control on invalid group id and user added on addAdmin

lucio 2020-01-30 11:18:35 +01:00
parent b9d62994f9
commit 0711d8a702
1 changed files with 14 additions and 5 deletions


@ -4,6 +4,7 @@ import java.security.Principal;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Objects;
import javax.inject.Inject; import javax.inject.Inject;
import javax.jcr.Node; import javax.jcr.Node;
@ -211,7 +212,8 @@ public class GroupManager {
JackrabbitSession session = null; JackrabbitSession session = null;
try { try {
Objects.nonNull(groupId);
Objects.nonNull(userId);
if (!isInfraManager() && !isValidGroupForContext(groupId) ) if (!isInfraManager() && !isValidGroupForContext(groupId) )
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation"); throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
@ -224,6 +226,11 @@ public class GroupManager {
Group group = (Group)usrManager.getAuthorizable(groupId); Group group = (Group)usrManager.getAuthorizable(groupId);
User authUser = (User)usrManager.getAuthorizable(userId); User authUser = (User)usrManager.getAuthorizable(userId);
if (group ==null)
throw new InvalidCallParameters("invalid group "+groupId);
if (authUser ==null)
throw new InvalidCallParameters("invalid user "+userId);
if (!group.isMember(authUser)) if (!group.isMember(authUser))
throw new InvalidCallParameters("user "+userId+" is not in the group "+groupId); throw new InvalidCallParameters("user "+userId+" is not in the group "+groupId);
@ -239,7 +246,7 @@ public class GroupManager {
}catch(StorageHubException she ){ }catch(StorageHubException she ){
log.error(she.getErrorMessage(), she); log.error(she.getErrorMessage(), she);
GXOutboundErrorResponse.throwException(she, Response.Status.fromStatusCode(she.getStatus())); GXOutboundErrorResponse.throwException(she, Response.Status.fromStatusCode(she.getStatus()));
}catch(RepositoryException re ){ }catch(Throwable re ){
log.error("adding admin to VREFolder", re); log.error("adding admin to VREFolder", re);
GXOutboundErrorResponse.throwException(new BackendGenericError("jcr error adding admin to VREFolder", re)); GXOutboundErrorResponse.throwException(new BackendGenericError("jcr error adding admin to VREFolder", re));
} finally { } finally {
@ -259,10 +266,12 @@ public class GroupManager {
JackrabbitSession session = null; JackrabbitSession session = null;
try { try {
Objects.nonNull(groupId);
Objects.nonNull(userId);
if (!isValidGroupForContext(groupId) && !isInfraManager()) if (!isValidGroupForContext(groupId) && !isInfraManager())
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation"); throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -283,7 +292,7 @@ public class GroupManager {
}catch(StorageHubException she ){ }catch(StorageHubException she ){
log.error(she.getErrorMessage(), she); log.error(she.getErrorMessage(), she);
GXOutboundErrorResponse.throwException(she, Response.Status.fromStatusCode(she.getStatus())); GXOutboundErrorResponse.throwException(she, Response.Status.fromStatusCode(she.getStatus()));
}catch(RepositoryException re ){ }catch(Throwable re ){
log.error("jcr error creating item", re); log.error("jcr error creating item", re);
GXOutboundErrorResponse.throwException(new BackendGenericError("jcr error creating item", re)); GXOutboundErrorResponse.throwException(new BackendGenericError("jcr error creating item", re));
}finally { }finally {
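Review bot: The added `Objects.nonNull(groupId);` and `Objects.nonNull(userId);` statements (in the hunk at -211 and again at -259) have no effect, because `Objects.nonNull` is a predicate that returns a boolean and the result is discarded, so a null id still reaches `isValidGroupForContext(groupId)` and `getAuthorizable(...)`. Since the authorization decision is keyed on `groupId`, reject nulls explicitly before it, for example `if (groupId == null || userId == null) throw new InvalidCallParameters("groupId and userId are required");`, which the existing `StorageHubException` handler would presumably turn into a client error (this assumes `InvalidCallParameters` is a `StorageHubException`, as its use inside these try blocks suggests). Switching to `Objects.requireNonNull` alone would not be enough, because the new `catch(Throwable re)` would report the resulting NullPointerException as "jcr error ..." and also traps JVM `Error`s; `catch(Exception re)` with a message that does not claim a JCR failure would be narrower. Both method bodies start and end outside the visible hunks, so any earlier validation is not visible here.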