Merge branch '228-access-denied' into 'master'

Resolve "Access denied"

Closes #228

See merge request genesys-pgr/genesys-server!129

src/main/java/org/genesys2/server/servlet/controller/WiewsController.java

@@ -248,8 +248,9 @@ public class WiewsController extends BaseController {
 	@RequestMapping("/{wiewsCode}/update")
 	public String update(ModelMap model, @PathVariable(value = "wiewsCode") String wiewsCode, @RequestParam("blurp") String aboutBody,
 			@RequestParam(value = "summary", required = false) String summary, @RequestParam("gaTracker") String gaTracker, @RequestParam("mailto") String mailto,
-			@RequestParam("uniqueAcceNumbs") boolean uniqueAcceNumbs, @RequestParam(value = "allowMaterialRequests", required = false, defaultValue = "false") boolean allowMaterialRequests,
-			@RequestParam("codeSVGS") String codeSVGS) throws CRMException {
+			@RequestParam("uniqueAcceNumbs") boolean uniqueAcceNumbs,
+			@RequestParam(value = "allowMaterialRequests", required = false, defaultValue = "false") boolean allowMaterialRequests, @RequestParam("codeSVGS") String codeSVGS)
+			throws CRMException {
 
 		LOG.debug("Updating institite {}", wiewsCode);
 		final FaoInstitute faoInstitute = instituteService.getInstitute(wiewsCode);
@@ -270,15 +271,15 @@ public class WiewsController extends BaseController {
 	}
 
 	@RequestMapping("/{dateVal}/{wiewsCode}/last-updated")
-	public String viewDataByLastModifiedDate(ModelMap model, @PathVariable(value = "wiewsCode") String wiewsCode,
-											 @PathVariable(value = "dateVal") String dateVal,
-											 @RequestParam(value = "page", required = false, defaultValue = "1") int page) {
+	public String viewDataByLastModifiedDate(ModelMap model, @PathVariable(value = "wiewsCode") String wiewsCode, @PathVariable(value = "dateVal") String dateVal,
+			@RequestParam(value = "page", required = false, defaultValue = "1") int page) {
 		LOG.debug("Viewing last updated data for {}", dateVal);
 		final FaoInstitute faoInstitute = instituteService.getInstitute(wiewsCode);
 		if (faoInstitute == null) {
 			throw new ResourceNotFoundException();
 		}
-		model.addAttribute("filter", "{\"" + FilterConstants.LAST_MODIFIED_DATE + "\":[\"" + dateVal + "\"], \"" + FilterConstants.INSTCODE + "\":[\"" + faoInstitute.getCode() + "\"]}");
+		model.addAttribute("filter", "{\"" + FilterConstants.LAST_MODIFIED_DATE + "\":[\"" + dateVal + "\"], \"" + FilterConstants.INSTCODE + "\":[\"" + faoInstitute.getCode()
+				+ "\"]}");
 		model.addAttribute("page", page);
 		return "redirect:/explore";
 	}
@@ -472,130 +473,130 @@ public class WiewsController extends BaseController {
 		}
 	}
 
