Commit 55cd0c73 authored by Vetle.Hjelmtvedt

Merge branch 'task3' into 'master'

Task3

See merge request !7
parents d7331c98 c388b142
......@@ -156,7 +156,11 @@ public class Handler extends AbstractHandler
Util.lookup(account.value.channels,alias).get();
if(request.getMethod().equals("POST")) {
// This is a request to post something in the channel.
// Confirm that CSRF token matches session cookie
if (!session.identity.equals(UUID.fromString(request.getParameter("CSRFToken")))) {return;}
if(request.getParameter("newmessage") != null) {
String message = (new Maybe<String>
(request.getParameter("message"))).get();
......@@ -189,7 +193,7 @@ public class Handler extends AbstractHandler
printStandardTop(out, "inChat: " + alias);
out.println("<div class=\"main\">");
printChannelList(out, account.value, alias);
printChannel(out, channel, alias);
printChannel(out, channel, alias, session.identity);
out.println("</div>");
out.println("</body>");
out.println("</html>");
......@@ -208,6 +212,7 @@ public class Handler extends AbstractHandler
out.println("<form class=\"login\" action=\"/\" method=\"POST\">"
+ "<div class=\"name\"><input type=\"text\" name=\"channelname\" placeholder=\"Channel name\"></div>"
+ "<div class=\"submit\"><input type=\"submit\" name=\"createchannel\" value=\"Create Channel\"></div>"
+ " <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">"
+ "</form>");
out.println("</body>");
out.println("</html>");
......@@ -226,6 +231,7 @@ public class Handler extends AbstractHandler
out.println("<form class=\"login\" action=\"/join\" method=\"POST\">"
+ "<div class=\"name\"><input type=\"text\" name=\"channelid\" placeholder=\"Channel ID number:\"></div>"
+ "<div class=\"submit\"><input type=\"submit\" name=\"joinchannel\" value=\"Join channel\"></div>"
+ " <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">"
+ "</form>");
out.println("</body>");
out.println("</html>");
......@@ -251,6 +257,8 @@ public class Handler extends AbstractHandler
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"editmessage\" value=\"Edit\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\"" + messageid + "\">");
// Add anti-CSRF token here
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + session.identity + "\">");
out.println(" <textarea id=\"messageInput\" class=\"messagebox\" placeholder=\"Post a message in this channel!\" name=\"content\">" + originalContent + "</textarea>");
out.println(" <div class=\"controls\"><input style=\"float: right;\" type=\"submit\" name=\"edit\" value=\"Edit\"></div>");
out.println("</form>");
......@@ -315,7 +323,7 @@ public class Handler extends AbstractHandler
Stored<Channel> channel = inchat.waitNextChannelVersion(identity,version).get();
System.err.println("Got a new version.");
out.println(channel.version);
printChannelEvents(out,channel);
printChannelEvents(out,channel, session.identity);
response.setStatus(HttpServletResponse.SC_OK);
baseRequest.setHandled(true);
return ;
......@@ -433,16 +441,17 @@ public class Handler extends AbstractHandler
**/
private void printChannel(PrintWriter out,
Stored<Channel> channel,
String alias) {
String alias, UUID token) {
out.println("<main id=\"channel\" role=\"main\" class=\"channel\">");
printChannelEvents(out,channel);
printChannelEvents(out,channel, token);
out.println("<script src=\"/script.js\"></script>");
out.println("<script>subscribe(\"" + channel.identity +"\",\"" + channel.version + "\");</script>");
out.println("<form class=\"entry\" action=\"/channel/" + alias + "\" method=\"post\">");
out.println(" <div class=\"user\">You</div>");
out.println(" <input type=\"hidden\" name=\"newmessage\" value=\"Send\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <textarea id=\"messageInput\" class=\"messagebox\" placeholder=\"Post a message in this channel!\" name=\"message\"></textarea>");
out.println(" <div class=\"controls\"><input style=\"float: right;\" type=\"submit\" name=\"send\" value=\"Send\"></div>");
out.println("</form>");
......@@ -466,6 +475,7 @@ public class Handler extends AbstractHandler
out.println("<option value=\"observer\">Observer</option>");
out.println("<option value=\"banned\">Banned</option>");
out.println("<input type=\"submit\" name=\"setpermission\" value=\"Set!\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println("</select>");
out.println("</form>");
......@@ -476,19 +486,19 @@ public class Handler extends AbstractHandler
* Render the events of a channel as HTML.
*/
private void printChannelEvents(PrintWriter out,
Stored<Channel> channel) {
Stored<Channel> channel, UUID token) {
out.println("<div id=\"chanevents\">");
channel.value
.events
.reverse()
.forEach(printEvent(out,channel));
.forEach(printEvent(out,channel, token));
out.println("</div>");
}
/**
* Render an event as HTML.
*/
private Consumer<Stored<Channel.Event>> printEvent(PrintWriter out, Stored<Channel> channel) {
private Consumer<Stored<Channel.Event>> printEvent(PrintWriter out, Stored<Channel> channel, UUID token) {
return (e -> {
switch(e.value.type) {
case message:
......@@ -499,6 +509,7 @@ public class Handler extends AbstractHandler
out.println(" <div class=\"messagecontrols\">");
out.println(" <form style=\"grid-area: delete;\" action=\"/channel/" + channel.value.name + "\" method=\"POST\">");
out.println(" <input type=\"hidden\" name=\"message\" value=\""+ e.identity + "\">");
out.println(" <input type=\"hidden\" name=\"CSRFToken\" value=\"" + token + "\">");
out.println(" <input type=\"submit\" name=\"deletemessage\" value=\"Delete\">");
out.println(" </form><form style=\"grid-area: edit;\" action=\"/editMessage\" method=\"POST\">");
out.println(" ");
......
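Review bot: The token check at the top of the first hunk throws instead of rejecting when the parameter is absent or malformed — `UUID.fromString(null)` raises NullPointerException and any non-UUID string raises IllegalArgumentException — and on a mismatch the bare `return;` neither sets a status nor calls `baseRequest.setHandled(true)` (both of which this handler does elsewhere, e.g. after `printChannelEvents`), so a forged request falls through rather than being refused with 403. Comparing the raw parameter against `session.identity.toString()` removes the parse and lets the handler answer explicitly, as in the lines below. Separately, the token is the session identifier itself (the new comment says it must match the session cookie), so every rendered form now embeds the cookie value in page HTML; a dedicated random per-session token, or an HMAC of the session id, would keep a page-content leak (XSS, cached page) from also disclosing the session. Tokens are emitted for the create, join, edit, set-permission and delete forms but only the `/channel/<alias>` POST path shows a check in these hunks, so confirm each of the other handlers validates it, and move the set-permission hidden input after `</select>` — placed inside the select as now, browsers only submit it because the parser closes the select early. The enclosing handle method begins before the first hunk.
```java
// Confirm that CSRF token matches session cookie
String csrf = request.getParameter("CSRFToken");
if (csrf == null || !session.identity.toString().equals(csrf)) {
    response.setStatus(HttpServletResponse.SC_FORBIDDEN);
    baseRequest.setHandled(true);
    return;
}
// … unchanged: newmessage / edit / delete handling …
```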