From a13bdbf6b5e598419ff8e70b4a6b0fecefb2d6ae Mon Sep 17 00:00:00 2001
From: Lukas Ettel <34522828+LukasEttel@users.noreply.github.com>
Date: Fri, 20 Mar 2020 16:33:56 +0100
Subject: [PATCH] Fixed unauthoriced acsess to group-details
Co-Authored-By: andibuls
Co-Authored-By: xxnitram
---
 .gitignore | 2 ++
 .../controller/Gruppen2Controller.java | 34 ++++++++++++++-----
 .../resources/templates/detailsNoMember.html | 13 +++++++
 .../templates/privateGroupNoMember.html | 26 ++++++++++++++
 4 files changed, 67 insertions(+), 8 deletions(-)
 create mode 100644 src/main/resources/templates/privateGroupNoMember.html
diff --git a/.gitignore b/.gitignore
index 3ed356b..26e2888 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,5 @@ out/
 .vscode/
 .floo
 .flooignore
+
+/mysql/*
diff --git a/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java b/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java
index 888e651..3783e8a 100644
--- a/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java
+++ b/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java
@@ -5,6 +5,7 @@ import mops.gruppen2.config.Gruppen2Config;
 import mops.gruppen2.domain.Group;
 import mops.gruppen2.domain.Role;
 import mops.gruppen2.domain.User;
+import mops.gruppen2.domain.Visibility;
 import mops.gruppen2.domain.exception.EventException;
 import mops.gruppen2.domain.exception.GroupNotFoundException;
 import mops.gruppen2.domain.exception.WrongFileException;
@@ -178,6 +179,18 @@ public class Gruppen2Controller {
 User user = new User(account.getName(), account.getGivenname(), account.getFamilyname(), account.getEmail());
 Long parentId = group.getParent();
 Group parent = new Group();
+ if (!group.getMembers().contains(user)){
+ if (group.getVisibility() == Visibility.PRIVATE){
+ return "privateGroupNoMember";
+ }
+ if (group != null) {
+ model.addAttribute("group", group);
+ model.addAttribute("parentId", parentId);
+ model.addAttribute("parent", parent);
+ return "detailsNoMember";
+ }
+ return "detailsNoMember";
+ }
 if (parentId != null) {
 parent = userService.getGroupById(parentId);
 }
@@ -256,14 +269,19 @@ public class Gruppen2Controller {
 public String editMembers(Model model, KeycloakAuthenticationToken token, @PathVariable("id") Long groupId) throws EventException {
 Account account = keyCloakService.createAccountFromPrincipal(token);
 Group group = userService.getGroupById(groupId);
- if (group.getRoles().get(account.getName()) == Role.ADMIN) {
- model.addAttribute("account", account);
- model.addAttribute("members", group.getMembers());
- model.addAttribute("group", group);
- model.addAttribute("admin", Role.ADMIN);
- return "editMembers";
- } else {
- return "redirect:/details/";
+ User user = new User(account.getName(),"", "", "");
+ if (group.getMembers().contains(user)) {
+ if (group.getRoles().get(account.getName()) == Role.ADMIN) {
+ model.addAttribute("account", account);
+ model.addAttribute("members", group.getMembers());
+ model.addAttribute("group", group);
+ model.addAttribute("admin", Role.ADMIN);
+ return "editMembers";
+ } else {
+ return "redirect:/details/";
+ }
+ }else {
+ return "privateGroupNoMember";
 }
 }
diff --git a/src/main/resources/templates/detailsNoMember.html b/src/main/resources/templates/detailsNoMember.html
index be65b7f..2ce3528 100644
--- a/src/main/resources/templates/detailsNoMember.html
+++ b/src/main/resources/templates/detailsNoMember.html
@@ -62,6 +62,19 @@
+
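Review bot: The non-member branch puts `parent` into the model while it is still the empty placeholder from `Group parent = new Group();`, because the `userService.getGroupById(parentId)` lookup on the context lines below this block only runs after the new early return; if `detailsNoMember` renders the parent, move that lookup above the new `if`, otherwise drop `model.addAttribute("parent", parent);`. The `if (group != null) {` wrapper is dead: `group` was already dereferenced by `getMembers()` and `getVisibility()` two lines earlier, and both arms end in `return "detailsNoMember";`, so the wrapper and the trailing duplicate return can be removed. The access decision rests on `group.getMembers().contains(user)`, i.e. on `User.equals`, which is not visible here; the `editMembers` hunk builds its probe `User` with empty name and email fields while this one passes the real account values, so if `equals` compares anything beyond the name one of the two checks is wrong — a single shared `isMember(group, account)` helper would keep them consistent. The enclosing method's signature and the rest of its body lie outside this hunk.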
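Review bot: The membership probe `new User(account.getName(),"", "", "")` makes the authorization decision depend on `User.equals` ignoring the blank givenname, familyname and email fields, which this hunk does not show; the details hunk above builds its probe from the real account values, so the two checks can disagree. The admin test already keys `group.getRoles()` by `account.getName()`, so if every member has a role entry the membership test can reuse that map instead of a throwaway `User`: `Role role = group.getRoles().get(account.getName()); if (role == null) { return "privateGroupNoMember"; } if (role != Role.ADMIN) { return "redirect:/details/"; }` — confirm that invariant against `Group` before switching. Returning `"privateGroupNoMember"` as a plain view name answers a denied request with HTTP 200, so clients, proxies and logs cannot tell it from a successful page; throwing a dedicated exception mapped with `@ResponseStatus(HttpStatus.FORBIDDEN)` keeps the same page while reporting it as an authorization failure. Minor: `}else {` lacks the space before `else`, and `"redirect:/details/"` carries no group id — that predates this commit, but is worth checking against the details route.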
+
+

Mitglieder

+
+

+ + von maximal + + Benutzern. +

+
+
+
diff --git a/src/main/resources/templates/privateGroupNoMember.html b/src/main/resources/templates/privateGroupNoMember.html
new file mode 100644
index 0000000..28d48cb
--- /dev/null
+++ b/src/main/resources/templates/privateGroupNoMember.html
@@ -0,0 +1,26 @@
+ + + + + + + + + Seite nicht gefunden + + +
+
+
+

Kein Zugriff auf die Gruppe

+

Sorry, du hast keine Berechtigung auf diese Funktionen der Gruppe zuzugreifen


+
+
+
+

Zurück +

+
+
+ + \ No newline at end of file
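Review bot: The page title reads `Seite nicht gefunden` ("page not found") while the heading and body tell the user they lack permission (`Kein Zugriff auf die Gruppe`, "Sorry, du hast keine Berechtigung …"), so the browser tab and the page contradict each other. If the intent is to report the denial, use `<title>Kein Zugriff auf die Gruppe</title>`; if the intent is to avoid confirming that a private group with this id exists, the body copy should match the not-found wording instead, and the controller would then need to serve the same page for unknown ids. Either way the controller returns this template as a plain view name, so it is delivered with HTTP 200 rather than 403 or 404.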