-	/*  File management  */
-
-    @GetMapping(value = "/{wiewsCode}/files/**")
-    public String listAllFiles(HttpServletRequest request, ModelMap model) throws UnsupportedEncodingException, InvalidRepositoryPathException {
-        String fullpath = (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
-        // The /** mapping does not decode the URL
-        fullpath = UriUtils.decode(fullpath, "UTF-8");
-
-        return listAllFiles(model, fullpath);
-    }
-
-    @GetMapping(value = "/{path}/files")
-    public String listAllFiles(ModelMap model, @PathVariable(value = "path") String path) throws InvalidRepositoryPathException {
-        final String repositoryPath = path.contains("/wiews/") ? path.replace("/files/", "/") : "/wiews/" + path;
-        String wiewsCode = path.replace("/wiews/", "");
-        wiewsCode = wiewsCode.contains("/") ? wiewsCode.substring(0, wiewsCode.indexOf("/")) : wiewsCode;
-
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
-
-        if (LOG.isDebugEnabled()) {
-            LOG.debug("Listing files for path={}", repositoryPath);
-        }
-
-        List<String> subPaths = new ArrayList<>();
-        for (String subPath: repositoryService.listPaths(repositoryPath, new PageRequest(0, 10))) {
-            if (!subPath.equals(repositoryPath) && subPath.contains(repositoryPath)) {
-                subPaths.add(subPath.substring(repositoryPath.length()));
-            }
-        }
-
-        model.addAttribute("fileList", repositoryService.getFiles(repositoryPath));
-        model.addAttribute("currentPath", repositoryPath);
-        model.addAttribute("subPaths", subPaths);
-        model.addAttribute("imageGallery", imageGalleryService.loadImageGallery(repositoryPath));
-        model.addAttribute("wiewsCode", wiewsCode);
-
-        return MANAGE_FILES_JSP_PATH + "/index";
-    }
-
-    @PostMapping(value = "/{wiewsCode}/upload-file")
-    public String uploadFile(@RequestParam MultipartFile file, @PathVariable String wiewsCode, @RequestParam String repositoryPath,
-                             RedirectAttributes redirectAttributes) throws IOException {
-
-        final String mimeType = file.getContentType();
-
-        try {
-            if (mimeType.startsWith("image")) {
-                repositoryService.addImage(repositoryPath, file.getOriginalFilename(), file.getContentType(), file.getBytes(), null);
-            } else {
-                repositoryService.addFile(repositoryPath, file.getOriginalFilename(), file.getContentType(), file.getBytes(), null);
-            }
-        } catch (InvalidRepositoryPathException e) {
-            LOG.error("Invalid repository path!", e);
-            redirectAttributes.addFlashAttribute("errorMessage", "Invalid repository path!");
-        } catch (InvalidRepositoryFileDataException e) {
-            LOG.error("Invalid file data!", e);
-            redirectAttributes.addFlashAttribute("errorMessage", "Invalid file data!");
-        }
-
-        if (repositoryPath.equals("/wiews/".concat(wiewsCode))) {
-            return "redirect:" + repositoryPath + "/files";
-        } else {
-            return "redirect:" + repositoryPath.replace("/wiews/".concat(wiewsCode).concat("/"), "/wiews/".concat(wiewsCode).concat("/files/"));
-        }
-    }
-
-    @PostMapping(value = "/{wiewsCode}/delete-file")
-    public String deleteFile(@RequestParam String uuid, @PathVariable String wiewsCode) throws NoSuchRepositoryFileException, IOException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
-
-        RepositoryFile repositoryFile = repositoryService.getFile(UUID.fromString(uuid));
-        repositoryService.removeFile(repositoryFile);
-
-        if (repositoryFile.getPath().equals("/wiews/".concat(wiewsCode))) {
-            return "redirect:" + repositoryFile.getPath() + "/files";
-        } else {
-            return "redirect:" + repositoryFile.getPath().replace("/wiews/".concat(wiewsCode).concat("/"), "/wiews/".concat(wiewsCode).concat("/files/"));
-        }
-    }
-
-    @GetMapping(value = "/{wiewsCode}/edit-file")
-    public String getEditPage(@RequestParam String uuid, @PathVariable(value = "wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
-
-        RepositoryFile file = repositoryService.getFile(UUID.fromString(uuid));
-        String fileSubPath = file.getPath().replace("/wiews/" + wiewsCode, "");
-        model.addAttribute("file", file);
-        model.addAttribute("wiewsCode", wiewsCode);
-        model.addAttribute("fileSubPath", fileSubPath);
-
-        return MANAGE_FILES_JSP_PATH + "/edit";
-    }
-
-    @PostMapping(value = "/{wiewsCode}/update-file")
-    public String updateMetadata(@ModelAttribute RepositoryFile fileData, @PathVariable(value = "wiewsCode") String wiewsCode) throws NoSuchRepositoryFileException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
-
-        RepositoryFile updatedFile = repositoryService.getFile(UUID.fromString(fileData.getUuid().toString()));
-        repositoryService.updateMetadata(updatedFile.getUuid(), fileData);
