Fixed unauthoriced acsess to group-details

Co-Authored-By: andibuls <andibuls@users.noreply.github.com> Co-Authored-By: xxnitram <xxnitram@users.noreply.github.com>
2020-03-20 16:33:56 +01:00
parent cb9750efc6
commit a13bdbf6b5
4 changed files with 67 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -32,3 +32,5 @@ out/
 .vscode/
 .floo
 .flooignore
+
+/mysql/*
--- a/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java
+++ b/src/main/java/mops/gruppen2/controller/Gruppen2Controller.java
@ -5,6 +5,7 @@ import mops.gruppen2.config.Gruppen2Config;
 import mops.gruppen2.domain.Group;
 import mops.gruppen2.domain.Role;
 import mops.gruppen2.domain.User;
+import mops.gruppen2.domain.Visibility;
 import mops.gruppen2.domain.exception.EventException;
 import mops.gruppen2.domain.exception.GroupNotFoundException;
 import mops.gruppen2.domain.exception.WrongFileException;
@ -178,6 +179,18 @@ public class Gruppen2Controller {
        User user = new User(account.getName(), account.getGivenname(), account.getFamilyname(), account.getEmail());
        Long parentId = group.getParent();
        Group parent = new Group();
+        if (!group.getMembers().contains(user)){
+            if (group.getVisibility() == Visibility.PRIVATE){
+                return "privateGroupNoMember";
+            }
+            if (group != null) {
+                model.addAttribute("group", group);
+                model.addAttribute("parentId", parentId);
+                model.addAttribute("parent", parent);
+                return "detailsNoMember";
+            }
+            return "detailsNoMember";
+        }
        if (parentId != null) {
            parent = userService.getGroupById(parentId);
        }
@ -256,6 +269,8 @@ public class Gruppen2Controller {
    public String editMembers(Model model, KeycloakAuthenticationToken token, @PathVariable("id") Long groupId) throws EventException {
        Account account = keyCloakService.createAccountFromPrincipal(token);
        Group group = userService.getGroupById(groupId);
+        User user = new User(account.getName(),"", "", "");
+        if (group.getMembers().contains(user)) {
            if (group.getRoles().get(account.getName()) == Role.ADMIN) {
                model.addAttribute("account", account);
                model.addAttribute("members", group.getMembers());
@ -265,6 +280,9 @@ public class Gruppen2Controller {
            } else {
                return "redirect:/details/";
            }
+        }else {
+            return "privateGroupNoMember";
+        }
    }

    @RolesAllowed({"ROLE_orga", "ROLE_studentin", "ROLE_actuator)"})
--- a/src/main/resources/templates/detailsNoMember.html
+++ b/src/main/resources/templates/detailsNoMember.html
@ -62,6 +62,19 @@
                    </div>
                </div>
            </div>
+            <div class="col-3" style="white-space: nowrap">
+                <div style="display: inline-block; margin: 0">
+                    <h2>Mitglieder</h2>
+                    <div>
+                        <h4>
+                            <a th:text="${group.getMembers().size()}"></a>
+                            <a>von maximal</a>
+                            <a th:text="${group.getUserMaximum()}"></a>
+                            <a>Benutzern.</a>
+                        </h4>
+                    </div>
+                </div>
+            </div>
        </div>
    </div>
 </main>
--- a/src/main/resources/templates/privateGroupNoMember.html
+++ b/src/main/resources/templates/privateGroupNoMember.html
@ -0,0 +1,26 @@
+<!DOCTYPE html>
+
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta charset="utf-8">
+    <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
+    <link crossorigin="anonymous" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css"
+          integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" rel="stylesheet">
+    <meta charset="UTF-8">
+    <title>Seite nicht gefunden</title>
+</head>
+<body>
+<div class="mx-auto" style="vertical-align: border-radius: 5px; center; horiz-align: center; top: 50%; left: 50%;">
+    <div class="jumbotron" style="background: aliceblue">
+        <div class="container">
+            <h1 class="display-3">Kein Zugriff auf die Gruppe</h1>
+            <p class="lead">Sorry, du hast keine Berechtigung auf diese Funktionen der Gruppe zuzugreifen</p><br>
+        </div>
+    </div>
+    <div class="container">
+        <p><a class="btn btn-primary btn-lg" href="#" onclick="window.history.back(-1);return false;" role="button">Zurück</a>
+        </p>
+    </div>
+</div>
+</body>
+</html>