Commit ecbf5bb9 authored by vehjelmtvedt's avatar vehjelmtvedt

various access control bug fixes

parent 6b4a814e
......@@ -53,7 +53,17 @@ public class Handler extends AbstractHandler
* This is the entry point for HTTP requests.
* Some requests require login, while some can be processed
* without a valid session.
*
* 6193.. - bruker2
* 97ab.. - bruker1
*
*
*/
public void handle(String target,
Request baseRequest,
HttpServletRequest request,
......@@ -181,8 +191,6 @@ public class Handler extends AbstractHandler
boolean ownerOfMsg = message.value.sender.equals(account.value.user.value.userName.toString());
if (permission || ownerOfMsg) {
channel = inchat.deleteEvent(channel, message);
} else {
return;
}
}
if(request.getParameter("editmessage") != null) {
......@@ -197,15 +205,15 @@ public class Handler extends AbstractHandler
boolean ownerOfMsg = event.value.sender.equals(account.value.user.value.userName.toString());
if (permission || ownerOfMsg) {
channel = inchat.editMessage(channel, event, message);
} else {
return;
}
}
if (request.getParameter("setpermission") != null){
String targetedUserName = request.getParameter("username");
String newRole = request.getParameter("role");
System.out.println(targetedUserName + " has now got role " + newRole);
channel = inchat.setRole(account, channel, targetedUserName, newRole.toUpperCase()).get();
// If user is not owner, deny the request
if (Util.lookupTriple(account.value.channels, channel.value.name).get().equals(Role.OWNER)) {
channel = inchat.setRole(account, channel, targetedUserName, newRole.toUpperCase()).get();
}
}
}
......@@ -555,7 +563,7 @@ public class Handler extends AbstractHandler
private boolean hasPermission(Role role, String request) {
// Permissions for a newmessage request
if (request.equals("newmessage")) {
return !role.equals(Role.BANNED);
return !(role.equals(Role.BANNED) || role.equals(Role.OBSERVER));
// Permissions for an editmessage or deletemessage request
} else if (request.equals("editmessage") || request.equals("deletemessage")) {
// Owner and mod can edit anything
......
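Review bot: In the `setpermission` branch the `System.out.println(targetedUserName + " has now got role " + newRole)` line appears to stay above the new owner check, so a denied request is still logged as a completed role change and unvalidated request parameters are written to stdout. `username` and `role` come straight from `request.getParameter` and may be null, so `newRole.toUpperCase()` throws when `role` is absent; the guard should cover this, e.g. `if (targetedUserName != null && newRole != null && Util.lookupTriple(account.value.channels, channel.value.name).get().equals(Role.OWNER)) {`, with the log statement moved inside it. The unchecked `.get()` on the lookup result presumably fails when the account has no entry for this channel, which would be better treated as a denial than as an exception. The page has lost its `+`/`-` markers, so which `setRole` line is the old one is inferred from the hunk counts, and the enclosing `handle` method starts and ends outside this hunk.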
......@@ -239,7 +239,6 @@ public class InChat {
});
if (updatedChannels.equals(targetAccount.value.channels)) {
updatedChannels.add(new Triple<>(channel.value.name, channel, targetRole));
}
......