-        String fileSubPath = updatedFile.getPath().replace("/wiews/" + wiewsCode, "");
-
-        return "redirect:/wiews/" + wiewsCode + "/files" + fileSubPath;
-    }
-
-    /*  Image gallery management  */
+	/* File management */
+	@GetMapping(value = "/{wiewsCode}/files")
+	public String listInstituteFiles(@PathVariable("wiewsCode") String wiewsCode, HttpServletRequest request, ModelMap model) throws UnsupportedEncodingException,
+			InvalidRepositoryPathException {
+		return listAllFiles(wiewsCode, request, model);
+	}
+
+	@GetMapping(value = "/{wiewsCode}/files/**")
+	public String listAllFiles(@PathVariable("wiewsCode") String wiewsCode, HttpServletRequest request, ModelMap model) throws UnsupportedEncodingException,
+			InvalidRepositoryPathException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
+
+		String path = (String) request.getAttribute(HandlerMapping.PATH_WITHIN_HANDLER_MAPPING_ATTRIBUTE);
+		// The /** mapping does not decode the URL
+		path = UriUtils.decode(path, "UTF-8");
+		path = path.substring(path.indexOf("/files", 1) + 6);
+
+		final String repositoryPath = "/wiews/" + wiewsCode + path;
+
+		if (LOG.isDebugEnabled()) {
+			LOG.debug("Listing files in repo={} for path={}", repositoryPath, path);
+		}
+
+		List<String> subPaths = new ArrayList<>();
+		for (String subPath : repositoryService.listPaths(repositoryPath, new PageRequest(0, 10))) {
+			if (!subPath.equals(repositoryPath) && subPath.contains(repositoryPath)) {
+				subPaths.add(subPath.substring(repositoryPath.length()));
+			}
+		}
+
+		model.addAttribute("fileList", repositoryService.getFiles(repositoryPath));
+		model.addAttribute("currentPath", repositoryPath);
+		model.addAttribute("subPaths", subPaths);
+		model.addAttribute("imageGallery", imageGalleryService.loadImageGallery(repositoryPath));
+		model.addAttribute("wiewsCode", wiewsCode);
+
+		return MANAGE_FILES_JSP_PATH + "/index";
+	}
+
+	@PostMapping(value = "/{wiewsCode}/file/upload")
+	public String uploadFile(@RequestParam MultipartFile file, @PathVariable String wiewsCode, @RequestParam String repositoryPath, RedirectAttributes redirectAttributes)
+			throws IOException {
+
+		final String mimeType = file.getContentType();
+
+		try {
+			if (mimeType.startsWith("image")) {
+				repositoryService.addImage(repositoryPath, file.getOriginalFilename(), file.getContentType(), file.getBytes(), null);
+			} else {
+				repositoryService.addFile(repositoryPath, file.getOriginalFilename(), file.getContentType(), file.getBytes(), null);
+			}
+		} catch (InvalidRepositoryPathException e) {
+			LOG.error("Invalid repository path!", e);
+			redirectAttributes.addFlashAttribute("errorMessage", "Invalid repository path!");
+		} catch (InvalidRepositoryFileDataException e) {
+			LOG.error("Invalid file data!", e);
+			redirectAttributes.addFlashAttribute("errorMessage", "Invalid file data!");
+		}
+
+		if (repositoryPath.equals("/wiews/".concat(wiewsCode))) {
+			return "redirect:" + repositoryPath + "/files";
+		} else {
+			return "redirect:" + repositoryPath.replace("/wiews/".concat(wiewsCode).concat("/"), "/wiews/".concat(wiewsCode).concat("/files/"));
+		}
+	}
+
+	@PostMapping(value = "/{wiewsCode}/file/delete")
+	public String deleteInstituteFile(@RequestParam String uuid, @PathVariable String wiewsCode) throws NoSuchRepositoryFileException, IOException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
+
+		RepositoryFile repositoryFile = repositoryService.getFile(UUID.fromString(uuid));
+		repositoryService.removeFile(repositoryFile);
+
+		if (repositoryFile.getPath().equals("/wiews/".concat(wiewsCode))) {
+			return "redirect:" + repositoryFile.getPath() + "/files";
+		} else {
+			return "redirect:" + repositoryFile.getPath().replace("/wiews/".concat(wiewsCode).concat("/"), "/wiews/".concat(wiewsCode).concat("/files/"));
+		}
+	}
+
+	@GetMapping(value = "/{wiewsCode}/file/edit")
+	public String editInstituteFile(@RequestParam String uuid, @PathVariable(value = "wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
+
+		RepositoryFile file = repositoryService.getFile(UUID.fromString(uuid));
+		String fileSubPath = file.getPath().replace("/wiews/" + wiewsCode, "");
+		model.addAttribute("file", file);
+		model.addAttribute("wiewsCode", wiewsCode);
+		model.addAttribute("fileSubPath", fileSubPath);
+
+		return MANAGE_FILES_JSP_PATH + "/edit";
+	}
+
+	@PostMapping(value = "/{wiewsCode}/file/update")
+	public String updateMetadata(@ModelAttribute RepositoryFile fileData, @PathVariable(value = "wiewsCode") String wiewsCode) throws NoSuchRepositoryFileException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
+
+		RepositoryFile updatedFile = repositoryService.getFile(UUID.fromString(fileData.getUuid().toString()));
+		repositoryService.updateMetadata(updatedFile.getUuid(), fileData);
+		String fileSubPath = updatedFile.getPath().replace("/wiews/" + wiewsCode, "");
+
+		return "redirect:/wiews/" + wiewsCode + "/files" + fileSubPath;
+	}
+
+	/* Image gallery management */
 
