Fix user admin check (#1206) - cherry-picked from 1852400
syjer authored and cbellone committed Mar 31, 2023
1 parent 7d12c36 commit c9a16ab
Showing 10 changed files with 136 additions and 43 deletions.
Expand Up @@ -53,8 +53,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
String username = req.getParameter("username");
if (!userManager.usernameExists(username)) {
var organizationModification = new OrganizationModification(null, UUID.randomUUID().toString(), username, username, null, null);
int orgId = userManager.createOrganization(organizationModification);
userManager.insertUser(orgId, username, "", "", username, Role.OWNER, User.Type.DEMO, req.getParameter("password"), null, null);
int orgId = userManager.createOrganization(organizationModification, null);
userManager.insertUser(orgId, username, "", "", username, Role.OWNER, User.Type.DEMO, req.getParameter("password"), null, null, null);
}
}

21 changes: 10 additions & 11 deletions src/main/java/alfio/controller/api/admin/UsersApiController.java
Expand Up @@ -137,15 +137,15 @@ public ResponseEntity<String> bulkCreate(@RequestBody BulkApiKeyCreation request
Optional<User> userOptional = userManager.findOptionalEnabledUserByUsername(principal.getName())
.filter(u -> userManager.isOwnerOfOrganization(u, request.organizationId));
if(userOptional.isPresent()) {
userManager.bulkInsertApiKeys(request.organizationId, request.role, request.descriptions);
userManager.bulkInsertApiKeys(request.organizationId, request.role, request.descriptions, principal);
return ResponseEntity.ok("OK");
}
return ResponseEntity.badRequest().build();
}

@PostMapping("/organizations/new")
public String insertOrganization(@RequestBody OrganizationModification om) {
userManager.createOrganization(om);
public String insertOrganization(@RequestBody OrganizationModification om, Principal principal) {
userManager.createOrganization(om, principal);
return OK;
}

Expand Down Expand Up @@ -180,7 +180,7 @@ public String editUser(@RequestBody UserModification userModification, Principal
userManager.editUser(userModification.getId(), userModification.getOrganizationId(),
userModification.getUsername(), userModification.getFirstName(), userModification.getLastName(),
userModification.getEmailAddress(), userModification.getDescription(),
Role.valueOf(userModification.getRole()), principal.getName());
Role.valueOf(userModification.getRole()), principal);
return OK;
}

Expand All @@ -193,7 +193,7 @@ public UserWithPasswordAndQRCode insertUser(@RequestBody UserModification userMo
userModification.getFirstName(), userModification.getLastName(),
userModification.getEmailAddress(), requested,
type == null ? User.Type.INTERNAL : type,
userModification.getValidToAsDateTime(), userModification.getDescription());
userModification.getValidToAsDateTime(), userModification.getDescription(), principal);
String qrCode = type != User.Type.API_KEY ? Base64.getEncoder().encodeToString(generateQRCode(userWithPassword, baseUrl)) : null;
return new UserWithPasswordAndQRCode(userWithPassword, qrCode);
}
Expand Down Expand Up @@ -236,13 +236,13 @@ private static byte[] generateQRCode(UserWithPassword userWithPassword, String b

@DeleteMapping("/users/{id}")
public String deleteUser(@PathVariable("id") int userId, Principal principal) {
userManager.deleteUser(userId, principal.getName());
userManager.deleteUser(userId, principal);
return OK;
}

@PostMapping("/users/{id}/enable/{enable}")
public String enableUser(@PathVariable("id") int userId, @PathVariable("enable")boolean enable, Principal principal) {
userManager.enable(userId, principal.getName(), enable);
userManager.enable(userId, enable, principal);
return OK;
}

Expand All @@ -267,19 +267,18 @@ public UserModification loadCurrentUser(Principal principal) {
@PostMapping("/users/current/update-password")
public ValidationResult updateCurrentUserPassword(@RequestBody PasswordModification passwordModification, Principal principal) {
return userManager.validateNewPassword(principal.getName(), passwordModification.oldPassword, passwordModification.newPassword, passwordModification.newPasswordConfirm)
.ifSuccess(() -> userManager.updateCurrentUserPassword(principal.getName(), passwordModification.newPassword));
.ifSuccess(() -> userManager.updateCurrentUserPassword(passwordModification.newPassword, principal));
}

@PostMapping("/users/current/edit")
public void updateCurrentUser(@RequestBody UserModification userModification, Principal principal) {
User user = userManager.findUserByUsername(principal.getName());
userManager.updateUserContactInfo(user.getId(), userModification.getFirstName(), userModification.getLastName(), userModification.getEmailAddress());
userManager.updateCurrentUserContactInfo(userModification.getFirstName(), userModification.getLastName(), userModification.getEmailAddress(), principal);

}

@PutMapping("/users/{id}/reset-password")
public UserWithPasswordAndQRCode resetPassword(@PathVariable("id") int userId, @RequestParam("baseUrl") String baseUrl, Principal principal) {
UserWithPassword userWithPassword = userManager.resetPassword(userId, principal.getName());
UserWithPassword userWithPassword = userManager.resetPassword(userId, principal);
return new UserWithPasswordAndQRCode(userWithPassword, Base64.getEncoder().encodeToString(generateQRCode(userWithPassword, baseUrl)));
}

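Review bot: In the first hunk (`@@ -137,15 +137,15 @@`), the new `insertOrganization(@RequestBody OrganizationModification om, Principal principal)` still passes the request body straight to `userManager.createOrganization(om, principal)` without any validation, while `OrganizationsApiV1Controller.createOrganization` in this same commit guards with `if (om == null || !om.isValid(true))` before creating. Unless `createOrganization` validates the modification internally (not visible here), the admin endpoint accepts a null or incomplete `OrganizationModification` that the V1 endpoint would reject with a 400. Add the same guard, e.g. `if (om == null || !om.isValid(true)) { throw new IllegalArgumentException("invalid organization modification"); }`, or change the method to return `ResponseEntity` as the V1 controller does so the failure can be signalled as a bad request. A smaller consistency point in the last hunk: `updateCurrentUserPassword` still validates via `principal.getName()` but updates via `principal`, so the two calls now resolve the user through different paths. The `bulkCreate` method at the top of the first hunk starts outside the hunk.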
Expand Up @@ -43,11 +43,11 @@ public OrganizationsApiV1Controller(UserManager userManager,
}

@PostMapping("/create")
public ResponseEntity<Organization> createOrganization(@RequestBody OrganizationModification om) {
public ResponseEntity<Organization> createOrganization(@RequestBody OrganizationModification om, Principal principal) {
if (om == null || !om.isValid(true)) {
return ResponseEntity.badRequest().build();
}
int orgId = userManager.createOrganization(om);
int orgId = userManager.createOrganization(om, principal);
return ResponseEntity.ok(userManager.findOrganizationById(orgId, UserManager.ADMIN_USERNAME));
}

Expand All @@ -62,8 +62,8 @@ public ResponseEntity<Organization> getSingleOrganization(@PathVariable("id") in
}

@PutMapping("/{id}/api-key")
public OrganizationApiKey createApiKeyForOrganization(@PathVariable("id") int organizationId) {
var user = userManager.insertUser(organizationId, null, null, null, null, Role.fromRoleName("ROLE_API_CLIENT"), User.Type.API_KEY, null, "Auto-generated API Key");
public OrganizationApiKey createApiKeyForOrganization(@PathVariable("id") int organizationId, Principal principal) {
var user = userManager.insertUser(organizationId, null, null, null, null, Role.fromRoleName("ROLE_API_CLIENT"), User.Type.API_KEY, null, "Auto-generated API Key", principal);
return new OrganizationApiKey(organizationId, user.getUsername());
}

