add: check for valid entries in organisation form
authorINOPIAE <m.maengel@inopiae.de>
Fri, 1 Jul 2016 19:05:06 +0000 (21:05 +0200)
committerFelix Dörre <felix@dogcraft.de>
Sun, 3 Jul 2016 19:50:21 +0000 (21:50 +0200)
Change-Id: I52724e5ab62ac17e686a8db889fe34034366b087

src/org/cacert/gigi/database/DatabaseConnection.java
src/org/cacert/gigi/database/tableStructure.sql
src/org/cacert/gigi/database/upgrade/from_15.sql [new file with mode: 0644]
src/org/cacert/gigi/pages/orga/CreateOrgForm.java
tests/org/cacert/gigi/pages/orga/TestOrgManagement.java

index b4f2f0b..abd4c93 100644 (file)
@@ -122,7 +122,7 @@ public class DatabaseConnection {
 
     }
 
-    public static final int CURRENT_SCHEMA_VERSION = 15;
+    public static final int CURRENT_SCHEMA_VERSION = 16;
 
     public static final int CONNECTION_TIMEOUT = 24 * 60 * 60;
 
index 8cd2911..eddd1a6 100644 (file)
@@ -38,8 +38,8 @@ CREATE TABLE IF NOT EXISTS "organisations" (
   "id" int NOT NULL,
   "name" varchar(64) NOT NULL,
   "state" varchar(2) NOT NULL,
-  "province" varchar(100) NOT NULL,
-  "city" varchar(100) NOT NULL,
+  "province" varchar(128) NOT NULL,
+  "city" varchar(128) NOT NULL,
   "contactEmail" varchar(100) NOT NULL,
   "creator" int NOT NULL,
   "optional_name" text,
@@ -376,7 +376,7 @@ CREATE TABLE "schemeVersion" (
   "version" smallint NOT NULL,
   PRIMARY KEY ("version")
 );
-INSERT INTO "schemeVersion" (version)  VALUES(15);
+INSERT INTO "schemeVersion" (version)  VALUES(16);
 
 DROP TABLE IF EXISTS `passwordResetTickets`;
 CREATE TABLE `passwordResetTickets` (
diff --git a/src/org/cacert/gigi/database/upgrade/from_15.sql b/src/org/cacert/gigi/database/upgrade/from_15.sql
new file mode 100644 (file)
index 0000000..c7902bb
--- /dev/null
@@ -0,0 +1,2 @@
+ALTER TABLE "organisations" ALTER "province" TYPE varchar(128);
+ALTER TABLE "organisations" ALTER "city" TYPE varchar(128);
index 5e6b35a..57f39d6 100644 (file)
@@ -7,8 +7,10 @@ import javax.servlet.http.HttpServletRequest;
 
 import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Organisation;
+import org.cacert.gigi.email.EmailProvider;
 import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.template.Form;
+import org.cacert.gigi.output.template.SprintfCommand;
 import org.cacert.gigi.output.template.Template;
 import org.cacert.gigi.pages.LoginPage;
 
@@ -57,44 +59,63 @@ public class CreateOrgForm extends Form {
         if (action == null) {
             return false;
         }
-        if (action.equals("new")) {
-            o = req.getParameter("O");
-            c = req.getParameter("C");
-            st = req.getParameter("ST");
-            l = req.getParameter("L");
-            email = req.getParameter("contact");
-            optionalName = req.getParameter("optionalName");
-            postalAddress = req.getParameter("postalAddress");
 
+        if (action.equals("new")) {
+            checkCertData(req);
+            checkOrganisationData(req);
             Organisation ne = new Organisation(o, c, st, l, email, optionalName, postalAddress, LoginPage.getUser(req));
             result = ne;
             return true;
         } else if (action.equals("updateOrganisationData")) {
-            updateOrganisationData(out, req);
+            checkOrganisationData(req);
+            result.updateOrgData(email, optionalName, postalAddress);
             return true;
         } else if (action.equals("updateCertificateData")) {
-            updateCertificateData(out, req);
+            checkCertData(req);
+            result.updateCertData(o, c, st, l);
             return true;
         }
 
         return false;
     }
 
-    private void updateOrganisationData(PrintWriter out, HttpServletRequest req) throws GigiApiException {
-        email = req.getParameter("contact");
-        optionalName = req.getParameter("optionalName");
-        postalAddress = req.getParameter("postalAddress");
-
-        result.updateOrgData(email, optionalName, postalAddress);
+    private void checkOrganisationData(HttpServletRequest req) throws GigiApiException {
+        email = extractParam(req, "contact");
+        optionalName = extractParam(req, "optionalName");
+        postalAddress = extractParam(req, "postalAddress");
+        if ( !EmailProvider.MAIL.matcher(email).matches()) {
+            throw new GigiApiException("Contact email is not a valid email address");
+        }
     }
 
-    private void updateCertificateData(PrintWriter out, HttpServletRequest req) throws GigiApiException {
-        o = req.getParameter("O");
-        c = req.getParameter("C");
-        st = req.getParameter("ST");
-        l = req.getParameter("L");
+    private void checkCertData(HttpServletRequest req) throws GigiApiException {
+        o = extractParam(req, "O");
+        c = extractParam(req, "C");
+        st = extractParam(req, "ST");
+        l = extractParam(req, "L");
+
+        if (o.length() > 64 || o.length() < 1) {
+            throw new GigiApiException(SprintfCommand.createSimple("{0} not given or longer than {1} characters", "Organisation name", 64));
+        }
+        if (c.length() != 2) {
+            throw new GigiApiException(SprintfCommand.createSimple("{0} not given or not exactly {1} characters long", "Country code", 2));
+        }
 
-        result.updateCertData(o, c, st, l);
+        if (st.length() > 128 || st.length() < 1) {
+            throw new GigiApiException(SprintfCommand.createSimple("{0} not given or longer than {1} characters", "State/county", 128));
+        }
+
+        if (l.length() > 128 || l.length() < 1) {
+            throw new GigiApiException(SprintfCommand.createSimple("{0} not given or longer than {1} characters", "Town/suburb", 128));
+        }
+    }
+
+    private String extractParam(HttpServletRequest req, String name) {
+        String parameter = req.getParameter(name);
+        if (parameter == null) {
+            return "";
+        }
+        return parameter.trim();
     }
 
     public Organisation getResult() {
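Review bot: `checkOrganisationData` validates the contact address only against `EmailProvider.MAIL` and never its length, while `tableStructure.sql` in this same commit keeps `"contactEmail"` at `varchar(100)`; an over-long but syntactically valid address would therefore be rejected at the database layer instead of with the translatable message the other fields now get. Add, after the pattern check, `if (email.length() > 100) { throw new GigiApiException(SprintfCommand.createSimple("{0} not given or longer than {1} characters", "Contact email", 100)); }`, mirroring the bounds already applied in `checkCertData`. Whether `EmailProvider.MAIL` rejects the empty string that `extractParam` returns for a missing parameter is not visible here; if it does not, an explicit `email.isEmpty()` check belongs in the same place. The method at the top of the hunk begins outside it.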
index 80db6bd..7276710 100644 (file)
@@ -36,10 +36,10 @@ public class TestOrgManagement extends OrgTest {
         for (Organisation i : Organisation.getOrganisations(0, 30)) {
             i.delete();
         }
-        executeBasicWebInteraction(cookie, CreateOrgPage.DEFAULT_PATH, "action=new&O=name&contact=mail&L=K%C3%B6ln&ST=" + URLEncoder.encode(DIFFICULT_CHARS, "UTF-8") + "&C=DE&comments=jkl%C3%B6loiuzfdfgjlh%C3%B6&optionalName=opname&postalAddress=postaladdress", 0);
+        executeBasicWebInteraction(cookie, CreateOrgPage.DEFAULT_PATH, "action=new&O=name&contact=mail@serv.tld&L=K%C3%B6ln&ST=" + URLEncoder.encode(DIFFICULT_CHARS, "UTF-8") + "&C=DE&comments=jkl%C3%B6loiuzfdfgjlh%C3%B6&optionalName=opname&postalAddress=postaladdress", 0);
         Organisation[] orgs = Organisation.getOrganisations(0, 30);
         assertEquals(1, orgs.length);
-        assertEquals("mail", orgs[0].getContactEmail());
+        assertEquals("mail@serv.tld", orgs[0].getContactEmail());
         assertEquals("name", orgs[0].getName());
         assertEquals("Köln", orgs[0].getCity());
         assertEquals(DIFFICULT_CHARS, orgs[0].getProvince());
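Review bot: The updated test only exercises the accepted path; none of the rejections this commit adds to `CreateOrgForm` (invalid `contact`, empty or over-long `O`, `C` not exactly two characters, `ST`/`L` beyond 128 characters) is asserted, so the new validation has no regression coverage. Add at least one negative interaction, for example re-submitting the same form with the previous `contact=mail` value and then asserting that `Organisation.getOrganisations(0, 30).length` is unchanged. How an error response is surfaced through `executeBasicWebInteraction` is not visible here, so the organisation count is the conservative assertion. The enclosing test method starts outside the hunk.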