From 7f0229055197cf353db26e61b1f5d84ddf5b58df Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Fri, 4 Dec 2015 13:00:35 +0100
Subject: [PATCH] upd: restrict permissions of org "master" admin on organisation

---
 .../cacert/gigi/dbObjects/Organisation.java | 2 +-
 src/org/cacert/gigi/dbObjects/User.java | 6 ++++-
 src/org/cacert/gigi/pages/orga/EditOrg.templ | 6 ++---
 .../cacert/gigi/pages/orga/ViewOrgPage.java | 25 +++++++++++++------
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/src/org/cacert/gigi/dbObjects/Organisation.java b/src/org/cacert/gigi/dbObjects/Organisation.java
index 6b5b28f4..ae99b115 100644
--- a/src/org/cacert/gigi/dbObjects/Organisation.java
+++ b/src/org/cacert/gigi/dbObjects/Organisation.java
@@ -109,7 +109,7 @@ public class Organisation extends CertificateOwner {
 if (co instanceof Organisation) {
 return (Organisation) co;
 }
- return null;
+ throw new IllegalArgumentException("Organisation not found.");
 }
 
 public synchronized void addAdmin(User admin, User actor, boolean master) throws GigiApiException {
diff --git a/src/org/cacert/gigi/dbObjects/User.java b/src/org/cacert/gigi/dbObjects/User.java
index 55e567f5..e6f06921 100644
--- a/src/org/cacert/gigi/dbObjects/User.java
+++ b/src/org/cacert/gigi/dbObjects/User.java
@@ -409,8 +409,12 @@ public class User extends CertificateOwner {
 }
 
 public List getOrganisations() {
+ return getOrganisations(false);
+ }
+
+ public List getOrganisations(boolean isAdmin) {
 List orgas = new ArrayList<>();
- try (GigiPreparedStatement query = new GigiPreparedStatement("SELECT `orgid` FROM `org_admin` WHERE `memid`=? AND `deleted` IS NULL")) {
+ try (GigiPreparedStatement query = new GigiPreparedStatement("SELECT `orgid` FROM `org_admin` WHERE `memid`=? AND `deleted` IS NULL" + (isAdmin ? " AND master='y'" : ""))) {
 query.setInt(1, getId());
 try (GigiResultSet res = query.executeQuery()) {
 while (res.next()) {
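Review bot: Replacing `return null;` with `throw new IllegalArgumentException(...)` changes the contract of `getById` for every caller, and only `ViewOrgPage` is adapted in this patch; any other caller that still tests the result for `null` (none is visible here) would now surface an unhandled runtime exception for a missing id, or for an id that resolves to a non-`Organisation` owner since `co` fails the `instanceof` check, instead of a "not found" path. The method signature sits above the hunk, so the new behaviour should be documented there, e.g. `@throws IllegalArgumentException if no organisation with this id exists or the id belongs to another kind of CertificateOwner`. A dedicated unchecked exception type would also let callers catch this case without also catching unrelated argument errors.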
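Review bot: The flag name `isAdmin` on the new `getOrganisations(boolean)` overload is misleading: every `org_admin` row is an admin, and `true` actually narrows the result to rows with `master='y'`. A Javadoc on the overload would make that explicit, e.g. `/** Lists the organisations this user administers; with {@code isAdmin} true only those where the user is a master admin ({@code master='y'}) are returned. */`. The SQL is assembled by concatenating a fragment selected from a boolean, which is not an injection risk here because no caller-controlled text is inserted, but two named constant query strings would keep the SQL greppable and avoid establishing a concatenation pattern. The body of the method continues below the hunk.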
diff --git a/src/org/cacert/gigi/pages/orga/EditOrg.templ b/src/org/cacert/gigi/pages/orga/EditOrg.templ
index 1971bb79..eaaa93f2 100644
--- a/src/org/cacert/gigi/pages/orga/EditOrg.templ
+++ b/src/org/cacert/gigi/pages/orga/EditOrg.templ
@@ -1,5 +1,5 @@
-
-
+
+


-
\ No newline at end of file
+
diff --git a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
index 9e470240..815a2ceb 100644
--- a/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
+++ b/src/org/cacert/gigi/pages/orga/ViewOrgPage.java
@@ -34,7 +34,7 @@ public class ViewOrgPage extends Page {
 
 @Override
 public boolean isPermitted(AuthorizationContext ac) {
- return ac != null && (ac.isInGroup(CreateOrgPage.ORG_ASSURER) || ac.getActor().getOrganisations().size() != 0);
+ return ac != null && (ac.isInGroup(CreateOrgPage.ORG_ASSURER) || ac.getActor().getOrganisations(true).size() != 0);
 }
 
 @Override
@@ -74,7 +74,7 @@ public class ViewOrgPage extends Page {
 if (idS.length() < DEFAULT_PATH.length() + 2) {
 final Organisation[] orgas = Organisation.getOrganisations(0, 30);
 HashMap map = new HashMap<>();
- final List myOrgs = u.getOrganisations();
+ final List myOrgs = u.getOrganisations(true);
 final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
 if (orgAss) {
 map.put("orgas", makeOrgDataset(orgas));
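Review bot: `isPermitted` spells its non-empty check as `.size() != 0`; the idiomatic form is `return ac != null && (ac.isInGroup(CreateOrgPage.ORG_ASSURER) || !ac.getActor().getOrganisations(true).isEmpty());`. A one-line comment above the method stating the rule it now encodes would also help readers who do not follow the `getOrganisations(true)` call into `User`, e.g. `// Reachable by org assurers and by users holding a master admin row for at least one organisation.` The method lies entirely within the first hunk of this file.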
@@ -86,17 +86,28 @@ public class ViewOrgPage extends Page {
 }
 idS = idS.substring(DEFAULT_PATH.length() + 1);
 int id = Integer.parseInt(idS);
- Organisation o = Organisation.getById(id);
+ Organisation o;
+ try {
+ o = Organisation.getById(id);
+ } catch (IllegalArgumentException e) {
+ resp.sendError(404);
+ return;
+ }
 final List myOrgs = u.getOrganisations();
 final boolean orgAss = u.isInGroup(CreateOrgPage.ORG_ASSURER);
- if (o == null || ( !orgAss && !myOrgs.contains(o))) {
+ if ( !orgAss && !myOrgs.contains(o)) {
 resp.sendError(404);
 return;
 }
 HashMap vars = new HashMap<>();
- vars.put("editForm", new CreateOrgForm(req, o));
- vars.put("affForm", new AffiliationForm(req, o));
- vars.put("addDom", new OrgDomainAddForm(req, o));
+ if (orgAss) {
+ vars.put("editForm", new CreateOrgForm(req, o));
+ vars.put("affForm", new AffiliationForm(req, o));
+ vars.put("addDom", new OrgDomainAddForm(req, o));
+ } else {
+ vars.put("affForm", new AffiliationForm(req, o));
+ vars.put("orgName", o.getName());
+ }
 mainTempl.output(out, lang, vars);
 }
 
-- 
2.39.2
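Review bot: The per-organisation ownership check `!myOrgs.contains(o)` still uses the unrestricted `u.getOrganisations()` while `isPermitted` and the listing branch now use `getOrganisations(true)`, so a user who is master admin of one organisation but an ordinary admin of another passes the page gate and can open the second organisation's page, where the new `else` branch hands them its `AffiliationForm`. If the intent of the patch is that only master admins reach this view, the line should read `final List myOrgs = u.getOrganisations(true);` to match the other two call sites. Separately, `int id = Integer.parseInt(idS);` sits just outside the new `try`; because `NumberFormatException` is a subclass of `IllegalArgumentException`, moving that line inside the `try` would turn a malformed id into the same 404 instead of an unhandled exception. The enclosing request handler starts above the hunk, and whether the POST path applies the same ownership check is not visible here.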