From 08dd246cc6dbef3e83979622c9fd4fc10b749007 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 31 Oct 2014 09:50:18 +0100
Subject: [PATCH] Allow viewing of one's own orgas.

---
 .../cacert/gigi/pages/orga/ViewOrgPage.java   | 53 +++++++++++++------
 .../gigi/pages/orga/TestOrgaManagement.java   | 34 ++++++++++++
 2 files changed, 70 insertions(+), 17 deletions(-)

diff --git a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
index a26b7131..e283f4a6 100644
--- a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
+++ b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
@@ -3,6 +3,7 @@ package org.cacert.gigi.pages.orga;
 import java.io.IOException;
 import java.io.PrintWriter;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import javax.servlet.http.HttpServletRequest;
@@ -15,6 +16,7 @@ import org.cacert.gigi.localisation.Language;
 import org.cacert.gigi.output.Form;
 import org.cacert.gigi.output.template.IterableDataset;
 import org.cacert.gigi.output.template.Template;
+import org.cacert.gigi.pages.LoginPage;
 import org.cacert.gigi.pages.Page;
 
 public class ViewOrgPage extends Page {
@@ -31,12 +33,16 @@ public class ViewOrgPage extends Page {
 
     @Override
     public boolean isPermitted(User u) {
-        return u != null && u.isInGroup(CreateOrgPage.ORG_ASSURER);
+        return u != null && (u.isInGroup(CreateOrgPage.ORG_ASSURER) || u.getOrganisations().size() != 0);
     }
 
     @Override
     public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
         try {
+            User u = LoginPage.getUser(req);
+            if ( !u.isInGroup(CreateOrgPage.ORG_ASSURER)) {
+                return;
+            }
             if (req.getParameter("affiliate") != null) {
                 AffiliationForm form = Form.getForm(req, AffiliationForm.class);
                 form.submit(resp.getWriter(), req);
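Review bot: The guard added at the top of doPost returns silently when the caller is not an ORG_ASSURER, so a non-assurer who can now reach this page through the widened isPermitted gets a 200 with an empty body instead of a refusal. Because the rest of the method mutates affiliations on the caller's behalf, the refusal should be explicit and visible to the client: `if ( !u.isInGroup(CreateOrgPage.ORG_ASSURER)) { resp.sendError(HttpServletResponse.SC_FORBIDDEN); return; }`. The guard also dereferences `u` without a null check, which is only safe if the servlet framework consults isPermitted before dispatching to doPost; the hunk does not show that, so a one-line comment on the guard stating the assumption would help the next reader. doPost's body continues past the end of the hunk.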
@@ -51,34 +57,29 @@ public class ViewOrgPage extends Page {
 
     @Override
     public void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
+        User u = LoginPage.getUser(req);
         String idS = req.getPathInfo();
         Language lang = getLanguage(req);
         PrintWriter out = resp.getWriter();
         if (idS.length() < DEFAULT_PATH.length() + 2) {
             final Organisation[] orgas = Organisation.getOrganisations(0, 30);
             HashMap map = new HashMap<>();
-            map.put("orgas", new IterableDataset() {
-
-                int count = 0;
-
-                @Override
-                public boolean next(Language l, Map vars) {
-                    if (count >= orgas.length)
-                        return false;
-                    Organisation org = orgas[count++];
-                    vars.put("id", Integer.toString(org.getId()));
-                    vars.put("name", org.getName());
-                    vars.put("country", org.getState());
-                    return true;
-                }
-            });
+            final List myOrgs = u.getOrganisations();
+            final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
+            if (orgAss) {
+                map.put("orgas", makeOrgDataset(orgas));
+            } else {
+                map.put("orgas", makeOrgDataset(myOrgs.toArray(new Organisation[myOrgs.size()])));
+            }
             this.orgas.output(out, lang, map);
             return;
         }
         idS = idS.substring(DEFAULT_PATH.length() + 1);
         int id = Integer.parseInt(idS);
         Organisation o = Organisation.getById(id);
-        if (o == null) {
+        final List myOrgs = u.getOrganisations();
+        final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
+        if (o == null || ( !orgAss && !myOrgs.contains(o))) {
             resp.sendError(404);
             return;
         }
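Review bot: `myOrgs` and `orgAss` are computed twice in doGet — once inside the listing branch and again after `Organisation.getById` — so the authorization inputs of the two paths can drift apart under later edits; hoisting the two lines to directly after `User u = LoginPage.getUser(req);` removes the duplication. The per-organisation check `!orgAss && !myOrgs.contains(o)` relies on `Organisation` equality: if `getById` and `getOrganisations` can return distinct, non-equal instances for the same id, a legitimate admin is denied with a 404, so either compare ids explicitly or document the dependency with `// relies on Organisation equality by id: getById and getOrganisations must agree`. Answering the denied case with 404 rather than 403 is a good choice, since a non-admin cannot use it to confirm that an id exists. `Integer.parseInt(idS)` remains unguarded, so a non-numeric path segment escapes as a NumberFormatException instead of a 404; that predates this patch, but the widened isPermitted now exposes it to every organisation admin rather than only assurers.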
@@ -87,4 +88,22 @@ public class ViewOrgPage extends Page {
         vars.put("affForm", new AffiliationForm(req, o));
         mainTempl.output(out, lang, vars);
     }
+
+    private IterableDataset makeOrgDataset(final Organisation[] orgas) {
+        return new IterableDataset() {
+
+            int count = 0;
+
+            @Override
+            public boolean next(Language l, Map vars) {
+                if (count >= orgas.length)
+                    return false;
+                Organisation org = orgas[count++];
+                vars.put("id", Integer.toString(org.getId()));
+                vars.put("name", org.getName());
+                vars.put("country", org.getState());
+                return true;
+            }
+        };
+    }
 }
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java b/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
index 90355a49..45e25e69 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
@@ -1,8 +1,12 @@
 package org.cacert.gigi.pages.orga;
 
+import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
 
 import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLConnection;
 import java.net.URLEncoder;
 import java.util.List;
 
@@ -10,6 +14,7 @@ import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.Organisation.Affiliation;
 import org.cacert.gigi.dbObjects.User;
+import org.cacert.gigi.testUtils.IOUtils;
 import org.cacert.gigi.testUtils.ManagedTest;
 import org.junit.Test;
 
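Review bot: `makeOrgDataset` is a new private helper with no documentation, and its one surprising detail — the template key is `country` while the value comes from `org.getState()` — is carried over from the moved code without comment. I would add above the method `/** Wraps an array of organisations as a single-pass template dataset: each row carries id, name and country (taken from getState()). */` and next to the put `// template key is "country" although the value is getState()` so the mismatch reads as deliberate rather than as a bug. The `count` cursor is never reset, so a returned dataset can be iterated only once; that matches how doGet uses it but belongs in the Javadoc.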
@@ -63,4 +68,33 @@ public class TestOrgaManagement extends ManagedTest {
         orgs = Organisation.getOrganisations(0, 30);
         assertEquals("name1", orgs[0].getName());
     }
+
+    @Test
+    public void testNonAssurerSeeOnlyOwn() throws IOException {
+        User u2 = User.getById(createVerifiedUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+        Organisation o1 = new Organisation("name21", "DE", "sder", "Rostov", u);
+        Organisation o2 = new Organisation("name12", "DE", "sder", "Rostov", u);
+        o1.addAdmin(u2, u2, false);
+        String session2 = login(u2.getEmail(), TEST_PASSWORD);
+
+        URLConnection uc = new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH).openConnection();
+        uc.addRequestProperty("Cookie", session2);
+        String content = IOUtils.readURL(uc);
+        assertThat(content, containsString("name21"));
+        assertThat(content, not(containsString("name12")));
+        uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o1.getId()).openConnection(), session2);
+        assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+        uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o2.getId()).openConnection(), session2);
+        assertEquals(404, ((HttpURLConnection) uc).getResponseCode());
+
+        uc = new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH).openConnection();
+        uc.addRequestProperty("Cookie", session);
+        content = IOUtils.readURL(uc);
+        assertThat(content, containsString("name21"));
+        assertThat(content, containsString("name12"));
+        uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o1.getId()).openConnection(), session);
+        assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+        uc = cookie(new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH + "/" + o2.getId()).openConnection(), session);
+        assertEquals(200, ((HttpURLConnection) uc).getResponseCode());
+    }
 }
-- 
2.39.2
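Review bot: testNonAssurerSeeOnlyOwn exercises GET only, so the other half of the patch — the doPost guard that stops a non-assurer from submitting the affiliation form — has no test, and the `u.getOrganisations().size() != 0` branch of isPermitted is never checked against a verified user who administers no organisation. Adding a POST to `ViewOrgPage.DEFAULT_PATH + "/" + o1.getId()` with an `affiliate` parameter under `session2` and asserting that o1's admin list is unchanged, plus a GET under a third, organisation-less user asserting it does not receive 200, would pin both behaviours. As a minor style point, the two listing requests set the cookie through `uc.addRequestProperty("Cookie", ...)` while every detail request goes through the `cookie(...)` helper; using the helper throughout reads more consistently.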