From 280be756fb425fc8148ade698f51528e1e9106c2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sat, 18 Apr 2015 16:51:12 +0200
Subject: [PATCH] Add: Allow orga-masters to edit orga affiliations.
---
 src/org/cacert/gigi/dbObjects/Name.java | 8 ++--
 .../cacert/gigi/dbObjects/Organisation.java | 28 +++++++++++--
 .../cacert/gigi/pages/orga/ViewOrgPage.java | 9 ++--
 tests/org/cacert/gigi/TestOrga.java | 2 +-
 .../gigi/pages/orga/TestOrgaManagement.java | 41 +++++++++++++++++--
 5 files changed, 73 insertions(+), 15 deletions(-)
diff --git a/src/org/cacert/gigi/dbObjects/Name.java b/src/org/cacert/gigi/dbObjects/Name.java
index ed0aec6d..f6046c91 100644
--- a/src/org/cacert/gigi/dbObjects/Name.java
+++ b/src/org/cacert/gigi/dbObjects/Name.java
@@ -9,13 +9,13 @@ import org.cacert.gigi.util.HTMLEncoder;
 public class Name implements Outputable {
- private String fname;
+ private final String fname;
- private String mname;
+ private final String mname;
- private String lname;
+ private final String lname;
- private String suffix;
+ private final String suffix;
 public Name(String fname, String lname, String mname, String suffix) {
 this.fname = fname;
diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java
index d96f95a1..60957e51 100644
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
@@ -3,6 +3,7 @@ package org.cacert.gigi.dbObjects;
 import java.util.ArrayList;
 import java.util.List;
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.database.DatabaseConnection;
 import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.database.GigiResultSet;
@@ -51,7 +52,10 @@ public class Organisation extends CertificateOwner {
 private String email;
- public Organisation(String name, String state, String province, String city, String email, User creator) {
+ public Organisation(String name, String state, String province, String city, String email, User creator) throws GigiApiException {
+ if ( !creator.isInGroup(Group.ORGASSURER)) {
+ throw new GigiApiException("Only org-assurers may create organisations.");
+ }
 this.name = name;
 this.state = state;
 this.province = province;
@@ -109,7 +113,13 @@ public class Organisation extends CertificateOwner {
 return null;
 }
- public synchronized void addAdmin(User admin, User actor, boolean master) {
+ public synchronized void addAdmin(User admin, User actor, boolean master) throws GigiApiException {
+ if ( !admin.canAssure()) {
+ throw new GigiApiException("Cannot add non-assurer.");
+ }
+ if ( !actor.isInGroup(Group.ORGASSURER) && !isMaster(actor)) {
+ throw new GigiApiException("Only org assurer or master-admin may add admins to an organisation.");
+ }
 GigiPreparedStatement ps1 = DatabaseConnection.getInstance().prepare("SELECT 1 FROM org_admin WHERE orgid=? AND memid=? AND deleted is null");
 ps1.setInt(1, getId());
 ps1.setInt(2, admin.getId());
@@ -125,7 +135,10 @@ public class Organisation extends CertificateOwner {
 ps2.execute();
 }
- public void removeAdmin(User admin, User actor) {
+ public void removeAdmin(User admin, User actor) throws GigiApiException {
+ if ( !actor.isInGroup(Group.ORGASSURER) && !isMaster(actor)) {
+ throw new GigiApiException("Only org assurer or master-admin may delete admins from an organisation.");
+ }
 GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("UPDATE org_admin SET deleter=?, deleted=NOW() WHERE orgid=? AND memid=?");
 ps.setInt(1, actor.getId());
 ps.setInt(2, getId());
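Review bot: In addAdmin the new actor check ignores the master parameter, so an actor admitted only through the isMaster(actor) branch can add further master admins (master == true); the commit message says masters may edit affiliations but does not say whether they may create other masters, and if that is meant to stay with org-assurers, add `if (master && !actor.isInGroup(Group.ORGASSURER)) { throw new GigiApiException("Only org assurers may add master admins."); }` after the existing actor check. The same actor condition is repeated verbatim in removeAdmin in the following hunk with a slightly different message; a private helper such as `checkMayEditAdmins(actor)` called from both would keep condition and wording from drifting. Both method bodies continue outside the hunk.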
@@ -180,4 +193,13 @@ public class Organisation extends CertificateOwner {
 province = st;
 city = l;
 }
+
+ public boolean isMaster(User u) {
+ for (Affiliation i : getAllAdmins()) {
+ if (i.isMaster() && i.getTarget() == u) {
+ return true;
+ }
+ }
+ return false;
+ }
 }
diff --git a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
index 16c8bc53..3996095e 100644
--- a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
+++ b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
@@ -40,17 +40,20 @@ public class ViewOrgPage extends Page {
 public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
 try {
 User u = LoginPage.getUser(req);
- if ( !u.isInGroup(CreateOrgPage.ORG_ASSURER)) {
- return;
- }
 if (req.getParameter("do_affiliate") != null || req.getParameter("del") != null) {
 AffiliationForm form = Form.getForm(req, AffiliationForm.class);
 if (form.submit(resp.getWriter(), req)) {
 resp.sendRedirect(DEFAULT_PATH + "/" + form.getOrganisation().getId());
 }
+ return;
 } else {
+ if ( !u.isInGroup(CreateOrgPage.ORG_ASSURER)) {
+ resp.sendError(403, "Access denied");
+ return;
+ }
 Form.getForm(req, CreateOrgForm.class).submit(resp.getWriter(), req);
 }
+
 } catch (GigiApiException e) {
 e.format(resp.getWriter(), getLanguage(req));
 }
diff --git a/tests/org/cacert/gigi/TestOrga.java b/tests/org/cacert/gigi/TestOrga.java
index d6143718..5f93228b 100644
--- a/tests/org/cacert/gigi/TestOrga.java
+++ b/tests/org/cacert/gigi/TestOrga.java
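Review bot: isMaster decides with `i.getTarget() == u`, a reference comparison; unless User instances are canonical (the tests call clearCaches(), which hints at a cache, but nothing in this diff shows that getTarget() and the actor passed to addAdmin/removeAdmin resolve to the same object) a legitimate master holding a different User instance for the same account is denied, so the check fails closed rather than open but still misbehaves. Comparing by id, `if (i.isMaster() && i.getTarget().getId() == u.getId()) {`, removes the dependency on instance identity. Since this method is now the authorization predicate for addAdmin and removeAdmin, a one-line Javadoc saying so (and that it reflects the current, non-deleted admin list as returned by getAllAdmins) would help the next reader; getAllAdmins itself is outside the hunk.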
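Review bot: With the page-level group check gone, the do_affiliate/del branch is authorized solely by what AffiliationForm.submit and the Organisation methods it calls throw, and a denied attempt surfaces here as a GigiApiException that is rendered via e.format() with the response status left at its default, whereas the create branch answers 403. Because the same catch also receives ordinary validation errors, a blanket 403 would be wrong; but the new `return;` deserves a comment such as `// authorization for affiliation changes is enforced in Organisation.addAdmin/removeAdmin` so the missing check here is not mistaken for an omission. doPost's closing brace lies outside the hunk.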
@@ -10,7 +10,7 @@ import org.junit.Test;
 public class TestOrga extends ManagedTest {
 @Test
- public void testAddRm() {
+ public void testAddRm() throws GigiApiException {
 User u1 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
 User u2 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
 User u3 = User.getById(createVerifiedUser("fn", "ln", createUniqueName() + "@email.org", TEST_PASSWORD));
diff --git a/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java b/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
index ccb94145..c8a6c139 100644
--- a/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
+++ b/tests/org/cacert/gigi/pages/orga/TestOrgaManagement.java
@@ -10,6 +10,7 @@ import java.net.URLConnection;
 import java.net.URLEncoder;
 import java.util.List;
+import org.cacert.gigi.GigiApiException;
 import org.cacert.gigi.dbObjects.Group;
 import org.cacert.gigi.dbObjects.Organisation;
 import org.cacert.gigi.dbObjects.Organisation.Affiliation;
@@ -21,7 +22,7 @@ import org.junit.Test;
 public class TestOrgaManagement extends ClientTest {
 public TestOrgaManagement() throws IOException {
- u.grantGroup(u, Group.getByString("orgassurer"));
+ u.grantGroup(u, Group.ORGASSURER);
 makeAssurer(u.getId());
 clearCaches();
 cookie = login(email, TEST_PASSWORD);
@@ -68,11 +69,11 @@ public class TestOrgaManagement extends ClientTest {
 }
 @Test
- public void testNonAssurerSeeOnlyOwn() throws IOException {
- User u2 = User.getById(createVerifiedUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ public void testNonAssurerSeeOnlyOwn() throws IOException, GigiApiException {
+ User u2 = User.getById(createAssuranceUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
 Organisation o1 = new Organisation("name21", "DE", "sder", "Rostov", "email", u);
 Organisation o2 = new Organisation("name12", "DE", "sder", "Rostov", "email", u);
- o1.addAdmin(u2, u2, false);
+ o1.addAdmin(u2, u, false);
 String session2 = login(u2.getEmail(), TEST_PASSWORD);
 URLConnection uc = new URL("https://" + getServerName() + ViewOrgPage.DEFAULT_PATH).openConnection();
@@ -97,4 +98,36 @@ public class TestOrgaManagement extends ClientTest {
 o1.delete();
 o2.delete();
 }
+
+ @Test
+ public void testAffiliationRights() throws IOException, GigiApiException {
+ User u2 = User.getById(createAssuranceUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ User u3 = User.getById(createAssuranceUser("testmaster", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ User u4_dummy = User.getById(createVerifiedUser("testmaster", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ Organisation o1 = new Organisation("name21", "DE", "sder", "Rostov", "email", u);
+ o1.addAdmin(u3, u, true);
+ try {
+ // must fail because u4 is no assurer
+ o1.addAdmin(u4_dummy, u3, false);
+ fail("No exception!");
+ } catch (GigiApiException e) {
+ }
+ o1.addAdmin(u2, u3, false);
+ try {
+ // must fail because u2 may not add admins
+ o1.addAdmin(u3, u2, false);
+ fail("No exception!");
+ } catch (GigiApiException e) {
+ }
+ try {
+ // must fail because u4 is no assurer
+ o1.addAdmin(u4_dummy, u, false);
+ fail("No exception!");
+ } catch (GigiApiException e) {
+ }
+ o1.removeAdmin(u2, u3);
+ o1.removeAdmin(u3, u3);
+ assertEquals(0, o1.getAllAdmins().size());
+ o1.delete();
+ }
 }
-- 2.39.2
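Review bot: testAffiliationRights covers three rejected addAdmin calls but no rejected removeAdmin call, so the new guard in removeAdmin (and a non-master admin's inability to remove a master) is never exercised; inserting `try { o1.removeAdmin(u3, u2); fail("No exception!"); } catch (GigiApiException e) { }` before the two successful removeAdmin calls would pin it. The three empty catch blocks silently discard the exception; naming the variable `ignored` or asserting on the message makes the expected failure explicit. The trailing o1.delete() is skipped whenever an earlier fail() or assertEquals fires, leaving the organisation and its admins in the database for later tests; wrapping the body in try/finally with the delete in the finally block keeps the fixture isolated.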