[GeoNetwork-commit] SF.net SVN: geonetwork:[7673] trunk/web/src/main/java/org/fao/geonet/kernel /me

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Revision: 7673
          http://geonetwork.svn.sourceforge.net/geonetwork/?rev=7673&view=rev
Author:   heikkidoeleman
Date:     2011-05-04 14:06:18 +0000 (Wed, 04 May 2011)

Log Message:
-----------
#503 Security hole in metadata insert

Modified Paths:
--------------
    trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java

Modified: trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java
===================================================================

--- trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java	2011-05-04 14:05:04 UTC (rev 7672)
+++ trunk/web/src/main/java/org/fao/geonet/kernel/mef/Importer.java	2011-05-04 14:06:18 UTC (rev 7673)
@@ -33,6 +33,7 @@
 import org.fao.geonet.GeonetContext;
 import org.fao.geonet.constants.Geonet;
 import org.fao.geonet.constants.Params;
+import org.fao.geonet.exceptions.UnAuthorizedException;
 import org.fao.geonet.kernel.DataManager;
 import org.fao.geonet.lib.Lib;
 import org.fao.geonet.util.ISODate;
@@ -405,17 +406,24 @@
 		}
 
 		try {
-			if (dm.existsMetadataUuid(dbms, uuid)
-					&& !uuidAction.equals(Params.NOTHING)) {
-				dm.deleteMetadata(dbms, dm.getMetadataId(dbms, uuid));
-				Log.debug(Geonet.MEF, "Deleting existing metadata with UUID : "
-						+ uuid);
+			if (dm.existsMetadataUuid(dbms, uuid) && !uuidAction.equals(Params.NOTHING)) {
+                // user has privileges to replace the existing metadata
+                if(dm.getAccessManager().canEdit(context, dm.getMetadataId(dbms, uuid))) {
+                    dm.deleteMetadata(dbms, dm.getMetadataId(dbms, uuid));
+                    Log.debug(Geonet.MEF, "Deleting existing metadata with UUID : " + uuid);
+                }
+                // user does not hav privileges to replace the existing metadata
+                else {
+                    throw new UnAuthorizedException("User has no privilege to replace existing metadata", null);
+                }
 			}
-		} catch (Exception e) {
-			throw new Exception(
-					" Existing metadata with same UUID could not be deleted.");
 		}
+        catch (Exception e) {
+			throw new Exception(" Existing metadata with same UUID could not be deleted.");
+		}
 
+
+
 		Log.debug(Geonet.MEF, "Adding metadata with uuid:" + uuid);
 		
 		// Try to insert record with localId provided, if not use a new id.


This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.




[GeoNetwork-commit] SF.net SVN: geonetwork:[7673] trunk/web/src/main/java/org/fao/geonet/kernel /me

[GeoNetwork-commit] SF.net SVN: geonetwork:[7673] trunk/web/src/main/java/org/fao/geonet/kernel /mef/Importer.java