 	@GetMapping(value = "/{wiewsCode}/files/gallery")
-	public String listAllFiles(ModelMap model, @PathVariable("wiewsCode") String wiewsCode, HttpServletRequest request) {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String listInstituteGalleries(ModelMap model, @PathVariable("wiewsCode") String wiewsCode, HttpServletRequest request) {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
-        return "redirect:/wiews/" + wiewsCode + "/files" + "/gallery" + "/1";
+		return "redirect:/wiews/" + wiewsCode + "/files" + "/gallery" + "/1";
 	}
 
 	@GetMapping(value = "/{wiewsCode}/files/gallery/{page:\\d+}")
-	public String listAllFiles(ModelMap model, @PathVariable("page") int page, @PathVariable("wiewsCode") String wiewsCode) {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String listInstituteGallery(ModelMap model, @PathVariable("page") int page, @PathVariable("wiewsCode") String wiewsCode) {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
-        Page<ImageGallery> pagedData = imageGalleryService.listImageGalleries("/wiews/" + wiewsCode, new PageRequest(page - 1, 50, new Sort("path")));
+		Page<ImageGallery> pagedData = imageGalleryService.listImageGalleries("/wiews/" + wiewsCode, new PageRequest(page - 1, 50, new Sort("path")));
 		model.addAttribute("pagedData", pagedData);
 		model.addAttribute("wiewsCode", wiewsCode);
 
@@ -603,11 +604,11 @@ public class WiewsController extends BaseController {
 	}
 
 	@GetMapping(value = "/{wiewsCode}/files/gallery/details")
-	public String listAllFiles(ModelMap model, HttpServletRequest request, @PathVariable("wiewsCode") String wiewsCode, @RequestParam String galleryPath) {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String viewInstituteGallery(ModelMap model, HttpServletRequest request, @PathVariable("wiewsCode") String wiewsCode, @RequestParam String galleryPath) {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
-        ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
+		ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
 
 		if (imageGallery == null) {
 			throw new ResourceNotFoundException("No image gallery here!");
@@ -622,11 +623,11 @@ public class WiewsController extends BaseController {
 	}
 
 	@GetMapping(value = "/{wiewsCode}/files/gallery/edit")
-	public String getEditGalleryPage(@RequestParam String galleryPath, @PathVariable("wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String editInstituteGallery(@RequestParam String galleryPath, @PathVariable("wiewsCode") String wiewsCode, ModelMap model) throws NoSuchRepositoryFileException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
-        ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
+		ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
 		if (imageGallery == null) {
 			imageGallery = new ImageGallery();
 			imageGallery.setPath(galleryPath);
@@ -638,11 +639,12 @@ public class WiewsController extends BaseController {
 	}
 
 	@PostMapping(value = "{wiewsCode}/files/gallery/update")
-	public String updateMetadata(@PathVariable("wiewsCode") String wiewsCode, @ModelAttribute ImageGallery imageGallery, RedirectAttributes redirectAttributes) throws NoSuchRepositoryFileException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String updateGallery(@PathVariable("wiewsCode") String wiewsCode, @ModelAttribute ImageGallery imageGallery, RedirectAttributes redirectAttributes)
+			throws NoSuchRepositoryFileException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
-        ImageGallery updatedGallery = imageGalleryService.loadImageGallery(imageGallery.getPath());
+		ImageGallery updatedGallery = imageGalleryService.loadImageGallery(imageGallery.getPath());
 		if (updatedGallery == null) {
 			imageGalleryService.createImageGallery(imageGallery.getPath(), imageGallery.getTitle(), imageGallery.getDescription());
 		} else {
@@ -654,9 +656,10 @@ public class WiewsController extends BaseController {
 	}
 
 	@PostMapping(value = "{wiewsCode}/files/gallery/delete")
-	public String deleteFile(@RequestParam String galleryPath, RedirectAttributes redirectAttributes, @PathVariable("wiewsCode") String wiewsCode) throws InvalidRepositoryPathException {
-        //check user permissions
-        instituteService.getInstituteForEdit(wiewsCode);
+	public String deleteGalleryFile(@RequestParam String galleryPath, RedirectAttributes redirectAttributes, @PathVariable("wiewsCode") String wiewsCode)
+			throws InvalidRepositoryPathException {
+		// check user permissions
+		instituteService.getInstituteForEdit(wiewsCode);
 
