Fix several minor security bugs.

This commit is contained in:
Paulo Gustavo Veiga 2012-06-12 22:33:51 -03:00
parent cbdd6dd146
commit c4d2acec7b
3 changed files with 165 additions and 128 deletions

View File

@ -24,7 +24,7 @@ public class RestCollaboration {
public RestCollaboration(@NotNull Collaboration collaboration) {
this.email = collaboration.getCollaborator().getEmail();
this.role = collaboration.getRole().name();
this.role = collaboration.getRole().getLabel();
}
public RestCollaboration() {

View File

@ -166,12 +166,16 @@ public class MindmapServiceImpl
mindmap.getCollaborations().add(collaboration);
mindmapManager.saveMindmap(mindmap);
try {
// Sent collaboration email ...
final Map<String, Object> model = new HashMap<String, Object>();
model.put("role", role);
model.put("map", mindmap);
model.put("message", "message");
mailer.sendEmail(mailer.getSiteEmail(), email, "Collaboration", model, "newColaborator.vm");
} catch (Exception e) {
e.printStackTrace();
}
} else if (collaboration.getRole() != role) {
// If the relationship already exists and the role changed then only update the role

View File

@ -28,6 +28,11 @@
<div id="sharingContainer">
<table class="table" id="collabsTable">
<colgroup>
<col width="70%"/>
<col width="20%"/>
<col width="10%"/>
</colgroup>
</table>
</div>
@ -52,18 +57,24 @@
<script type="text/javascript">
$("#errorMsg").hide();
var messages = {
owner: 'Is owner',
editor: 'Can edit',
viewer: 'Can view'};
function onClickShare(aElem) {
var role = $(aElem).attr('data-role');
var roleDec = role == 'viewer' ? "Can view" : "Can edit";
var roleDec = messages[role];
var btnElem = $(aElem).parent().parent().parent().find(".dropdown-toggle");
btnElem.text(roleDec).append(' <span class="caret"> </span>');
return role;
}
function addCollaboration(email, role) {
// Add row to the table ...
var rowStr;
var tableElem = $("#collabsTable");
if (role != "owner") {
// Add row to the table ...
var rowTemplate = '\
<tr data-collab="{email}" data-role="{role}">\
<td>{email}</td>\
@ -71,21 +82,22 @@
<div class="btn-group">\
<a class="btn dropdown-toggle" data-toggle="dropdown" href="#""></a>\
<ul class="dropdown-menu">\
<li><a href="#" data-role="editor">Can edit</a></li>\
<li><a href="#" data-role="viewer">Can view</a></li>\
<li><a href="#" data-role="editor">' + messages['editor'] + '</a></li>\
<li><a href="#" data-role="viewer">' + messages['viewer'] + '</a></li>\
</ul>\
</div>\
</td>\
<td><a href="#">x</a></td>\
</tr>';
var rowStr = rowTemplate.replace(/{email}/g, email);
rowStr = rowTemplate.replace(/{email}/g, email);
rowStr = rowStr.replace(/{role}/g, role);
var elem = tableElem.append(rowStr);
// Register change role event ...
var rowElem = $("#collabsTable tr:last");
$(rowElem.find(".dropdown-menu a").click(function() {
reportError(null);
var role = onClickShare(this);
rowElem.attr('data-role', role);
event.preventDefault();
@ -94,10 +106,20 @@
// Register remove event ...
rowElem.find("td:last a").click(function(event) {
reportError(null);
var email = rowElem.attr('data-collab');
removeCollab(email);
event.preventDefault();
});
} else {
rowStr = '<tr data-collab=' + email + ' data-role="' + role + '">\
<td>' + email + ' (You)</td>\
<td><button class="btn btn-secondary">' + messages[role] + '</button></td>\
<td></td>\
</tr>';
tableElem.append(rowStr);
}
}
var removeCollab = function(email) {
@ -112,8 +134,12 @@
type: 'GET',
contentType:"text/plain",
success : function(data, textStatus, jqXHR) {
// Init table will all values ...
var collabs = data.collaborations;
// Owner roles is the first in the table ...
var collabs = data.collaborations.sort(function(a, b) {
return a.role > b.role;
});
// Add all the colums in the table ...
for (var i = 0; i < collabs.length; i++) {
var collab = collabs[i];
addCollaboration(collab.email, collab.role);
@ -131,8 +157,7 @@
var emailsStr = $("#collabEmails").val();
var role = $("#shareRole").attr('data-role');
// Clear previous state ...
$("#errorMsg").text("").hide();
reportError(null);
// Split emails ...
var valid = true;
@ -150,10 +175,11 @@
}
// Is there a collab with the same email ?
var useExists = jQuery.grep(model,
var useExists = jQuery.grep(model.collaborations,
function(val) {
return val.email == email;
return val.email.trim() == email.trim();
}).length > 0;
if (useExists) {
reportError(email + " is already in the shared list");
valid = false;
@ -192,8 +218,12 @@
}
function reportError(msg) {
if (msg) {
$('#errorMsg').show();
$('#errorMsg').append("<p>" + msg + "</p>");
} else {
$("#errorMsg").text("").hide();
}
}
function buildCollabModel() {
@ -214,20 +244,23 @@
// Hook for interaction with the main parent window ...
var submitDialogForm = function() {
console.log(buildCollabModel());
var collabs = buildCollabModel();
collabs.collaborations = jQuery.grep(collabs.collaborations, function() {
return this.role != 'owner';
});
jQuery.ajax("service/maps/${mindmap.id}/collabs", {
async:false,
dataType: 'json',
type: 'PUT',
data: JSON.stringify(buildCollabModel()),
data: JSON.stringify(collabs),
contentType:"application/json",
success : function(data, textStatus, jqXHR) {
$('#share-dialog-modal').modal('hide');
},
error: function(jqXHR, textStatus, errorThrown) {
alert(textStatus);
reportError(textStatus);
}
});
}
</script>