From 6b2e44980e51485db1a4e1e62b3db0d00d2bec10 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Felix=20D=C3=B6rre?= Date: Sun, 24 Aug 2014 11:25:44 +0200 Subject: [PATCH] UPD: For privacy do not disclose target userid ( or name/dob by userid) --- src/org/cacert/gigi/pages/wot/AssurePage.java | 41 ++++++------------- .../cacert/gigi/pages/wot/AssureeSearch.templ | 2 +- .../cacert/gigi/pages/wot/TestAssurance.java | 21 +++++----- 3 files changed, 24 insertions(+), 40 deletions(-) diff --git a/src/org/cacert/gigi/pages/wot/AssurePage.java b/src/org/cacert/gigi/pages/wot/AssurePage.java index 28b3f4e9..3aa41350 100644 --- a/src/org/cacert/gigi/pages/wot/AssurePage.java +++ b/src/org/cacert/gigi/pages/wot/AssurePage.java @@ -39,16 +39,9 @@ public class AssurePage extends Page { PrintWriter out = resp.getWriter(); String pi = req.getPathInfo().substring(PATH.length()); - if (pi.length() > 1) { - int mid = Integer.parseInt(pi.substring(1)); - AssuranceForm form = new AssuranceForm(req, mid); - outputForm(req, out, mid, form); - - } else { - HashMap vars = new HashMap(); - vars.put("DoB", ds); - t.output(out, getLanguage(req), vars); - } + HashMap vars = new HashMap(); + vars.put("DoB", ds); + t.output(out, getLanguage(req), vars); } @Override @@ -61,16 +54,13 @@ public class AssurePage extends Page { } } - private void outputForm(HttpServletRequest req, PrintWriter out, int mid, AssuranceForm form) { + private void outputForm(HttpServletRequest req, PrintWriter out, AssuranceForm form) { User myself = LoginPage.getUser(req); - AssuranceResult check = Notary.checkAssuranceIsPossible(myself, new User(mid)); + AssuranceResult check = Notary.checkAssuranceIsPossible(myself, form.getAssuree()); if (check != AssuranceResult.ASSURANCE_SUCCEDED) { out.println(translate(req, check.getMessage())); return; } - if (form == null || form.getAssuree().getId() != mid) { - form = new AssuranceForm(req, mid); - } form.output(out, getLanguage(req), new HashMap()); } 
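Review bot: The context line `String pi = req.getPathInfo().substring(PATH.length());` just above the new block is now dead code, since nothing in doGet reads `pi` once the path-id branch is gone, and it is the one place left on the GET path that throws a NullPointerException when getPathInfo() returns null (no extra path after the servlet mapping). Drop that line together with the removed branch. The added `HashMap vars = new HashMap();` is a raw type; if the template's output signature takes a parameterised map, `Map<String, Object> vars = new HashMap<>();` would let the compiler check the `"DoB"` entry.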
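Review bot: outputForm now dereferences `form` unconditionally and trusts `form.getAssuree()` as the target, since the `form == null || getId() != mid` fallback is gone; both callers in this commit pass a non-null form built from the session or the search result, but the method no longer states that contract anywhere. A short Javadoc would pin it: `/** Renders {@code form} for its assuree after Notary has confirmed that the logged-in user may assure them; {@code form} must be non-null and already bound to a resolved assuree. */`. Whether checkAssuranceIsPossible also rejects self-assurance is not visible here, so the caller-side checks should not be dropped on that assumption.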
@@ -78,23 +68,12 @@ public class AssurePage extends Page { @Override public void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException { PrintWriter out = resp.getWriter(); - String pi = req.getPathInfo().substring(PATH.length()); - if (pi.length() > 1) { - User myself = getUser(req); - int mid = Integer.parseInt(pi.substring(1)); - if (mid == myself.getId()) { - out.println(translate(req, "Cannot assure myself.")); - return; - } - + if (req.getParameter("search") == null) { AssuranceForm form = Form.getForm(req, AssuranceForm.class); - if (mid != form.getAssuree().getId()) { - return; - } if (form.submit(out, req)) { out.println(translate(req, "Assurance complete.")); } else { - outputForm(req, resp.getWriter(), mid, form); + outputForm(req, resp.getWriter(), form); } return; @@ -116,8 +95,12 @@ public class AssurePage extends Page { } else { if (verified == 0) { out.println(translate(req, "User is not yet verified. Please try again in 24 hours!")); + } else if (getUser(req).getId() == id) { + + } else { + AssuranceForm form = new AssuranceForm(req, id); + outputForm(req, out, form); } - resp.sendRedirect(PATH + "/" + id); } } else { out.print("
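Review bot: With the path check gone, `Form.getForm(req, AssuranceForm.class)` is the sole source of the assuree, and a POST that arrives without a preceding search (no form in the session, or one that has expired) reaches `form.submit(out, req)` unguarded; if getForm returns null in that case, the result is a NullPointerException and a 500 instead of a clean message. A guard before the submit, e.g. `if (form == null) { out.println(translate(req, "Please search for the assuree first.")); return; }`, keeps the failure user-visible (message text is a placeholder). The "Cannot assure myself." check that this hunk removes now has to be covered on the search path, which is worth verifying in the next hunk. doPost continues past the end of this hunk.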
"); diff --git a/src/org/cacert/gigi/pages/wot/AssureeSearch.templ b/src/org/cacert/gigi/pages/wot/AssureeSearch.templ index 281c472e..37994223 100644 --- a/src/org/cacert/gigi/pages/wot/AssureeSearch.templ +++ b/src/org/cacert/gigi/pages/wot/AssureeSearch.templ @@ -16,7 +16,7 @@ - + diff --git a/tests/org/cacert/gigi/pages/wot/TestAssurance.java b/tests/org/cacert/gigi/pages/wot/TestAssurance.java index 55e0c6d9..3db48d65 100644 --- a/tests/org/cacert/gigi/pages/wot/TestAssurance.java +++ b/tests/org/cacert/gigi/pages/wot/TestAssurance.java @@ -46,23 +46,23 @@ public class TestAssurance extends ManagedTest { @Test public void testAssureSearch() throws IOException { String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1910"); - assertTrue(loc, loc.endsWith(AssurePage.PATH + "/" + assuree)); + assertTrue(loc, loc.contains("type=\"checkbox\" name=\"CCAAgreed\"")); } @Test public void testAssureSearchEmail() throws IOException { String loc = search("email=1" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1910"); - assertNull(loc); + assertTrue(loc, !loc.contains("type=\"checkbox\" name=\"CCAAgreed\"")); } @Test public void testAssureSearchDob() throws IOException { String loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=2&month=1&year=1910"); - assertNull(loc); + assertTrue(loc, !loc.contains("type=\"checkbox\" name=\"CCAAgreed\"")); loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=2&year=1910"); - assertNull(loc); + assertTrue(loc, !loc.contains("type=\"checkbox\" name=\"CCAAgreed\"")); loc = search("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1911"); - assertNull(loc); + assertTrue(loc, !loc.contains("type=\"checkbox\" name=\"CCAAgreed\"")); } private String search(String query) throws MalformedURLException, IOException, UnsupportedEncodingException { 
@@ -70,11 +70,10 @@ public class TestAssurance extends ManagedTest { URLConnection uc = u.openConnection(); uc.setDoOutput(true); uc.addRequestProperty("Cookie", cookie); - uc.getOutputStream().write((query).getBytes()); + uc.getOutputStream().write(("search&" + query).getBytes()); uc.getOutputStream().flush(); - String loc = uc.getHeaderField("Location"); - return loc; + return IOUtils.readURL(uc); } @Test @@ -162,7 +161,6 @@ public class TestAssurance extends ManagedTest { assertTrue(resp.contains(uniqueLoc)); } - @Test public void testAssurerListingValid() throws IOException { String uniqueLoc = createUniqueName(); @@ -185,9 +183,12 @@ public class TestAssurance extends ManagedTest { } private URLConnection buildupAssureFormConnection(boolean doCSRF) throws MalformedURLException, IOException { - URL u = new URL("https://" + getServerName() + AssurePage.PATH + "/" + assuree); + URL u = new URL("https://" + getServerName() + AssurePage.PATH); URLConnection uc = u.openConnection(); uc.addRequestProperty("Cookie", cookie); + uc.setDoOutput(true); + uc.getOutputStream().write(("email=" + URLEncoder.encode(assureeM, "UTF-8") + "&day=1&month=1&year=1910&search").getBytes()); + String csrf = getCSRF(uc); uc = u.openConnection(); uc.addRequestProperty("Cookie", cookie); -- 2.39.2
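Review bot: `("search&" + query).getBytes()` encodes the request body with the platform default charset while `query` was built with `URLEncoder.encode(..., "UTF-8")`; writing `("search&" + query).getBytes("UTF-8")` keeps the two consistent, and search() already declares UnsupportedEncodingException so the signature does not change. The same default-charset `getBytes()` appears in the new write in buildupAssureFormConnection in the last hunk of this file. The output stream is also obtained twice and never closed, which predates this change but is worth fixing while the lines are being touched.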
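Review bot: Removing `@Test` from testAssurerListingValid silently disables the test instead of fixing or deleting it, and nothing in the commit message says why. If the test is broken by the new search-based flow, `@Ignore("reason")` with the reason, or an outright deletion, makes the intent reviewable; if it still passes, the annotation should stay.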
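Review bot: The search body written on the first connection in buildupAssureFormConnection is never flushed or closed before `getCSRF(uc)` is called; presumably getCSRF reads the response and that forces the request out, but an explicit `uc.getOutputStream().flush();` after the write, as search() does, removes the reliance on that ordering. The helper then opens a second connection to the same URL, so the test depends on the session cookie carrying the form created by the search; a comment stating that would explain why the search POST precedes the CSRF fetch. The method continues past the end of this hunk.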