 		ImageGallery imageGallery = imageGalleryService.loadImageGallery(galleryPath);
 		imageGalleryService.removeGallery(imageGallery);
@@ -665,7 +668,7 @@ public class WiewsController extends BaseController {
 		return "redirect:/wiews/" + wiewsCode + "/files/gallery";
 	}
 
-	@RequestMapping(value = "{wiewsCode}/files/download/metadata")
+	@PostMapping(value = "{wiewsCode}/files/metadata/download")
 	@Transactional(readOnly = true)
 	public void downloadMetadata(@PathVariable("wiewsCode") String wiewsCode, HttpServletResponse response) throws IOException {
 		// check user permissions
@@ -680,7 +683,7 @@ public class WiewsController extends BaseController {
 		filesMetadataInfo.downloadMetadata(files, response, '\t', '"', '\\', "\n", "UTF-16LE");
 	}
 
-	@PostMapping(value = "/{wiewsCode}/files/upload/metadata")
+	@PostMapping(value = "/{wiewsCode}/files/metadata/upload")
 	public String uploadMetadata(@RequestParam MultipartFile file, @PathVariable("wiewsCode") String wiewsCode) throws IOException {
 		instituteService.getInstituteForEdit(wiewsCode);
 

src/main/webapp/WEB-INF/jsp/wiews/files/edit.jsp

@@ -12,7 +12,7 @@
     <spring:message code="cancel"/>
 </a>
 
-<form action="<c:url value="/wiews/${wiewsCode}/update-file" />" method="post">
+<form action="<c:url value="/wiews/${wiewsCode}/file/update" />" method="post">
 
     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
     <input type="hidden" name="uuid" value="${file.uuid}"/>

src/main/webapp/WEB-INF/jsp/wiews/files/index.jsp

@@ -63,8 +63,8 @@
                 <c:out	value="${file.path}" />
             </td>
             <td class="col-md-4 col-xs-5 text-right">
-                <form action="<c:url value="/wiews/${wiewsCode}/delete-file" />" method="post">
-                    <a href="<c:url value="/wiews/${wiewsCode}/edit-file"><c:param name="uuid" value="${file.uuid}" /></c:url>"
+                <form action="<c:url value="/wiews/${wiewsCode}/file/delete" />" method="post">
+                    <a href="<c:url value="/wiews/${wiewsCode}/file/edit"><c:param name="uuid" value="${file.uuid}" /></c:url>"
                        class="btn btn-default"><spring:message code="edit" />
                     </a>
                     <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
@@ -83,7 +83,7 @@
 
 <div class="row">
     <div class="col-xs-6">
-        <form action="<c:url value='/wiews/${wiewsCode}/upload-file' />" method="post" enctype="multipart/form-data" class="">
+        <form action="<c:url value='/wiews/${wiewsCode}/file/upload'><c:param name='${_csrf.parameterName}' value='${_csrf.token}' /></c:url>" method="post" enctype="multipart/form-data" class="">
             <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
             <input type="hidden" name="repositoryPath" value="${currentPath}"/>
             <div class="form-group">
@@ -96,7 +96,7 @@
         </form>
     </div>
     <div class="col-xs-6">
-        <form action="<c:url value='/wiews/${wiewsCode}/files/upload/metadata' />" method="post" enctype="multipart/form-data" class="">
+        <form action="<c:url value='/wiews/${wiewsCode}/files/metadata/upload'><c:param name='${_csrf.parameterName}' value='${_csrf.token}' /></c:url>" method="post" enctype="multipart/form-data" class="">
             <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
             <div class="form-group">
                 <input type="file" name="file" class="upload-file-metadata"/>
@@ -107,7 +107,7 @@
             <button type="submit" class="btn btn-primary upload-btn-metadata"><spring:message code="file.upload.metadata"/></button>
         </form>
 
-        <form style="margin-top: 5px;" method="post" action="<c:url value='/wiews/${wiewsCode}/files/download/metadata' />" class="">
+        <form style="margin-top: 5px;" method="post" action="<c:url value='/wiews/${wiewsCode}/files/metadata/download' />" class="">
             <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
             <button type="submit" class="btn btn-primary"><spring:message code="file.download-metadata"/></button>
         </form>