[Branch ~dhis2-devs-core/dhis2/trunk] Rev 20635: Fixed errorenous settings parising, added required auth for POST on api/staticContent
------------------------------------------------------------
revno: 20635
committer: Halvdan Hoem Grelland <halvdanhg@xxxxxxxxx>
branch nick: dhis2
timestamp: Mon 2015-10-12 14:41:20 +0200
message:
Fixed erroneous settings parsing, added required auth for POST on api/staticContent
modified:
dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/StaticContentController.java
dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/StaticContentController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/StaticContentController.java 2015-10-09 10:49:19 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/StaticContentController.java 2015-10-12 12:41:20 +0000
@@ -47,6 +47,7 @@
import org.hisp.dhis.webapi.utils.WebMessageUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.util.MimeType;
import org.springframework.util.MimeTypeUtils;
@@ -77,9 +78,9 @@
private static final String LOGO_BANNER = "logo_banner";
private static final String LOGO_FRONT = "logo_front";
- private static final Map<String, String> KEY_WHITELIST_MAP = ImmutableMap.<String, String>builder().
- put( LOGO_BANNER, Setting.USE_CUSTOM_LOGO_BANNER.getDefaultValue().toString() ).
- put( LOGO_FRONT, Setting.USE_CUSTOM_LOGO_FRONT.getDefaultValue().toString() ).build();
+ private static final Map<String, Setting> KEY_WHITELIST_MAP = ImmutableMap.<String, Setting>builder().
+ put( LOGO_BANNER, Setting.USE_CUSTOM_LOGO_BANNER ).
+ put( LOGO_FRONT, Setting.USE_CUSTOM_LOGO_FRONT ).build();
/**
* Serves the PNG associated with the key. If custom logo is not used the
@@ -93,18 +94,19 @@
@PathVariable( "key" ) String key, HttpServletResponse response )
throws WebMessageException
{
+
if ( !KEY_WHITELIST_MAP.containsKey( key ) )
{
throw new WebMessageException( WebMessageUtils.notFound( "Key does not exist" ) );
}
- Boolean useCustomFile = Boolean.parseBoolean( (String) systemSettingManager.getSystemSetting( KEY_WHITELIST_MAP.get( key ) ) );
+ boolean useCustomFile = (boolean) systemSettingManager.getSystemSetting( KEY_WHITELIST_MAP.get( key ) );
if ( !useCustomFile ) // Serve default
{
try
{
- response.sendRedirect( this.getDefaultLogoUrl( key ) );
+ response.sendRedirect( getDefaultLogoUrl( key ) );
}
catch ( IOException e )
{
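Review bot: The new `(boolean)` cast on the `getSystemSetting(...)` result throws a NullPointerException if the manager returns null for a key that was never set, and a ClassCastException if a legacy String value written by the old code is still persisted; since GET on this endpoint is now `permitAll()`, either surfaces as an unauthenticated 500 instead of the default logo. Unless `getSystemSetting( Setting )` is known to fall back to `Setting.getDefaultValue()` and always yield a `Boolean`, a tolerant read is safer: `boolean useCustomFile = Boolean.TRUE.equals( systemSettingManager.getSystemSetting( KEY_WHITELIST_MAP.get( key ) ) );` — any non-true value then serves the default logo, which is the conservative outcome for an anonymous caller (assuming the enum default is false; confirm). The method's signature begins before this hunk.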
@@ -147,6 +149,7 @@
* @throws WebMessageException
* @throws IOException
*/
+ @PreAuthorize( "hasRole('ALL') or hasRole('F_SYSTEM_SETTING')" )
@ResponseStatus( HttpStatus.NO_CONTENT )
@RequestMapping( value = "/{key}", method = RequestMethod.POST )
public void updateStaticContent(
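Review bot: The `@PreAuthorize` on the POST handler only takes effect if `<sec:global-method-security pre-post-annotations="enabled"/>` is registered in the Spring context that instantiates this controller (the web-api context, which is not the `security.xml` edited below); that wiring is not visible here and is worth confirming with a test that an authenticated user without `F_SYSTEM_SETTING` receives 403. Whether `hasRole('ALL')` matches the bare `ALL` authority or a `ROLE_`-prefixed one depends on the Spring Security version in use, so the expression should follow the convention of the other controllers' `@PreAuthorize` annotations rather than be written fresh. The signature and body of `updateStaticContent` continue past the hunk, so the multipart handling (content-type and size validation of the uploaded image) could not be reviewed here.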
@@ -214,7 +217,7 @@
if ( key.equals( LOGO_FRONT ) )
{
- relativeUrlToImage = "/dhis-web-commons/flags/" + systemSettingManager.getFlagImage();
+ relativeUrlToImage = "/dhis-web-commons/security/logo_front.png";
}
return relativeUrlToImage;
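Review bot: The new default `"/dhis-web-commons/security/logo_front.png"` starts with `/` and the caller hands it directly to `response.sendRedirect(...)`; under the Servlet spec a leading-slash relative location is resolved against the servlet container root, not the application's context path, so on a deployment under a context such as `/dhis` the redirect would miss unless something upstream already prefixes the context path. If it is not handled elsewhere, the path should be built as `request.getContextPath() + "/dhis-web-commons/security/logo_front.png"` (or via the project's context-path helper) before redirecting. The adjacent banner branch has the same shape and is pre-existing; `getDefaultLogoUrl` begins before this hunk.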
=== modified file 'dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml'
--- dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2015-08-21 11:26:35 +0000
+++ dhis-2/dhis-web/dhis-web-commons/src/main/resources/META-INF/dhis/security.xml 2015-10-12 12:41:20 +0000
@@ -115,6 +115,7 @@
<sec:intercept-url pattern="/api/account/restore" access="permitAll()" />
<sec:intercept-url pattern="/api/account/password" access="permitAll()" />
<sec:intercept-url pattern="/api/account" access="permitAll()" />
+ <sec:intercept-url pattern="/api/staticContent/*" method="GET" access="permitAll()"/>
<sec:intercept-url pattern="/**" access="isAuthenticated()" />
<sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<sec:custom-filter ref="automaticAccessFilter" before="LOGOUT_FILTER" />
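Review bot: `method="GET"` on the new `permitAll()` rule matches GET only, so a HEAD request for `/api/staticContent/*` (common from browsers, proxies and link checkers revalidating a cached logo) falls through to the `/**` `isAuthenticated()` rule and gets an authentication challenge rather than headers; if anonymous HEAD is wanted, add `<sec:intercept-url pattern="/api/staticContent/*" method="HEAD" access="permitAll()"/>` beside it. The rule is effective only because it precedes the `/**` catch-all, so that ordering must be kept when the list is edited. Limiting the anonymous exemption to the read method while POST stays under `isAuthenticated()` is the right split; the controller-side `@PreAuthorize` is a separate guard that this XML does not enable by itself.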