import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.cacert.gigi.output.Form;
import org.cacert.gigi.output.template.IterableDataset;
import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
import org.cacert.gigi.pages.Page;
public class ViewOrgPage extends Page {
@Override
public boolean isPermitted(User u) {
- return u != null && u.isInGroup(CreateOrgPage.ORG_ASSURER);
+ return u != null && (u.isInGroup(CreateOrgPage.ORG_ASSURER) || u.getOrganisations().size() != 0);
}
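Review bot: `u.getOrganisations().size() != 0` on L16 reads better as `!u.getOrganisations().isEmpty()`, and since this widening means every organisation admin now reaches the page, isPermitted is no longer the only gate — each handler has to do its own authorization, which the rest of this commit does for doPost and doGet. If getOrganisations() hits the database (not visible here), note that it will now run on every permission check for every logged-in user; a comment such as `// org admins may view their own organisations; per-handler checks restrict what they may do` would make the intent clear to the next reader.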
@Override
public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
try {
+ User u = LoginPage.getUser(req);
+ if ( !u.isInGroup(CreateOrgPage.ORG_ASSURER)) {
+ return;
+ }
if (req.getParameter("affiliate") != null) {
AffiliationForm form = Form.getForm(req, AffiliationForm.class);
form.submit(resp.getWriter(), req);
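Review bot: The bare `return;` on L23 means a logged-in organisation admin who is not an ORG_ASSURER gets an empty 200 response when posting the affiliation form, which neither tells the user it was refused nor shows up as a denied request in logs; send an explicit error instead, `resp.sendError(403); return;` (or 404 if the page should not reveal the distinction, matching doGet). `u` from L21 is dereferenced without a null check; if isPermitted on L14 is always enforced before doPost that is safe, but a defensive `if (u == null || !u.isInGroup(...))` costs nothing. The try block opened on L20 and the rest of doPost continue outside the hunk.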
@Override
public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+ User u = LoginPage.getUser(req);
String idS = req.getPathInfo();
Language lang = getLanguage(req);
PrintWriter out = resp.getWriter();
if (idS.length() < DEFAULT_PATH.length() + 2) {
final Organisation[] orgas = Organisation.getOrganisations(0, 30);
HashMap<String, Object> map = new HashMap<>();
- map.put("orgas", new IterableDataset() {
-
- int count = 0;
-
- @Override
- public boolean next(Language l, Map<String, Object> vars) {
- if (count >= orgas.length)
- return false;
- Organisation org = orgas[count++];
- vars.put("id", Integer.toString(org.getId()));
- vars.put("name", org.getName());
- vars.put("country", org.getState());
- return true;
- }
- });
+ final List<Organisation> myOrgs = u.getOrganisations();
+ final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
+ if (orgAss) {
+ map.put("orgas", makeOrgDataset(orgas));
+ } else {
+ map.put("orgas", makeOrgDataset(myOrgs.toArray(new Organisation[myOrgs.size()])));
+ }
this.orgas.output(out, lang, map);
return;
}
idS = idS.substring(DEFAULT_PATH.length() + 1);
int id = Integer.parseInt(idS);
Organisation o = Organisation.getById(id);
- if (o == null) {
+ final List<Organisation> myOrgs = u.getOrganisations();
+ final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
+ if (o == null || ( !orgAss && !myOrgs.contains(o))) {
resp.sendError(404);
return;
}
vars.put("affForm", new AffiliationForm(req, o));
mainTempl.output(out, lang, vars);
}
+
+ private IterableDataset makeOrgDataset(final Organisation[] orgas) {
+ return new IterableDataset() {
+
+ int count = 0;
+
+ @Override
+ public boolean next(Language l, Map<String, Object> vars) {
+ if (count >= orgas.length)
+ return false;
+ Organisation org = orgas[count++];
+ vars.put("id", Integer.toString(org.getId()));
+ vars.put("name", org.getName());
+ vars.put("country", org.getState());
+ return true;
+ }
+ };
+ }
}
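Review bot: `myOrgs` and `orgAss` are computed twice (L52–L53 and L66–L67) in mutually exclusive branches; compute them once directly after `User u = LoginPage.getUser(req);` on L30 and drop both copies, so the authorization inputs for the list view and the detail view cannot drift apart. The detail check on L68 depends on `myOrgs.contains(o)` using Organisation's equality — if Organisation does not override equals, this only works when getById and getOrganisations hand back the same instances; the test on L127 expects 200 for an admin, so it presumably does, but worth confirming since a mismatch would fail closed with 404 for legitimate admins. Returning 404 rather than 403 for a foreign organisation is the right choice here because it does not confirm which ids exist. A non-assurer admin still gets the affiliation form rendered on L72 although doPost now refuses it for them; consider gating that `vars.put` on `orgAss` or documenting why the form is shown regardless.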
package org.cacert.gigi.pages.orga;
+import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.*;
import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLConnection;
import java.net.URLEncoder;
import java.util.List;
import org.cacert.gigi.dbObjects.Organisation;
import org.cacert.gigi.dbObjects.Organisation.Affiliation;
import org.cacert.gigi.dbObjects.User;
+import org.cacert.gigi.testUtils.IOUtils;
import org.cacert.gigi.testUtils.ManagedTest;
import org.junit.Test;
orgs = Organisation.getOrganisations(0, 30);
assertEquals("name1", orgs[0].getName());
}
+
+ @Test
+ public void testNonAssurerSeeOnlyOwn() throws IOException {
+ User u2 = User.getById(createVerifiedUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ Organisation o1 = new Organisation("name21", "DE", "sder", "Rostov", u);
+ Organisation o2 = new Organisation("name12", "DE", "sder", "Rostov", u);
+ o1.addAdmin(u2, u2, false);
+ String session2 = login(u2.getEmail(), TEST_PASSWORD);
+
+ URLConnection uc = new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH).openConnection();
+ uc.addRequestProperty("Cookie", session2);
+ String content = IOUtils.readURL(uc);
+ assertThat(content, containsString("name21"));
+ assertThat(content, not(containsString("name12")));
+ uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o1.getId()).openConnection(), session2);
+ assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+ uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o2.getId()).openConnection(), session2);
+ assertEquals(404, ((HttpURLConnection) uc).getResponseCode());
+
+ uc = new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH).openConnection();
+ uc.addRequestProperty("Cookie", session);
+ content = IOUtils.readURL(uc);
+ assertThat(content, containsString("name21"));
+ assertThat(content, containsString("name12"));
+ uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o1.getId()).openConnection(), session);
+ assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+ uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o2.getId()).openConnection(), session);
+ assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+ }
}
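Review bot: The new test exercises the doGet gate (L127, L129) but nothing covers the doPost gate added in this commit, so a regression that lets a non-assurer admin submit the affiliation form would pass unnoticed; add a test that posts the affiliation form as `session2` against `o1` and asserts the organisation's affiliations are unchanged (and, once doPost returns an error code, asserts that code). Cookie handling is mixed: L122 and L132 use `uc.addRequestProperty("Cookie", …)` while L126 onward use the `cookie(…)` helper — use the helper throughout. A one-line Javadoc such as `/** A non-assurer organisation admin sees and opens only organisations they administer; an assurer sees all. */` would state the contract the assertions encode.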