Commit 399faa81 authored by Matija Obreza's avatar Matija Obreza

Removed obsolete code that was a potential security risk

parent ab3812c6
......@@ -18,89 +18,31 @@ package org.genesys2.server.servlet.controller;
import java.util.List;
import org.genesys2.server.exception.NotUniqueUserException;
import org.genesys2.server.exception.UserException;
import org.genesys2.server.model.impl.User;
import org.genesys2.server.model.oauth.OAuthClientDetails;
import org.genesys2.server.service.OAuth2ClientDetailsService;
import org.genesys2.server.service.UserService;
import org.genesys2.server.servlet.model.UserList;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.dao.DataIntegrityViolationException;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
/**
* User REST-controller. It produces and consumes JSON. For "USER" role all
* actions are read-only.
* Produce the Javascript code for Webapi widget.
*
* @see org.genesys2.auth.common.service.UserService
*/
@Controller
public class UsersRestController extends BaseController {
public class WidgetApiController extends BaseController {
@Value("${base.url}")
private String baseUrl;
@Autowired
protected UserService userService;
@Autowired
private OAuth2ClientDetailsService clientDetailsService;
@RequestMapping(value = "/users", method = RequestMethod.GET, produces = { MediaType.APPLICATION_JSON_VALUE })
@ResponseBody
@PreAuthorize("hasRole('ADMINISTRATOR')")
public Object getUsers(@RequestParam(value = "startRow", required = false, defaultValue = "0") Integer startRow,
@RequestParam(value = "pageSize", required = false, defaultValue = "0") Integer pageSize) throws UserException {
return new UserList(userService.listWrapped(startRow, pageSize));
}
@RequestMapping(value = "/users/{id}", method = RequestMethod.GET, produces = { MediaType.APPLICATION_JSON_VALUE })
@ResponseBody
@PreAuthorize("hasRole('ADMINISTRATOR')")
public Object getUser(@PathVariable Long id) throws UserException {
return userService.getWrappedById(id);
}
@RequestMapping(value = "/users", method = RequestMethod.PUT, consumes = { MediaType.APPLICATION_JSON_VALUE })
@ResponseBody
public void saveUser(@RequestBody @Validated User user) throws UserException {
userService.addUser(user);
}
@RequestMapping(value = "/users", method = RequestMethod.POST, consumes = { MediaType.APPLICATION_JSON_VALUE })
@ResponseBody
public void updateUser(@RequestBody @Validated User user) throws UserException {
try {
userService.updateUser(user);
} catch (final DataIntegrityViolationException e) { // for some reasons it's
// not caught in service
throw new NotUniqueUserException(e, user.getEmail());
}
}
@RequestMapping(value = "/users",
/* method = RequestMethod.DELETE) */
// only GET, POST, PUT allowed
method = RequestMethod.POST)
@PreAuthorize("hasRole('ADMINISTRATOR')")
@ResponseBody
public void removeUser(@RequestParam("id") Long userId) throws UserException {
userService.removeUserById(userId);
}
@RequestMapping(value = "/get_widget")
@PreAuthorize("hasRole('ADMINISTRATOR')")
public String getWidget(Model model,@RequestParam(value = "clientId",required = false) String clientId) {
......