From: <hei...@us...> - 2011-05-04 14:06:29
Revision: 7673
http://geonetwork.svn.sourceforge.net/geonetwork/?rev=7673&view=rev
Author: heikkidoeleman
Date: 2011-05-04 14:06:18 +0000 (Wed, 04 May 2011)
Log Message:
-----------
#503 Security hole in metadata insert
Modified Paths:
--------------
trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java
Modified: trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java
===================================================================
--- trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java 2011-05-04 14:05:04 UTC (rev 7672)
+++ trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java 2011-05-04 14:06:18 UTC (rev 7673)
@@ -33,6 +33,7 @@
 import org.fao.geonet.GeonetContext;
 import org.fao.geonet.constants.Geonet;
 import org.fao.geonet.constants.Params;
+import org.fao.geonet.exceptions.UnAuthorizedException;
 import org.fao.geonet.kernel.DataManager;
 import org.fao.geonet.lib.Lib;
 import org.fao.geonet.util.ISODate;
@@ -405,17 +406,24 @@
 }
 try {
- if (dm.existsMetadataUuid(dbms, uuid)
- && !uuidAction.equals(Params.NOTHING)) {
- dm.deleteMetadata(dbms, dm.getMetadataId(dbms, uuid));
- Log.debug(Geonet.MEF, "Deleting existing metadata with UUID : "
- + uuid);
+ if (dm.existsMetadataUuid(dbms, uuid) && !uuidAction.equals(Params.NOTHING)) {
+ // user has privileges to replace the existing metadata
+ if(dm.getAccessManager().canEdit(context, dm.getMetadataId(dbms, uuid))) {
+ dm.deleteMetadata(dbms, dm.getMetadataId(dbms, uuid));
+ Log.debug(Geonet.MEF, "Deleting existing metadata with UUID : " + uuid);
+ }
+ // user does not hav privileges to replace the existing metadata
+ else {
+ throw new UnAuthorizedException("User has no privilege to replace existing metadata", null);
+ }
 }
- } catch (Exception e) {
- throw new Exception(
- " Existing metadata with same UUID could not be deleted.");
 }
+ catch (Exception e) {
+ throw new Exception(" Existing metadata with same UUID could not be deleted.");
+ }
+
+ Log.debug(Geonet.MEF, "Adding metadata with uuid:" + uuid);
 // Try to insert record with localId provided, if not use a new id.
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
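Review bot: The UnAuthorizedException thrown in the new else branch is caught by the `catch (Exception e)` a few lines below it and replaced with a generic `Exception(" Existing metadata with same UUID could not be deleted.")`, so the caller never sees the authorization failure, its cause is dropped, and a denied user presumably gets a misleading "could not be deleted" error instead of whatever response the UnAuthorizedException type is meant to trigger. Add a narrower catch ahead of the generic one, `catch (UnAuthorizedException e) { throw e; }`, and keep the cause on the generic rethrow, `throw new Exception(" Existing metadata with same UUID could not be deleted.", e);`. The comment on the else branch also has a typo, `hav` for `have`. The enclosing method starts and ends outside this hunk.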