Genesys PGR
Genesys Backend
Commits
36b2f66b
Commit
36b2f66b
authored
Jun 09, 2016
by
Aleksandr Sharaban
Committed by
Matija Obreza
Jun 10, 2016
Bug #32973: XSS in user profile.
E-mail address validation added.
parent
2c8578fa
Changes
8
pom.xml
@@ -69,6 +69,7 @@
<commons.io.version>
2.4
</commons.io.version>
<commons.lang.version>
2.6
</commons.lang.version>
<commons.logging.version>
1.2
</commons.logging.version>
<commons.validator.version>
1.4.0
</commons.validator.version>
<jstl.version>
1.2
</jstl.version>
<servlet-api.version>
2.5
</servlet-api.version>
@@ -169,6 +170,12 @@
<version>
1.10
</version>
</dependency>
<dependency>
<groupId>
commons-validator
</groupId>
<artifactId>
commons-validator
</artifactId>
<version>
${commons.validator.version}
</version>
</dependency>
<!-- Logging dependencies -->
<dependency>
<groupId>
org.slf4j
</groupId>
src/main/java/org/genesys2/server/service/UserService.java
@@ -64,7 +64,7 @@ public interface UserService {
UserWrapper
getWrappedById
(
long
userId
)
throws
UserException
;
@PreAuthorize
(
"hasRole('ADMINISTRATOR') || principal.user.id == #userId"
)
User
updateData
(
long
userId
,
String
name
,
String
email
);
User
updateData
(
long
userId
,
String
name
,
String
email
)
throws
UserException
;
User
getSystemUser
(
String
string
);
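Review bot: The new `throws UserException` clause on `updateData` comes with no Javadoc, so the interface gives callers no contract for when the exception is raised, nor that the more specific NotUniqueUserException may arrive for an address already in use (the UserServiceImpl hunk throws both under this one clause, which suggests NotUniqueUserException extends UserException — worth confirming). Add a Javadoc block above the method with `@throws UserException if {@code email} is not a syntactically valid address` and `@throws NotUniqueUserException if another account already uses {@code email}`. The enclosing interface starts and ends outside the hunk.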
src/main/java/org/genesys2/server/service/impl/UserServiceImpl.java
@@ -29,6 +29,7 @@ import org.apache.commons.collections4.ListUtils;
import
org.apache.commons.lang.StringUtils
;
import
org.apache.commons.logging.Log
;
import
org.apache.commons.logging.LogFactory
;
import
org.apache.commons.validator.routines.EmailValidator
;
import
org.genesys2.server.exception.NoUserFoundException
;
import
org.genesys2.server.exception.NotUniqueUserException
;
import
org.genesys2.server.exception.UserException
;
@@ -75,6 +76,8 @@ public class UserServiceImpl implements UserService {
private
final
List
<
UserRole
>
availableRoles
=
ListUtils
.
unmodifiableList
(
Arrays
.
asList
(
UserRole
.
values
()));
private
EmailValidator
emailValidator
=
EmailValidator
.
getInstance
();
/**
* Set number of milliseconds for user account lockout
*/
@@ -250,8 +253,15 @@ public class UserServiceImpl implements UserService {
@Override
@PreAuthorize
(
"hasRole('ADMINISTRATOR') || principal.user.id == #userId"
)
@Transactional
(
readOnly
=
false
)
public
User
updateData
(
long
userId
,
String
name
,
String
email
)
{
@Transactional
(
readOnly
=
false
,
rollbackFor
=
NotUniqueUserException
.
class
)
public
User
updateData
(
long
userId
,
String
name
,
String
email
)
throws
UserException
{
if
(!
emailValidator
.
isValid
(
email
))
{
throw
new
UserException
();
}
if
(
userPersistence
.
findByEmail
(
email
)
!=
null
)
{
throw
new
NotUniqueUserException
(
new
Throwable
(),
email
);
}
final
User
user
=
userPersistence
.
findOne
(
userId
);
user
.
setName
(
name
);
user
.
setEmail
(
email
);
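Review bot: The uniqueness check `if (userPersistence.findByEmail(email) != null)` does not exclude the account being edited, so a user who resubmits the profile form with their current address (or changes only the name) is rejected with NotUniqueUserException, unless findByEmail already excludes the caller somewhere not visible here. Compare the match against the id being updated instead: `final User existing = userPersistence.findByEmail(email);` followed by `if (existing != null && existing.getId() != userId) {`. The `new Throwable()` passed as the cause of NotUniqueUserException carries no information beyond a captured stack; if the constructor accepts a null cause, pass that, or add a constructor without one. Note also that the lookup-then-save is not atomic, so two concurrent updates can both pass the check and a unique constraint on the email column remains the real guarantee — whether one exists is not visible in this diff. The method continues outside the hunk.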
src/main/java/org/genesys2/server/servlet/controller/UserProfileController.java
@@ -19,6 +19,7 @@ package org.genesys2.server.servlet.controller;
import
java.util.List
;
import
org.apache.commons.lang.StringUtils
;
import
org.genesys2.server.exception.NotUniqueUserException
;
import
org.genesys2.server.exception.UserException
;
import
org.genesys2.server.model.impl.User
;
import
org.genesys2.server.service.EMailVerificationService
;
@@ -36,6 +37,7 @@ import org.springframework.web.bind.annotation.PathVariable;
import
org.springframework.web.bind.annotation.RequestMapping
;
import
org.springframework.web.bind.annotation.RequestMethod
;
import
org.springframework.web.bind.annotation.RequestParam
;
import
org.springframework.web.servlet.mvc.support.RedirectAttributes
;
@Controller
@RequestMapping
(
"/profile"
)
@@ -163,13 +165,21 @@ public class UserProfileController extends BaseController {
@RequestMapping
(
value
=
"/{uuid:.+}/update"
,
method
=
{
RequestMethod
.
POST
})
@PreAuthorize
(
"hasRole('ADMINISTRATOR') || principal.user.uuid == #uuid"
)
public
String
update
(
ModelMap
model
,
@PathVariable
(
"uuid"
)
String
uuid
,
@RequestParam
(
"name"
)
String
name
,
@RequestParam
(
"email"
)
String
email
,
@RequestParam
(
"pwd1"
)
String
pwd1
,
@RequestParam
(
"pwd2"
)
String
pwd2
)
{
@RequestParam
(
"pwd1"
)
String
pwd1
,
@RequestParam
(
"pwd2"
)
String
pwd2
,
RedirectAttributes
redirectAttributes
)
{
final
User
user
=
userService
.
getUserByUuid
(
uuid
);
if
(
user
==
null
)
{
throw
new
ResourceNotFoundException
();
}
userService
.
updateData
(
user
.
getId
(),
name
,
email
);
try
{
userService
.
updateData
(
user
.
getId
(),
name
,
email
);
}
catch
(
NotUniqueUserException
e
)
{
redirectAttributes
.
addFlashAttribute
(
"emailError"
,
"User with e-mail address "
+
e
.
getEmail
()
+
" already exists"
);
return
"redirect:/profile/"
+
user
.
getUuid
()
+
"/edit"
;
}
catch
(
UserException
e
)
{
redirectAttributes
.
addFlashAttribute
(
"emailError"
,
"E-mail address is incorrect"
);
return
"redirect:/profile/"
+
user
.
getUuid
()
+
"/edit"
;
}
if
(
StringUtils
.
isNotBlank
(
pwd1
))
{
if
(
pwd1
.
equals
(
pwd2
))
{
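Review bot: Both new catch blocks build the flash message by concatenating English text with the submitted address (`"User with e-mail address " + e.getEmail() + " already exists"`), while the rest of the page is localised through spring:message codes, and the raw address then travels into the view under `emailError`. Prefer storing a message code plus the address as a separate flash attribute (for example `emailErrorArg`, a constructed name) and composing the sentence in the JSP, so the text is translatable and the user-supplied value is escaped where it is rendered rather than trusted because it passed the validator. The identical pattern is in the admin UserProfileController hunk and should change together with this one. The update method continues past the hunk (the password branch beginning at `if (StringUtils.isNotBlank(pwd1))`).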
src/main/java/org/genesys2/server/servlet/controller/admin/UserProfileController.java
@@ -19,6 +19,7 @@ package org.genesys2.server.servlet.controller.admin;
import
java.util.List
;
import
org.apache.commons.lang.StringUtils
;
import
org.genesys2.server.exception.NotUniqueUserException
;
import
org.genesys2.server.exception.UserException
;
import
org.genesys2.server.model.impl.User
;
import
org.genesys2.server.service.EMailVerificationService
;
@@ -36,6 +37,7 @@ import org.springframework.web.bind.annotation.PathVariable;
import
org.springframework.web.bind.annotation.RequestMapping
;
import
org.springframework.web.bind.annotation.RequestMethod
;
import
org.springframework.web.bind.annotation.RequestParam
;
import
org.springframework.web.servlet.mvc.support.RedirectAttributes
;
@Controller
(
"adminUsersController"
)
@RequestMapping
(
UserProfileController
.
URLBASE
)
@@ -153,13 +155,21 @@ public class UserProfileController extends BaseController {
@RequestMapping
(
value
=
"/{uuid:.+}/update"
,
method
=
{
RequestMethod
.
POST
})
public
String
update
(
ModelMap
model
,
@PathVariable
(
"uuid"
)
String
uuid
,
@RequestParam
(
"name"
)
String
name
,
@RequestParam
(
"email"
)
String
email
,
@RequestParam
(
"pwd1"
)
String
pwd1
,
@RequestParam
(
"pwd2"
)
String
pwd2
)
{
@RequestParam
(
"pwd1"
)
String
pwd1
,
@RequestParam
(
"pwd2"
)
String
pwd2
,
RedirectAttributes
redirectAttributes
)
{
final
User
user
=
userService
.
getUserByUuid
(
uuid
);
if
(
user
==
null
)
{
throw
new
ResourceNotFoundException
();
}
userService
.
updateData
(
user
.
getId
(),
name
,
email
);
try
{
userService
.
updateData
(
user
.
getId
(),
name
,
email
);
}
catch
(
NotUniqueUserException
e
)
{
redirectAttributes
.
addFlashAttribute
(
"emailError"
,
"User with e-mail address "
+
e
.
getEmail
()
+
" already exists"
);
return
"redirect:"
+
URLBASE
+
user
.
getUuid
()
+
"/edit"
;
}
catch
(
UserException
e
)
{
redirectAttributes
.
addFlashAttribute
(
"emailError"
,
"E-mail address is incorrect"
);
return
"redirect:"
+
URLBASE
+
user
.
getUuid
()
+
"/edit"
;
}
if
(
StringUtils
.
isNotBlank
(
pwd1
))
{
if
(
pwd1
.
equals
(
pwd2
))
{
src/main/java/org/genesys2/server/servlet/controller/rest/UsersController.java
@@ -115,7 +115,13 @@ public class UsersController extends RestController {
throw
new
ResourceNotFoundException
();
}
userService
.
updateData
(
user
.
getId
(),
userData
.
getName
(),
userData
.
getEmail
());
try
{
userService
.
updateData
(
user
.
getId
(),
userData
.
getName
(),
userData
.
getEmail
());
}
catch
(
NotUniqueUserException
e
)
{
LOG
.
warn
(
"User with e-mail address "
+
e
.
getEmail
()
+
" already exists"
);
}
catch
(
UserException
e
)
{
LOG
.
warn
(
"E-mail address is incorrect"
);
}
if
(
StringUtils
.
isNotBlank
(
userData
.
getPwd1
()))
{
if
(
userData
.
getPwd1
().
equals
(
userData
.
getPwd2
()))
{
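Review bot: The two new catch blocks only log the failure and then fall through to the password update, so a REST client whose address was rejected (invalid or already taken) receives whatever the handler returns after the hunk — presumably a success response — with the e-mail silently left unchanged. Let the failure reach the client instead: rethrow the exception (or map it to a 400/409 response in an @ExceptionHandler) rather than `LOG.warn(...)` and continue. If a log line is kept, be aware that it embeds the client-supplied address verbatim. The enclosing handler starts and ends outside the hunk.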
src/main/webapp/WEB-INF/jsp/1/admin/users/edit.jsp
@@ -7,6 +7,9 @@
<title><spring:message
code=
"userprofile.update.title"
/></title>
</head>
<body>
<c:if
test=
"
${
not
empty
emailError
}
"
>
<div
class=
"alert alert-danger"
>
${emailError}
</div>
</c:if>
<form
role=
"form"
class=
"form-horizontal validate"
action=
"
<c:url
value=
"/admin/users/${user.uuid}/update"
/>
"
method=
"post"
>
<div
class=
"form-group"
>
<label
for=
"name"
class=
"col-lg-2 control-label"
><spring:message
code=
"registration.full-name"
/></label>
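Review bot: `${emailError}` is written into the page with plain EL interpolation, which does not HTML-escape by default, and the controllers fill this attribute with a string that embeds the submitted e-mail address. Since the commit is fixing an XSS in this profile page, render it through the escaping tag instead: `<c:out value="${emailError}"/>`. The same applies to the identical block added in src/main/webapp/WEB-INF/jsp/user/edit.jsp.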
src/main/webapp/WEB-INF/jsp/user/edit.jsp
@@ -12,6 +12,9 @@
<spring:message
code=
"userprofile.update.title"
/>
</h1>
<c:if
test=
"
${
not
empty
emailError
}
"
>
<div
class=
"alert alert-danger"
>
${emailError}
</div>
</c:if>
<form
role=
"form"
class=
"form-horizontal validate"
action=
"
<c:url
value=
"/profile/${user.uuid}/update"
/>
"
method=
"post"
>
<div
class=
"form-group"
>
<label
for=
"name"
class=
"col-lg-2 control-label"
><spring:message
code=
"registration.full-name"
/></label>