From: <tre...@us...> - 2007-09-06 13:16:20
Revision: 373
http://ogoglio.svn.sourceforge.net/ogoglio/?rev=373&view=rev
Author: trevorolio
Date: 2007-09-06 06:16:21 -0700 (Thu, 06 Sep 2007)
Log Message:
-----------
Improved the account checks when accepting or denying space modifications via the web API.
Avoided a null pointer exception in populate mojo when the populate dir was not configured.
Modified Paths:
--------------
maven/trunk/ogoglio-server/src/main/java/com/ogoglio/persist/SpacePersistTasks.java
maven/trunk/ogoglio-server/src/main/java/com/ogoglio/sim/site/SimServlet.java
maven/trunk/ogoglio-server/src/main/java/com/ogoglio/site/SpaceServlet.java
Property Changed:
----------------
maven/trunk/ogoglio-server/
Property changes on: maven/trunk/ogoglio-server
___________________________________________________________________
Name: svn:ignore
-
target
mailTestFiles
tomcat5x.*
+
target
mailTestFiles
tomcat5x.*
velocity.log
Modified: maven/trunk/ogoglio-server/src/main/java/com/ogoglio/persist/SpacePersistTasks.java
===================================================================
--- maven/trunk/ogoglio-server/src/main/java/com/ogoglio/persist/SpacePersistTasks.java 2007-09-06 13:16:17 UTC (rev 372)
+++ maven/trunk/ogoglio-server/src/main/java/com/ogoglio/persist/SpacePersistTasks.java 2007-09-06 13:16:21 UTC (rev 373)
@@ -23,6 +23,7 @@
import com.ogoglio.appdev.persist.PersistException;
import com.ogoglio.xml.PossessionDocument;
import com.ogoglio.xml.SpaceDocument;
+import com.ogoglio.xml.SpaceMemberDocument;
public class SpacePersistTasks {
@@ -77,6 +78,7 @@
task.setSessionFactory(sessionFactory);
return (SpaceRecord) task.execute();
}
+
public static SpaceRecord[] findAllSpaces(SessionFactory sessionFactory) throws PersistException {
HibernateTask task = new HibernateTask() {
public Object run(Session hibernateSession) {
@@ -86,7 +88,7 @@
};
task.setSessionFactory(sessionFactory);
return (SpaceRecord[]) task.execute();
- }
+ }
public static SpaceRecord[] findSpacesByOwnerUsername(final String ownerUsername, final SessionFactory sessionFactory) throws PersistException {
HibernateTask task = new HibernateTask() {
@@ -182,7 +184,7 @@
Query possQuery = session.getNamedQuery(PossessionPersistTasks.POSSESSIONS_BY_SPACE_ID);
possQuery.setLong("spaceID", record.getSpaceID());
//??? Should this been done here?
- PossessionRecord[] possessionRecords = (PossessionRecord[])possQuery.list().toArray(new PossessionRecord[0]);
+ PossessionRecord[] possessionRecords = (PossessionRecord[]) possQuery.list().toArray(new PossessionRecord[0]);
for (int i = 0; i < possessionRecords.length; i++) {
possessionRecords[i].setSpaceID(PossessionDocument.NO_SPACE);
possessionRecords[i].setThingID(PossessionDocument.NO_THING);
@@ -192,7 +194,7 @@
return Boolean.TRUE;
}
};
-
+
task.setSessionFactory(sessionFactory);
return Boolean.TRUE == task.execute();
}
@@ -219,8 +221,7 @@
}
if (account != null) {
- if (account.isFrozen()) {
- //if (account.getFrozenUntil() != null && account.getFrozenUntil().getTime() > System.currentTimeMillis()) {
+ if (account.isFrozen()) {
return Boolean.FALSE;
}
@@ -249,4 +250,49 @@
task.setSessionFactory(sessionFactory);
return ((Boolean) task.execute()) == Boolean.TRUE;
}
+
+ public static boolean canWriteSpace(final AccountRecord account, final long spaceID, SessionFactory sessionFactory) throws PersistException {
+ if (account == null) { //happens for guests, who can never write
+ return false;
+ }
+ if(account.isFrozen()){ //tsk tsk
+ return false;
+ }
+
+ HibernateTask task = new HibernateTask() {
+ public Object run(Session hibernateSession) {
+ Query query = hibernateSession.getNamedQuery(SPACE_BY_SPACE_ID);
+ query.setLong("spaceID", spaceID);
+ SpaceRecord space = (SpaceRecord) query.uniqueResult();
+ if (space == null) {
+ return Boolean.FALSE;
+ }
+
+ if (account.getUsername().equals(space.getOwnerUsername())) {
+ return Boolean.TRUE;
+ }
+
+ if (!space.isPublished()) {
+ return Boolean.FALSE;
+ }
+
+ Query membersQuery = hibernateSession.getNamedQuery(SpaceMemberPersistTasks.SPACE_MEMBERS_BY_SPACE_ID);
+ membersQuery.setLong("spaceID", spaceID);
+ SpaceMemberRecord[] members = (SpaceMemberRecord[]) membersQuery.list().toArray(new SpaceMemberRecord[0]);
+
+ for (int i = 0; i < members.length; i++) {
+ if (account.getUsername().equals(members[i].getMemberUsername())) {
+ if(members[i].getRole() == SpaceMemberDocument.BUILDER_ROLE || members[i].getRole() == SpaceMemberDocument.EDITOR_ROLE){
+ return Boolean.TRUE;
+ }
+ return Boolean.FALSE;
+ }
+ }
+
+ return Boolean.FALSE;
+ }
+ };
+ task.setSessionFactory(sessionFactory);
+ return ((Boolean) task.execute()) == Boolean.TRUE;
+ }
}
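Review bot: canWriteSpace grants write access to a member on role alone (the BUILDER_ROLE/EDITOR_ROLE test inside the loop) without consulting the member record's banned state, even though the SpaceServlet hunk in this same commit shows members carry one (`createSpaceMember(spaceID, newMemberDoc.getMemberUsername(), newMemberDoc.isBanned(), ...)`); if a banned member can still hold one of those roles, the check should reject them before the role test. The `==` comparisons on `members[i].getRole()` are only correct if the role is a primitive or an interned constant — if it is a String, use `equals`. A public authorization method deserves a Javadoc stating the rule it implements: guests and frozen accounts never write, the owner always may, and otherwise only builder/editor members of a published space. That last clause also means a builder cannot work on a space before it is published, which is worth confirming as intended.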
Modified: maven/trunk/ogoglio-server/src/main/java/com/ogoglio/sim/site/SimServlet.java
===================================================================
--- maven/trunk/ogoglio-server/src/main/java/com/ogoglio/sim/site/SimServlet.java 2007-09-06 13:16:17 UTC (rev 372)
+++ maven/trunk/ogoglio-server/src/main/java/com/ogoglio/sim/site/SimServlet.java 2007-09-06 13:16:21 UTC (rev 373)
@@ -43,6 +43,7 @@
import com.ogoglio.sim.script.ScriptHTTPRequest;
import com.ogoglio.sim.script.ScriptHTTPResponse;
import com.ogoglio.site.AuthServlet;
+import com.ogoglio.site.AuthenticatedSiteResource;
import com.ogoglio.site.OgoglioServletBase;
import com.ogoglio.site.SpaceServlet;
import com.ogoglio.util.Log;
@@ -90,7 +91,7 @@
public void destroy() {
super.destroy();
sim.cleanup();
- Log.info("Destroy called on SimServlet. Cleaning up sim...");
+ Log.info("Destroy called on SimServlet. Cleaning up sim...");
}
public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
@@ -209,15 +210,15 @@
}
public void doDelete(HttpServletRequest request, HttpServletResponse response, String[] pathElementsauthedAccount) throws ServletException, IOException {
- long spaceID = Long.parseLong(pathElementsauthedAccount[pathElementsauthedAccount.length-1]);
-
- SpaceSimulator spaceSim = sim.getOrCreateSpaceSimulator(spaceID);
- spaceSim.setDeleted();
- sim.shutdownSpaceSim(spaceID);
- response.setStatus(HttpServletResponse.SC_OK);
- response.setContentLength(0);
- return;
- }
+ long spaceID = Long.parseLong(pathElementsauthedAccount[pathElementsauthedAccount.length - 1]);
+
+ SpaceSimulator spaceSim = sim.getOrCreateSpaceSimulator(spaceID);
+ spaceSim.setDeleted();
+ sim.shutdownSpaceSim(spaceID);
+ response.setStatus(HttpServletResponse.SC_OK);
+ response.setContentLength(0);
+ return;
+ }
}
private class SettingsResource extends SiteResource {
@@ -760,9 +761,19 @@
public void doGet(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
doScriptService(request, response, pathElements);
}
-
+
public void doPost(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
- doScriptService(request, response, pathElements);
+ try {
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if (authedAccount == null) {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ doScriptService(request, response, pathElements);
+ } catch (PersistException e) {
+ e.printStackTrace();
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
+ }
}
public void doScriptService(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
@@ -774,39 +785,33 @@
return;
}
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount == null) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
SpaceSimulator simulator = sim.getOrCreateSpaceSimulator(spaceRecord);
long thingID = Long.parseLong(pathElements[4]);
ThingDocument thingDoc = simulator.getThingDocument(thingID);
- if(thingDoc == null){
+ if (thingDoc == null) {
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
return;
}
-
+
Map parameterMap = request.getParameterMap();
//Tomcat is f'ing broken in that if there are no parameters it actually adds one with the key String "null" and a "" value: TFS
- if(parameterMap.size() == 1 && (parameterMap.containsKey("null"))){
+ if (parameterMap.size() == 1 && (parameterMap.containsKey("null"))) {
parameterMap = new HashMap();
}
ScriptHTTPResponse scriptResponse = simulator.callThingHTTPService(thingID, request.getMethod(), parameterMap);
response.setStatus(scriptResponse.getStatus());
- if(scriptResponse.getStatus() != 200){
+ if (scriptResponse.getStatus() != 200) {
return;
}
sendStringResponse(scriptResponse.getMessage(), scriptResponse.getMIMEType(), response);
- } catch (PersistException e){
+ } catch (PersistException e) {
e.printStackTrace();
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
- }
+ }
}
-
+
private class ThingResource extends SiteResource {
public ThingResource() {
@@ -825,7 +830,7 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount != null && !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount != null && !SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
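Review bot: The new condition `authedAccount != null && !SpacePersistTasks.canWriteSpace(...)` lets a request with no authenticated account through, because the null test short-circuits before canWriteSpace — which itself already returns false for a null account — is ever consulted; the same pattern is in the hunks at @@ -877 (doPost), @@ -930, @@ -980 (doDelete), @@ -1036 (doPost) and, with the owner comparison, @@ -1148. In the two doPost hunks the commit additionally removes the explicit `authedAccount == null` → SC_FORBIDDEN guard, so an unauthenticated caller that previously received 403 now reaches the ThingDocument/DoorDocument update. Unless SimServlet is reachable only through SpaceServlet's proxy, which performs its own canUseMethodOnSpace check, that is an authorization bypass; dropping the null guard gives the intended behaviour: `if (!SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {`. The enclosing method of this hunk starts and ends outside it.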
@@ -877,18 +882,18 @@
public void doPost(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
try {
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount == null) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
long requestedSpaceID = Long.parseLong(pathElements[pathElements.length - 3]);
SpaceRecord spaceRecord = SpacePersistTasks.findSpaceBySpaceID(requestedSpaceID, getSessionFactory());
if (spaceRecord == null) {
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
return;
}
+
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if (authedAccount != null && !SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
SpaceSimulator simulator = sim.getOrCreateSpaceSimulator(spaceRecord);
ThingDocument proposedDoc = new ThingDocument(parseXML(request.getInputStream()));
@@ -930,7 +935,7 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount != null && !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount != null && !SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -980,15 +985,14 @@
public void doDelete(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
try {
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
-
long requestedSpaceID = Long.parseLong(pathElements[2]);
SpaceRecord spaceRecord = SpacePersistTasks.findSpaceBySpaceID(requestedSpaceID, getSessionFactory());
if (spaceRecord == null) {
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
return;
}
- if (authedAccount != null && !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if (authedAccount != null && !SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -1036,18 +1040,19 @@
public void doPost(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws ServletException, IOException {
try {
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount == null) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
long requestedSpaceID = Long.parseLong(pathElements[2]);
SpaceRecord spaceRecord = SpacePersistTasks.findSpaceBySpaceID(requestedSpaceID, getSessionFactory());
if (spaceRecord == null) {
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
return;
}
+
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if (authedAccount != null && !SpacePersistTasks.canWriteSpace(authedAccount, requestedSpaceID, getSessionFactory())) {
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
SpaceSimulator simulator = sim.getOrCreateSpaceSimulator(spaceRecord);
DoorDocument proposedDoc = new DoorDocument(parseXML(request.getInputStream()));
@@ -1148,7 +1153,7 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount != null && !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
Modified: maven/trunk/ogoglio-server/src/main/java/com/ogoglio/site/SpaceServlet.java
===================================================================
--- maven/trunk/ogoglio-server/src/main/java/com/ogoglio/site/SpaceServlet.java 2007-09-06 13:16:17 UTC (rev 372)
+++ maven/trunk/ogoglio-server/src/main/java/com/ogoglio/site/SpaceServlet.java 2007-09-06 13:16:21 UTC (rev 373)
@@ -58,6 +58,7 @@
public static final String INCLUDE_CHILDREN_PARAM = "children";
private MessageProxy messageProxy = null;
+
public void init(ServletConfig config) throws ServletException {
super.init(config);
try {
@@ -102,7 +103,12 @@
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
-
+ String accountLevel = authedAccount.getAccountlevel();
+ if(!AccountDocument.ACCOUNT_LEVEL_ADMIN.equals(accountLevel) && !AccountDocument.ACCOUNT_LEVEL_ADVANCED.equals(accountLevel) && !AccountDocument.ACCOUNT_LEVEL_PRO.equals(accountLevel)){
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
XMLElement spaceElement = parseXML(request.getInputStream());
if (!SpaceDocument.NAME.equals(spaceElement.getName())) {
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
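Review bot: The three chained `equals` calls on `accountLevel` inline the privilege policy into the handler; a private helper such as `isPrivilegedLevel(String level)` in SpaceServlet, or a `static final Set<String>` of permitted levels built from `Arrays.asList(...)`, keeps the rule in one place and lets the condition read `if (!isPrivilegedLevel(accountLevel)) {`. A one-line comment stating why only ADMIN, ADVANCED and PRO accounts may perform this operation would also help, since the hunk gives no context for the rule. The enclosing method starts and ends outside the hunk.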
@@ -133,21 +139,20 @@
sendStringResponse(DocumentFactory.documentFromRecord(record).toElement().toString(), "text/xml", response);
}
-
public void doPost(HttpServletRequest request, HttpServletResponse response, String[] pathElements, AccountRecord authedAccount) throws PersistException, IOException {
- if(authedAccount == null || !AccountDocument.ACCOUNT_LEVEL_ADMIN.equals(authedAccount.getAccountlevel())) {
+ if (authedAccount == null || !AccountDocument.ACCOUNT_LEVEL_ADMIN.equals(authedAccount.getAccountlevel())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
ServiceStateDocument proposedDoc = new ServiceStateDocument(parseXML(request.getInputStream()));
ServiceStateRecord record = ServiceStateTasks.updateServiceState(proposedDoc, getSessionFactory());
- if(record == null) {
+ if (record == null) {
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
return;
}
sendStringResponse(DocumentFactory.documentFromRecord(record).toElement().toString(), "text/xml", response);
}
-}
+ }
private class SpaceResource extends AuthenticatedSiteResource {
public SpaceResource() {
@@ -191,7 +196,7 @@
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
+ if (!canUseMethodOnSpace(request.getMethod(), authedAccount, spaceRecord)) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -235,7 +240,7 @@
return;
}
- if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !spaceRecord.getOwnerUsername().equals(authedAccount.getUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -261,6 +266,15 @@
}
}
+ private boolean canUseMethodOnSpace(String method, AccountRecord authedAccount, SpaceRecord spaceRecord) throws PersistException {
+ if(("HEAD".equals(method) || "GET".equals(method))){
+ return SpacePersistTasks.canReadSpace(authedAccount, spaceRecord.getSpaceID(), getSessionFactory());
+ } else if("POST".equals(method) || "DELETE".equals(method) || "PUT".equals(method)){
+ return SpacePersistTasks.canWriteSpace(authedAccount, spaceRecord.getSpaceID(), getSessionFactory());
+ }
+ return false;
+ }
+
private class DoorsResource extends DescendingSiteResource { //NOTE this will proxy eveything below "door" in the URL space
public DoorsResource() {
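Review bot: canUseMethodOnSpace carries no comment stating its contract, which matters because it is now the single gate in front of every proxied space operation in this file. Suggested Javadoc: `Maps an HTTP method to the space permission it needs: HEAD/GET require canReadSpace, POST/PUT/DELETE require canWriteSpace; any other method is denied. authedAccount may be null (guest); spaceRecord must not be.` The deny-by-default `return false` for unlisted methods is the right shape and should be preserved if further methods are added; HTTP method names are case-sensitive, so the exact-match comparison is appropriate.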
@@ -289,11 +303,10 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (!canRead(authedAccount, spaceRecord)) {
+ if(!canUseMethodOnSpace(method, authedAccount, spaceRecord)){
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
-
SimRecord simRecord = SpacePersistTasks.findOrAssignSim(spaceRecord, getSessionFactory());
if (simRecord == null) {
Log.error("Could not assign a sim to space " + spaceRecord.getSpaceID());
@@ -349,7 +362,7 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (!canRead(authedAccount, spaceRecord)) {
+ if(!canUseMethodOnSpace(method, authedAccount, spaceRecord)){
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -385,10 +398,6 @@
}
}
- private boolean canRead(AccountRecord authedAccount, SpaceRecord spaceRecord) throws PersistException {
- return SpacePersistTasks.canReadSpace(authedAccount, spaceRecord.getSpaceID(), getSessionFactory());
- }
-
private class LogResource extends DescendingSiteResource { //NOTE this will proxy eveything below "log" in the URL space
public LogResource() {
@@ -397,12 +406,6 @@
public void doGet(HttpServletRequest request, HttpServletResponse response, String[] pathElements) throws IOException {
try {
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount == null) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
long spaceID = Long.parseLong(pathElements[1]);
SpaceRecord spaceRecord = SpacePersistTasks.findSpaceBySpaceID(spaceID, getSessionFactory());
if (spaceRecord == null) {
@@ -410,7 +413,8 @@
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if(!canUseMethodOnSpace(request.getMethod(), authedAccount, spaceRecord)){
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
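Review bot: Removing the `authedAccount == null` guard in the previous hunk (@@ -397) and replacing canRead with canUseMethodOnSpace here changes who may fetch a space's log: the visible part of canReadSpace (SpacePersistTasks hunk @@ -219) only rejects a non-null account when it is frozen and its `if (account != null)` guard suggests null accounts are accepted, so a guest who can read the space can now read its log where before any unauthenticated request got 403. If the log was meant to stay behind authentication, restore the null check before this call: `if (authedAccount == null || !canUseMethodOnSpace(request.getMethod(), authedAccount, spaceRecord)) {`. doGet begins in the hunk above and continues past this one.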
@@ -466,11 +470,6 @@
private void doProxy(HttpServletRequest request, String method, HttpServletResponse response, String[] pathElements) throws IOException {
try {
- AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (authedAccount == null) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
long spaceID = Long.parseLong(pathElements[1]);
SpaceRecord spaceRecord = SpacePersistTasks.findSpaceBySpaceID(spaceID, getSessionFactory());
if (spaceRecord == null) {
@@ -478,7 +477,8 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
+ if(authedAccount == null || !spaceRecord.getOwnerUsername().equals(authedAccount.getUsername())){
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
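Review bot: Moving the account lookup below findSpaceBySpaceID (also done in @@ -397 here and in the SimServlet doPost/doDelete hunks) means an unauthenticated caller now receives SC_NOT_FOUND for a missing space and SC_FORBIDDEN for an existing one, whereas before the same caller got SC_FORBIDDEN either way; that reveals whether a space ID exists without credentials, which may be acceptable given spaces can be published, but it is a behaviour change worth stating in the log message. If it is not intended, keep the `authedAccount == null` rejection ahead of the space lookup and leave only the owner comparison here. doProxy begins in the hunk above and continues past this one.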
@@ -538,7 +538,7 @@
}
AccountRecord authedAccount = AuthServlet.getAuthedAccountRecord(request, getSessionFactory());
- if (!canRead(authedAccount, spaceRecord)) {
+ if(!canUseMethodOnSpace(request.getMethod(), authedAccount, spaceRecord)){
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -592,7 +592,7 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
@@ -614,16 +614,11 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
String memberUsername = pathElements[pathElements.length - 1];
SpaceMemberRecord memberRec = SpaceMemberPersistTasks.findSpaceMemberByUsername(spaceID, memberUsername, sessionFactory);
if (memberRec == null) {
@@ -646,16 +641,11 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
String memberUsername = pathElements[pathElements.length - 1];
SpaceMemberRecord memberRec = SpaceMemberPersistTasks.findSpaceMemberByUsername(spaceID, memberUsername, getSessionFactory());
if (memberRec == null) {
@@ -687,16 +677,11 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
SpaceMemberDocument newMemberDoc = new SpaceMemberDocument(parseXML(request.getInputStream()));
SpaceMemberRecord rec = SpaceMemberPersistTasks.createSpaceMember(spaceID, newMemberDoc.getMemberUsername(), newMemberDoc.isBanned(), getSessionFactory());
@@ -716,16 +701,11 @@
return;
}
- if (!authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
+ if (authedAccount == null || !authedAccount.getUsername().equals(spaceRecord.getOwnerUsername())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
- if (!canRead(authedAccount, spaceRecord)) {
- response.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
XMLElement result = new XMLElement("list");
SpaceMemberRecord[] memberRecords = SpaceMemberPersistTasks.findSpaceMembersBySpaceID(spaceRecord.getSpaceID(), getSessionFactory());
for (int i = 0; i < memberRecords.length; i++) {
@@ -743,7 +723,7 @@
}
public void doGet(HttpServletRequest request, HttpServletResponse response, String[] pathElements, AccountRecord authedAccount) throws PersistException, ServletException, IOException {
- if (!AccountDocument.ACCOUNT_LEVEL_ADMIN.equals(authedAccount.getAccountlevel())) {
+ if (authedAccount == null || !AccountDocument.ACCOUNT_LEVEL_ADMIN.equals(authedAccount.getAccountlevel())) {
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}