getName() + "/" + csrf); if (f == null) { throw new CSRFException(); } + if ( !(f instanceof Form)) { + throw new CSRFException(); + } + if ( !target.isInstance(f)) { + throw new CSRFException(); + } + // Dynamic Cast checked by previous if statement return (T) f; } public static class CSRFException extends IOException { + private static final long serialVersionUID = 59708247477988362L; + } }
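Review bot: The `@SuppressWarnings("unchecked")` added to getForm covers the whole method, while only the final `(T) f` cast (in the next hunk) is unchecked; narrowing it to the cast, `@SuppressWarnings("unchecked") T form = (T) f; return form;`, keeps any future unchecked operation in the method visible to the compiler. The new `@throws CSRFException` text lists only a missing or wrong token, but the body also throws when the request has no session and, after this commit, when the stored object is not an instance of target; the tag should mention both. Minor: the outputContent Javadoc reads "Outputs the forms contents" — `form's`. The generic signature of getForm appears to have lost its type parameters in this rendering, so the bound on T cannot be checked here; getForm's body continues into the next hunk.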
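Review bot: The four `throw new CSRFException()` sites in getForm carry no message, so on the server side a forged or stale token cannot be told apart from a missing session or a token that matched an attribute of the wrong class; adding a `CSRFException(String reason)` constructor next to the new serialVersionUID and passing a short reason at each site, e.g. `throw new CSRFException("token does not match a registered form")`, gives logging a usable signal without changing what the user sees (assuming the message is logged rather than echoed). The added `f instanceof Form` check is redundant if T is bounded by Form, since `target.isInstance(f)` then already implies it; the bound is not visible in this rendering, so this is a point to confirm. Given that bound, the `f == null`, instanceof and isInstance checks can also collapse into a single `if (!target.isInstance(f))` with identical behaviour, because isInstance returns false for null, leaving one rejection path for a lookup keyed on the client-supplied token. getForm starts in the previous hunk.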