[Branch ~dhis2-devs-core/dhis2/trunk] Rev 8781: Not permitting restore if user has critical authorities
------------------------------------------------------------
revno: 8781
committer: Lars Helge Øverland <larshelge@xxxxxxxxx>
branch nick: dhis2
timestamp: Wed 2012-10-31 08:41:46 +0300
message:
Not permitting restore if user has critical authorities
modified:
dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java
dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java
dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java
dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml
dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2012-09-03 19:53:34 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserAuthorityGroup.java 2012-10-31 05:41:46 +0000
@@ -53,6 +53,11 @@
{
public static final String AUTHORITY_ALL = "ALL";
+ public static final String[] CRITICAL_AUTHS = { "ALL", "F_SCHEDULING_ADMIN",
+ "F_PERFORM_MAINTENANCE", "F_MERGE_ORGANISATION_UNITS", "F_ELIMINATE_DUPLICATE_DATA_ELEMENTS",
+ "F_ARCHIVE_DATA", "F_SQLVIEW_MANAGEMENT", "F_SYSTEM_SETTING",
+ "F_USERROLE_LIST", "F_USERROLE_DELETE", "F_USERROLE_ADD", "F_USERROLE_UPDATE" };
+
/**
* Required and unique.
*/
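Review bot: `CRITICAL_AUTHS` on the line after `AUTHORITY_ALL` is a `public static final String[]`, and a final array reference still leaves every element writable, so any code with access to the class can overwrite or blank the authority names that the restore check in DefaultSecurityService relies on. Since the consumer wraps it in `Arrays.asList` anyway, an unmodifiable collection is the safer shape, e.g. `public static final Set<String> CRITICAL_AUTHS = Collections.unmodifiableSet( new HashSet<String>( Arrays.asList( ... ) ) );` (the `java.util` imports for it would go at the top of the file, outside this hunk). The first element also repeats the literal `"ALL"` instead of reusing the constant declared on the line above; `AUTHORITY_ALL, "F_SCHEDULING_ADMIN",` keeps the two in sync. A short Javadoc stating what "critical" means here — presumably authorities whose holders must not be able to restore their account through the recovery flow — would tell maintainers how to decide whether a new authority belongs in the list. The enclosing class body continues past the hunk.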
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2012-10-29 14:34:57 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserCredentials.java 2012-10-31 05:41:46 +0000
@@ -129,6 +129,19 @@
return authorities;
}
+
+ /**
+ * Tests whether this user credentials has any of the authorities in the
+ * given set.
+ *
+ * @param auths the authorities to compare with.
+ * @return true or false.
+ */
+ public boolean hasAnyAuthority( Collection<String> auths )
+ {
+ Set<String> all = new HashSet<String>( getAllAuthorities() );
+ return all.removeAll( auths );
+ }
/**
* Indicates whether this user credentials is a super user, implying that the
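Review bot: `hasAnyAuthority` copies every authority into a new `HashSet` and then uses the side-effecting `removeAll` return value to answer a pure containment question; `return !Collections.disjoint( getAllAuthorities(), auths );` says the same thing in one line without the copy (needs `java.util.Collections` imported at the top of the file, outside the hunk). Either form throws `NullPointerException` when `auths` is null, which is fine for internal callers but should be stated with `@throws` or guarded. The Javadoc's `@return true or false.` says nothing; `@return true if at least one of the given authorities is held by these credentials, false otherwise.` does, and a blank line is missing between the new method's closing brace and the Javadoc that follows it. Whether `getAllAuthorities()` returns the `ALL` authority literally or already expanded into concrete authorities is not visible here; the restore check in DefaultSecurityService lists both `"ALL"` and concrete authorities, so confirm that whichever form is returned is covered. The enclosing class continues outside the hunk.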
=== modified file 'dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java'
--- dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2012-10-30 15:04:28 +0000
+++ dhis-2/dhis-services/dhis-service-core/src/main/java/org/hisp/dhis/security/DefaultSecurityService.java 2012-10-31 05:41:46 +0000
@@ -27,6 +27,7 @@
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
+import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
@@ -43,6 +44,7 @@
import org.hisp.dhis.system.util.ValidationUtils;
import org.hisp.dhis.system.velocity.VelocityManager;
import org.hisp.dhis.user.User;
+import org.hisp.dhis.user.UserAuthorityGroup;
import org.hisp.dhis.user.UserCredentials;
import org.hisp.dhis.user.UserService;
@@ -122,7 +124,11 @@
return false;
}
- // TODO deny restore if credentials contain certain authorities
+ if ( credentials.hasAnyAuthority( Arrays.asList( UserAuthorityGroup.CRITICAL_AUTHS ) ) )
+ {
+ log.info( "Not allowed to recover credentials with critical authorities" );
+ return false;
+ }
String[] result = initRestore( credentials );
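Review bot: The denial on the `log.info` line records that a restore was refused but not for which account, so an audit of attempted recoveries of privileged accounts cannot be tied to anything; including the account identifier, e.g. `log.info( "Not allowed to recover credentials with critical authorities: " + credentials.getUsername() );`, is enough (this assumes `UserCredentials` exposes the username under that accessor; adjust to the actual one). `Arrays.asList( UserAuthorityGroup.CRITICAL_AUTHS )` is rebuilt on every call; holding it once in a `private static final` field of this class, or making the constant itself a collection, removes that. The enclosing restore method begins and ends outside the hunk, so the earlier checks that `return false` above this point are not visible here.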
=== modified file 'dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm'
--- dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm 2012-10-30 14:13:06 +0000
+++ dhis-2/dhis-web/dhis-web-commons-resources/src/main/webapp/dhis-web-commons/useraccount/recovery.vm 2012-10-31 05:41:46 +0000
@@ -40,7 +40,7 @@
<div id="recoveryErrorMessage" style="display:none">
Sorry, we were not able to restore your account. The user name might be invalid,
-your account might not permit restore or you might not have entered a valid email
+your account might not permit restore or you might have entered an invalid email
address for your account.
</div>
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml 2012-10-22 18:48:19 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-settings/src/main/resources/struts.xml 2012-10-31 05:41:46 +0000
@@ -27,6 +27,7 @@
<result name="success" type="velocity-json">
/dhis-web-commons/ajax/jsonResponseSuccess.vm</result>
<param name="onExceptionReturn">plainTextError</param>
+ <param name="requiredAuthorities">F_SYSTEM_SETTING</param>
</action>
<!-- Appearance settings -->
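Review bot: The same `<param name="requiredAuthorities">F_SYSTEM_SETTING</param>` guard is added in four places (this hunk and the appearance, email and access settings hunks below it), but each `<action>` opening tag lies above its hunk, so the diff alone cannot show which actions these are or whether other actions in the same package still lack the parameter; worth confirming against the full file that every settings-writing action carries it, since an unguarded sibling would undo the point of the change. The four hunks are otherwise identical, so this note covers all of them.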
@@ -42,6 +43,7 @@
<result name="success" type="velocity-json">
/dhis-web-commons/ajax/jsonResponseSuccess.vm</result>
<param name="onExceptionReturn">plainTextError</param>
+ <param name="requiredAuthorities">F_SYSTEM_SETTING</param>
</action>
<!-- Email settings -->
@@ -57,6 +59,7 @@
<result name="success" type="velocity-json">
/dhis-web-commons/ajax/jsonResponseSuccess.vm</result>
<param name="onExceptionReturn">plainTextError</param>
+ <param name="requiredAuthorities">F_SYSTEM_SETTING</param>
</action>
<!-- Access settings -->
@@ -72,6 +75,7 @@
<result name="success" type="velocity-json">
/dhis-web-commons/ajax/jsonResponseSuccess.vm</result>
<param name="onExceptionReturn">plainTextError</param>
+ <param name="requiredAuthorities">F_SYSTEM_SETTING</param>
</action>
</package>
=== modified file 'dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java'
--- dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2012-10-17 19:06:30 +0000
+++ dhis-2/dhis-web/dhis-web-maintenance/dhis-web-maintenance-user/src/main/java/org/hisp/dhis/user/action/AddUserAction.java 2012-10-31 05:41:46 +0000
@@ -180,6 +180,8 @@
UserCredentials currentUserCredentials = currentUserService.getCurrentUser() != null ? currentUserService
.getCurrentUser().getUserCredentials() : null;
+ // TODO check permissions
+
// ---------------------------------------------------------------------
// Prepare values
// ---------------------------------------------------------------------
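Review bot: The new `// TODO check permissions` leaves the permission check in the user-creation path unimplemented, so it is now the one part of this change that is announced but not enforced. If the intent is to stop a user from creating accounts that hold authorities the creator lacks (presumably what `currentUserCredentials` on the preceding lines is fetched for), naming that in the TODO, e.g. `// TODO verify the current user holds the authorities of the selected user roles`, would at least make the missing check reviewable. `currentUserCredentials` is null when there is no current user, so whatever check is added here must handle that case rather than dereference it. The enclosing method starts and ends outside the hunk.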