various access control bug fixes

ecbf5bb9 · vehjelmtvedt · 6b4a814e · ecbf5bb9 · ecbf5bb9
Commit ecbf5bb9 authored Nov 14, 2021 by vehjelmtvedt
--- a/src/main/java/inf226/inchat/Handler.java
+++ b/src/main/java/inf226/inchat/Handler.java
@@ -53,7 +53,17 @@ public class Handler extends AbstractHandler
   * This is the entry point for HTTP requests.
   * Some requests require login, while some can be processed
   * without a valid session.
+   *
+   * 6193.. - bruker2
+   * 97ab.. - bruker1
+   *
+   *
   */
+
+
+
+
+
  public void handle(String target,
                     Request baseRequest,
                     HttpServletRequest request,
@@ -181,8 +191,6 @@ public class Handler extends AbstractHandler
                        boolean ownerOfMsg = message.value.sender.equals(account.value.user.value.userName.toString());
                        if (permission || ownerOfMsg) {
                            channel = inchat.deleteEvent(channel, message);
-                        } else {
-                            return;
                        }
                    }
                    if(request.getParameter("editmessage") != null) {
@@ -197,15 +205,15 @@ public class Handler extends AbstractHandler
                        boolean ownerOfMsg = event.value.sender.equals(account.value.user.value.userName.toString());
                        if (permission || ownerOfMsg) {
                            channel = inchat.editMessage(channel, event, message);
-                        } else {
-                            return;
                        }
                    }
                    if (request.getParameter("setpermission") != null){
                        String targetedUserName = request.getParameter("username");
                        String newRole = request.getParameter("role");
-                        System.out.println(targetedUserName + " has now got role " + newRole);
-                        channel = inchat.setRole(account, channel, targetedUserName, newRole.toUpperCase()).get();
+                        // If user is not owner, deny the request
+                        if (Util.lookupTriple(account.value.channels, channel.value.name).get().equals(Role.OWNER)) {
+                            channel = inchat.setRole(account, channel, targetedUserName, newRole.toUpperCase()).get();
+                        }
                    }
                    
                }
@@ -555,7 +563,7 @@ public class Handler extends AbstractHandler
    private boolean hasPermission(Role role, String request) {
        // Permissions for a newmessage request
        if (request.equals("newmessage")) {
-            return !role.equals(Role.BANNED);
+            return !(role.equals(Role.BANNED) || role.equals(Role.OBSERVER));
        // Permissions for an editmessage or deletemessage request
        } else if (request.equals("editmessage") || request.equals("deletemessage")) {
            // Owner and mod can edit anything

--- a/src/main/java/inf226/inchat/InChat.java
+++ b/src/main/java/inf226/inchat/InChat.java
@@ -239,7 +239,6 @@ public class InChat {
            });


-
            if (updatedChannels.equals(targetAccount.value.channels)) {
                updatedChannels.add(new Triple<>(channel.value.name, channel, targetRole));
            }