Protect guest repositories from being changed anonymously

radkovo · radkovo · commit fd51f3ad8ac1 · 2022-08-03T13:22:05.000+02:00
diff --git a/FitLayoutWebService/src/main/java/cz/vutbr/fit/layout/web/data/UserInfo.java b/FitLayoutWebService/src/main/java/cz/vutbr/fit/layout/web/data/UserInfo.java
@@ -22,7 +22,7 @@ public class UserInfo
 {
     /**
      * The user ID used for an unathorized user. This is not used when the REST endpoind is
-     * disabled for anonymous sers.
+     * disabled for anonymous users.
      */
     public static String ANONYMOUS_USER = "guest";
 
@@ -108,5 +108,10 @@ public void setExpires(Date expires)
     {
         this.expires = expires;
     }
+
+    public Set<String> getRoles()
+    {
+        return roles;
+    }
     
 }
diff --git a/FitLayoutWebService/src/main/java/cz/vutbr/fit/layout/web/ejb/StorageProviderMulti.java b/FitLayoutWebService/src/main/java/cz/vutbr/fit/layout/web/ejb/StorageProviderMulti.java
@@ -125,7 +125,7 @@ public RepositoryInfo getRepositoryInfo(UserInfo user, String repoId)
     {
         if (isReady())
         {
-            return findUserRepository(user.getUserId(), repoId);
+            return findUserRepository(user.getUserId(), repoId, true);
         }
         else
             return null;
@@ -203,9 +203,13 @@ private void createRepositoryWithId(String id, String owner, RepositoryInfo info
     public RepositoryInfo updateRepository(UserInfo user, String repoId, RepositoryInfo info)
             throws RepositoryException
     {
+        final boolean isadmin = (user.getRoles() != null && user.getRoles().contains("admin"));
+        if (!isadmin && user.isAnonymous())
+            return null; // only admin can modify guest repositories
+        
         if (isReady())
         {
-            RepositoryInfo current = findUserRepository(user.getUserId(), repoId);
+            RepositoryInfo current = findUserRepository(user.getUserId(), repoId, isadmin);
             if (current != null)
             {
                 current.updateWith(info);
@@ -267,11 +271,19 @@ private RepositoryInfo findRepository(String uuid)
         }
     }
     
-    private RepositoryInfo findUserRepository(String userId, String repoId)
+    /**
+     * Finds the user repositor and gets the info.
+     * 
+     * @param userId the repository user ID
+     * @param repoId the repository ID
+     * @param allowAnonymous try to look for anonymous user repository if the user's repository does not exist?
+     * @return the repository info or {@code null} if it does not exist
+     */
+    private RepositoryInfo findUserRepository(String userId, String repoId, boolean allowAnonymous)
     {
         var info = manager.getRepositoryInfo(userId + SEP + repoId);
         //if the repository is not defined for the user, try to find it for anonymous guest
-        if (info == null && !UserInfo.ANONYMOUS_USER.equals(userId))
+        if (info == null && allowAnonymous && !UserInfo.ANONYMOUS_USER.equals(userId))
             info = manager.getRepositoryInfo(UserInfo.ANONYMOUS_USER + SEP + repoId);
         
         if (info != null)

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ public class UserInfo`
`22`	`22`	`{`
`23`	`23`	`/**`
`24`	`24`	`* The user ID used for an unathorized user. This is not used when the REST endpoind is`
`25`		`- * disabled for anonymous sers.`
	`25`	`+ * disabled for anonymous users.`
`26`	`26`	`*/`
`27`	`27`	`public static String ANONYMOUS_USER = "guest";`
`28`	`28`
`@@ -108,5 +108,10 @@ public void setExpires(Date expires)`
`108`	`108`	`{`
`109`	`109`	`this.expires = expires;`
`110`	`110`	`}`
	`111`	`+`
	`112`	`+ public Set<String> getRoles()`
	`113`	`+ {`
	`114`	`+ return roles;`
	`115`	`+ }`
`111`	`116`
`112`	`117`	`}`
Original file line number	Diff line number	Diff line change
`@@ -125,7 +125,7 @@ public RepositoryInfo getRepositoryInfo(UserInfo user, String repoId)`
`125`	`125`	`{`
`126`	`126`	`if (isReady())`
`127`	`127`	`{`
`128`		`- return findUserRepository(user.getUserId(), repoId);`
	`128`	`+ return findUserRepository(user.getUserId(), repoId, true);`
`129`	`129`	`}`
`130`	`130`	`else`
`131`	`131`	`return null;`
`@@ -203,9 +203,13 @@ private void createRepositoryWithId(String id, String owner, RepositoryInfo info`
`203`	`203`	`public RepositoryInfo updateRepository(UserInfo user, String repoId, RepositoryInfo info)`
`204`	`204`	`throws RepositoryException`
`205`	`205`	`{`
	`206`	`+ final boolean isadmin = (user.getRoles() != null && user.getRoles().contains("admin"));`
	`207`	`+ if (!isadmin && user.isAnonymous())`
	`208`	`+ return null; // only admin can modify guest repositories`
	`209`	`+`
`206`	`210`	`if (isReady())`
`207`	`211`	`{`
`208`		`- RepositoryInfo current = findUserRepository(user.getUserId(), repoId);`
	`212`	`+ RepositoryInfo current = findUserRepository(user.getUserId(), repoId, isadmin);`
`209`	`213`	`if (current != null)`
`210`	`214`	`{`
`211`	`215`	`current.updateWith(info);`
`@@ -267,11 +271,19 @@ private RepositoryInfo findRepository(String uuid)`
`267`	`271`	`}`
`268`	`272`	`}`
`269`	`273`
`270`		`- private RepositoryInfo findUserRepository(String userId, String repoId)`
	`274`	`+ /**`
	`275`	`+ * Finds the user repositor and gets the info.`
	`276`	`+ *`
	`277`	`+ * @param userId the repository user ID`
	`278`	`+ * @param repoId the repository ID`
	`279`	`+ * @param allowAnonymous try to look for anonymous user repository if the user's repository does not exist?`
	`280`	`+ * @return the repository info or {@code null} if it does not exist`
	`281`	`+ */`
	`282`	`+ private RepositoryInfo findUserRepository(String userId, String repoId, boolean allowAnonymous)`
`271`	`283`	`{`
`272`	`284`	`var info = manager.getRepositoryInfo(userId + SEP + repoId);`
`273`	`285`	`//if the repository is not defined for the user, try to find it for anonymous guest`
`274`		`- if (info == null && !UserInfo.ANONYMOUS_USER.equals(userId))`
	`286`	`+ if (info == null && allowAnonymous && !UserInfo.ANONYMOUS_USER.equals(userId))`
`275`	`287`	`info = manager.getRepositoryInfo(UserInfo.ANONYMOUS_USER + SEP + repoId);`
`276`	`288`
`277`	`289`	`if (info != null)`