add: prevent supporters from modifying their own accounts via support

author Felix Dörre <felix@dogcraft.de>

Fri, 26 Aug 2016 08:08:24 +0000 (10:08 +0200)

committer Felix Dörre <felix@dogcraft.de>

Mon, 29 Aug 2016 11:33:35 +0000 (13:33 +0200)
author Felix Dörre <felix@dogcraft.de>
Fri, 26 Aug 2016 08:08:24 +0000 (10:08 +0200)
committer Felix Dörre <felix@dogcraft.de>
Mon, 29 Aug 2016 11:33:35 +0000 (13:33 +0200)
diff --git a/src/org/cacert/gigi/dbObjects/SupportedUser.java b/src/org/cacert/gigi/dbObjects/SupportedUser.java

index 940e67fc89b689c7bfa8e8e2ecdda5100fbab81d..67b5e1199e2167da36278dfef0af200bbce082c3 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/SupportedUser.java
+++ b/src/org/cacert/gigi/dbObjects/SupportedUser.java
@@ -127,7 +127,7 @@ public class SupportedUser {
          }
      }
  
-    public void revoke(Group toMod) {
+    public void revoke(Group toMod) throws GigiApiException {
          target.revokeGroup(supporter, toMod);
          String subject = "Change Group Permissions";
          // send notification to support
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java

index 69b76ad2004ec9aa24c5401b7d8f1f0f42845c12..b259968816e7891f686e20ccffd693edb1a3c144 100644 (file)
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -448,6 +448,9 @@ public class User extends CertificateOwner {
          if (toGrant.isManagedBySupport() && !granter.isInGroup(Group.SUPPORTER)) {
              throw new GigiApiException("Group may only be managed by supporter");
          }
+        if (toGrant.isManagedBySupport() && granter == this) {
+            throw new GigiApiException("Group may only be managed by supporter that is not oneself");
+        }
          groups.add(toGrant);
          try (GigiPreparedStatement ps = new GigiPreparedStatement("INSERT INTO `user_groups` SET `user`=?, `permission`=?::`userGroup`, `grantedby`=?")) {
              ps.setInt(1, getId());
@@ -457,7 +460,10 @@ public class User extends CertificateOwner {
          }
      }
  
-    public void revokeGroup(User revoker, Group toRevoke) {
+    public void revokeGroup(User revoker, Group toRevoke) throws GigiApiException {
+        if (toRevoke.isManagedBySupport() && !revoker.isInGroup(Group.SUPPORTER)) {
+            throw new GigiApiException("Group may only be managed by supporter");
+        }
          groups.remove(toRevoke);
          try (GigiPreparedStatement ps = new GigiPreparedStatement("UPDATE `user_groups` SET `deleted`=CURRENT_TIMESTAMP, `revokedby`=? WHERE `deleted` IS NULL AND `permission`=?::`userGroup` AND `user`=?")) {
              ps.setInt(1, revoker.getId());
diff --git a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java

index ac7ffd00bb68e69b22478c7fc378ed9215d5d482..d3589c8e4ad6b9a187b681400f7251a6399c7634 100644 (file)
--- a/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
+++ b/src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java
@@ -18,6 +18,7 @@ import org.cacert.gigi.output.GroupIterator;
  import org.cacert.gigi.output.GroupSelector;
  import org.cacert.gigi.output.template.Form;
  import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
  
  public class SupportUserDetailsForm extends Form {
  
@@ -40,6 +41,9 @@ public class SupportUserDetailsForm extends Form {
          if (user.getTicket() == null) {
              return false;
          }
+        if (user.getTargetUser() == LoginPage.getUser(req)) {
+            throw new GigiApiException("Supporter may not modify himself.");
+        }
          if ((req.getParameter("detailupdate") != null ? 1 : 0) + (req.getParameter("addGroup") != null ? 1 : 0) + (req.getParameter("removeGroup") != null ? 1 : 0) + (req.getParameter("resetPass") != null ? 1 : 0) != 1) {
              throw new GigiApiException("More than one action requested!");
          }
diff --git a/util-testing/org/cacert/gigi/pages/Manager.java b/util-testing/org/cacert/gigi/pages/Manager.java

index 2fd78ba7195bf3b84618e5b8df46e00d8015ed15..ec709a1700733291bcfa0532ee4f3f30fd1cf4f6 100644 (file)
--- a/util-testing/org/cacert/gigi/pages/Manager.java
+++ b/util-testing/org/cacert/gigi/pages/Manager.java
@@ -296,16 +296,16 @@ public class Manager extends Page {
                  resp.getWriter().println("User not found.");
                  return;
              }
-            if (req.getParameter("addpriv") != null) {
-                try {
+            try {
+                if (req.getParameter("addpriv") != null) {
                      u.grantGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
-                } catch (GigiApiException e) {
-                    throw new Error(e);
+                    resp.getWriter().println("Privilege granted");
+                } else {
+                    u.revokeGroup(getSupporter(), Group.getByString(req.getParameter("priv")));
+                    resp.getWriter().println("Privilege revoked");
                  }
-                resp.getWriter().println("Privilege granted");
-            } else {
-                u.revokeGroup(u, Group.getByString(req.getParameter("priv")));
-                resp.getWriter().println("Privilege revoked");
+            } catch (GigiApiException e) {
+                throw new Error(e);
              }
          } else if (req.getParameter("fetch") != null) {
              String mail = req.getParameter("femail");
author	Felix Dörre <felix@dogcraft.de>
	Fri, 26 Aug 2016 08:08:24 +0000 (10:08 +0200)
committer	Felix Dörre <felix@dogcraft.de>
	Mon, 29 Aug 2016 11:33:35 +0000 (13:33 +0200)
src/org/cacert/gigi/dbObjects/SupportedUser.java		patch \| blob \| history
src/org/cacert/gigi/dbObjects/User.java		patch \| blob \| history
src/org/cacert/gigi/pages/admin/support/SupportUserDetailsForm.java		patch \| blob \| history
util-testing/org/cacert/gigi/pages/Manager.java		patch \| blob \| history