From 6693ce661f3def2bdfffbffe3b10ba25dc26970e Mon Sep 17 00:00:00 2001
From: INOPIAE
Date: Thu, 9 Aug 2018 16:34:48 +0200
Subject: [PATCH] add: make sure org admin cannot delete domain from org account
Only an Org RA Agent should be able to delete a domain from an organisation account
Change-Id: I2617f5e75afaea3a877036b4aa29d66abaefa3b6
---
 .../account/domain/DomainManagementForm.java | 13 ++++++++
 .../account/domain/DomainManagementForm.templ | 2 +-
 .../wpia/gigi/pages/orga/TestOrgDomain.java | 33 ++++++++++++++++++-
 tests/club/wpia/gigi/testUtils/OrgTest.java | 9 ++++-
 4 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.java b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.java
index 95fce624..eebf2207 100644
--- a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.java
+++ b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.java
@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.dbObjects.CertificateOwner;
 import club.wpia.gigi.dbObjects.Domain;
+import club.wpia.gigi.dbObjects.Organisation;
 import club.wpia.gigi.localisation.Language;
 import club.wpia.gigi.output.template.Form;
 import club.wpia.gigi.output.template.IterableDataset;
@@ -22,10 +23,13 @@ public class DomainManagementForm extends Form {
 private boolean foreign;
+ private boolean readOnly;
+
 public DomainManagementForm(HttpServletRequest hsr, CertificateOwner target, boolean foreign) {
 super(hsr);
 this.target = target;
 this.foreign = foreign;
+ readOnly = (target instanceof Organisation && !foreign);
 }
 @Override 
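Review bot: The new `readOnly` field in the constructor hunk is the only piece of authorisation state the form holds, yet it is neither `final` nor explained, and it is assigned without the `this.` prefix the two neighbouring assignments use. Since the flag is fixed at construction, declare it `private final boolean readOnly;` and assign `this.readOnly = target instanceof Organisation && !foreign;` so no later code path can quietly re-enable deletion. A one-line comment should also record the assumption the whole control rests on, e.g. `// an organisation's own admins get a view-only form; deletion is reserved for the foreign (Org RA Agent) view`, because the meaning of `foreign` is not visible in this file and, if the commit message is right, correctness depends entirely on callers passing it accurately.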
@@ -35,6 +39,9 @@ public class DomainManagementForm extends Form {
 int delId = Integer.parseInt(dels);
 Domain d = Domain.getById(delId);
 if (d != null && d.getOwner() == target) {
+ if (readOnly) {
+ throw new GigiApiException("You are not allowed to delete a domain.");
+ }
 d.delete();
 } else {
 throw new GigiApiException("Domain was not found.");
@@ -70,6 +77,12 @@ public class DomainManagementForm extends Form {
 }
 };
 vars.put("domains", dts);
+ if (readOnly) {
+ vars.put("buttonvisible", null);
+ } else {
+ vars.put("buttonvisible", "buttonvisible");
+ }
+
 t.output(out, l, vars);
 }
 }
diff --git a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
index c003a48a..d022c271 100644
--- a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
+++ b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
@@ -10,7 +10,7 @@ - + 
diff --git a/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java b/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java
index c758b7c6..a17586b2 100644
--- a/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java
+++ b/tests/club/wpia/gigi/pages/orga/TestOrgDomain.java
@@ -1,8 +1,10 @@
 package club.wpia.gigi.pages.orga;
+import static org.hamcrest.CoreMatchers.*;
 import static org.junit.Assert.*;
 import java.io.IOException;
+import java.net.URLConnection;
 import java.net.URLEncoder;
 import org.junit.Test;
@@ -10,7 +12,9 @@ import org.junit.Test;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.dbObjects.Domain;
 import club.wpia.gigi.dbObjects.Organisation;
-import club.wpia.gigi.pages.orga.ViewOrgPage;
+import club.wpia.gigi.dbObjects.User;
+import club.wpia.gigi.pages.account.domain.DomainOverview;
+import club.wpia.gigi.testUtils.IOUtils;
 import club.wpia.gigi.testUtils.OrgTest;
 public class TestOrgDomain extends OrgTest { 
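Review bot: In the submit hunk (-35) the `readOnly` refusal is evaluated only after `Integer.parseInt(dels)` and `Domain.getById(delId)` have run, so a form that may never delete still parses the request value and performs a database lookup before it is refused, and a non-numeric `dels` leaves this code as a NumberFormatException rather than a GigiApiException even for such a principal (unless something above the hunk catches it). Move the guard to the top of the delete branch, ahead of `int delId = Integer.parseInt(dels);`, so the authorisation decision does not depend on the lookup: `if (readOnly) { throw new GigiApiException("You are not allowed to delete a domain."); }`. Enforcing this server-side instead of relying on the hidden button is the right design; the enclosing submit method begins and ends outside the hunk.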
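Review bot: In the output hunk (-70) the five-line if/else only selects between two constants, and nothing records that it is presentation only; `vars.put("buttonvisible", readOnly ? null : "buttonvisible");` says the same in one line. A comment such as `// presentation only: the submit-side readOnly check refuses deletes independently of this` would stop a future reader from mistaking the missing button for the control itself. Whether the template treats a null value as "attribute absent" cannot be checked here because the .templ hunk's content did not survive in this patch, so please confirm that null rather than the empty string is what it keys on. The enclosing output method starts outside the hunk.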
@@ -87,4 +91,31 @@ public class TestOrgDomain extends OrgTest {
 assertEquals(0, o1.getDomains().length);
 assertEquals(0, u.getDomains().length);
 }
+
+ @Test
+ public void testDelAsAdmin() throws IOException, GigiApiException {
+ Organisation o = createUniqueOrg();
+ String dom = createUniqueName() + ".de";
+ Domain d = new Domain(u, o, dom);
+ assertEquals(1, o.getDomains().length);
+ User admin = createOrgAdmin(o);
+ String adminCookie = login(admin.getEmail(), TEST_PASSWORD);
+ assertNull(executeBasicWebInteraction(adminCookie, SwitchOrganisation.PATH, "org:" + o.getId() + "=y", 0));
+
+ // test that delete button is not displayed
+ URLConnection uc = get(adminCookie, DomainOverview.PATH);
+ uc.setDoOutput(true);
+ String res = IOUtils.readURL(uc);
+ assertThat(res, not(containsString("Delete")));
+
+ // test that domain cannot be deleted by organisation administrator
+ assertNull(executeBasicWebInteraction(adminCookie, SwitchOrganisation.PATH, "org:" + o.getId() + "=y", 0));
+ uc = post(adminCookie, DomainOverview.PATH, "delete=" + d.getId(), 0);
+ res = IOUtils.readURL(uc);
+ assertThat(res, containsString("You are not allowed to delete a domain."));
+
+ // verify that domain still belongs to organisation
+ assertEquals(1, o.getDomains().length);
+
+ }
 }
diff --git a/tests/club/wpia/gigi/testUtils/OrgTest.java b/tests/club/wpia/gigi/testUtils/OrgTest.java
index 6a0c4d1c..2d79c5a4 100644
--- a/tests/club/wpia/gigi/testUtils/OrgTest.java
+++ b/tests/club/wpia/gigi/testUtils/OrgTest.java
@@ -4,9 +4,10 @@ import java.io.IOException;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.dbObjects.Country;
+import club.wpia.gigi.dbObjects.Country.CountryCodeType;
 import club.wpia.gigi.dbObjects.Group;
 import club.wpia.gigi.dbObjects.Organisation;
-import club.wpia.gigi.dbObjects.Country.CountryCodeType;
+import club.wpia.gigi.dbObjects.User;
 public class OrgTest extends ClientTest { 
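Review bot: `uc.setDoOutput(true)` on the connection returned by `get(adminCookie, DomainOverview.PATH)` looks wrong for a request that only reads the page: on an HttpURLConnection it switches the request method to POST and throws IllegalStateException if `get()` has already connected, so the line should go unless `get()` deliberately hands back an unconnected connection (not visible here). The negative assertion `assertThat(res, not(containsString("Delete")))` is also weak on its own — it passes when the page failed to render at all and fails on any unrelated use of the word — so pair it with a check that the listing rendered, e.g. `assertThat(res, containsString(dom));`, and match the button's actual markup rather than the bare word. The matching positive case, that the foreign (Org RA Agent) view can still delete after this change, is not in this hunk; if the existing tests above do not already cover it, add it so the `readOnly` derivation is pinned from both sides.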
@@ -21,4 +22,10 @@ public class OrgTest extends ClientTest {
 Organisation o1 = new Organisation(createUniqueName(), Country.getCountryByCode("DE", CountryCodeType.CODE_2_CHARS), "pr", "city", "test@example.com", "", "", u);
 return o1;
 }
+
+ public User createOrgAdmin(Organisation o) throws GigiApiException {
+ User ua = User.getById(createVerificationUser("testworker", "testname", createUniqueName() + "@testdom.com", TEST_PASSWORD));
+ o.addAdmin(ua, u, true);
+ return ua;
+ }
 }
-- 
2.39.2
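Review bot: `createOrgAdmin` passes a bare `true` to `o.addAdmin(ua, u, true)` and carries no Javadoc, so a test author cannot tell what kind of administrator the helper produces or that the grant is made by the fixture user `u`. Add a Javadoc summary along the lines of "Creates a new verified user and registers it as an administrator of {@code o}, the grant being performed by the test user {@code u}; returns the new user." and name the flag inline: `o.addAdmin(ua, u, true); // third argument: admin privilege flag — confirm its meaning against Organisation.addAdmin`. `User.getById(...)` may also yield null if `createVerificationUser` ever returns an unknown id (cannot confirm from here); a null check before the grant, e.g. `assertNotNull(ua)` if the JUnit asserts are in scope in this base class, would surface that as a clear failure instead of a NullPointerException inside `addAdmin`.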