Commits

Tim Olsen committed f93a345

Copied From CVS HEAD
Security fix: Prevent any user from being able to modify the xdat: namespaced data. Only admins should be able to modify these.
BUGZID:1161

  • Participants
  • Parent commits 29607e3

Comments (0)

Files changed (2)

File org/nrg/xdat/turbine/modules/actions/XMLUpload.java

                 if(!handler.assertValid()){
                 	throw handler.getErrors().get(0);
                 }
-                
+
                 //Document doc = XMLUtils.GetDOM(fi.getInputStream());
                 //item = XMLReader.TranslateDomToItem(doc,TurbineUtils.getUser(data));
                 SAXReader reader = new SAXReader(TurbineUtils.getUser(data));
                 if (XFT.VERBOSE)
                     System.out.println("Loaded XML Item:" + item.getProperName());
                 logger.info("Loaded XML Item:" + item.getProperName());
-                
+
                 ValidationResults vr = XFTValidator.Validate(item);
                 if (vr.isValid())
                 {
                     if (XFT.VERBOSE)
                         System.out.println("Validation: PASSED");
                     logger.info("Validation: PASSED");
-                	
+
                 	boolean q;
                 	boolean override;
                 	q = item.getGenericSchemaElement().isQuarantine();
                 	override = false;
-                	   
+
                 	if (allowDeletion.equalsIgnoreCase("true"))
                 	{
                     	SaveItemHelper.Save(item,TurbineUtils.getUser(data),false,q,override,true);
                 	}else{
                     	SaveItemHelper.Save(item,TurbineUtils.getUser(data),false,q,override,false);
                 	}
-                	
+
                 	if(XFT.VERBOSE)System.out.println("Item Successfully Stored.");
-                    logger.info("Item Successfully Stored.");	
-                    
+                    logger.info("Item Successfully Stored.");
+
                     DisplayItemAction dia = new DisplayItemAction();
                 	data = TurbineUtils.SetSearchProperties(data,item);
                 	dia.doPerform(data,context);
-                	
+
                 	postProcessing(item,data,context);
-                	
+
                 	return;
                 }else
                 {
 				    logger.error("",e);
                     data.setScreenTemplate("Error.vm");
                     String message = "Permissions Exception.<BR><BR>" + e.getMessage();
-                    SchemaElement se = SchemaElement.GetElement(item.getXSIType());
-                    message += "<BR><BR>Please review the security field (" + se.getElementSecurity().getSecurityFields() + ") for this data type.";
-                    message += " Verify that the data reflects a currently stored value and the user has relevant permissions for this data.";
+                    final SchemaElement se = SchemaElement.GetElement(item.getXSIType());
+                    final ElementSecurity es=se.getElementSecurity();
+                    if(es!=null && es.getSecurityFields()!=null){
+                    	message += "<BR><BR>Please review the security field (" + se.getElementSecurity().getSecurityFields() + ") for this data type.";
+                    	message += " Verify that the data reflects a currently stored value and the user has relevant permissions for this data.";
+                    }
                     data.setMessage(message);
 				}else{
 	                logger.error("",e);
             }
         }
     }
+
     public void postProcessing(XFTItem item,RunData data, Context context) throws Exception{
         SchemaElementI se = SchemaElement.GetElement(item.getXSIType());
         if (se.getGenericXFTElement().getType().getLocalPrefix().equalsIgnoreCase("xdat"))

File org/nrg/xft/utils/SaveItemHelper.java

 
 import org.apache.log4j.Logger;
 import org.nrg.xdat.base.BaseElement;
+import org.nrg.xdat.security.XDATUser;
 import org.nrg.xft.ItemI;
-import org.nrg.xft.ItemWrapper;
+import org.nrg.xft.XFT;
 import org.nrg.xft.XFTItem;
+import org.nrg.xft.exception.InvalidPermissionException;
 import org.nrg.xft.security.UserI;
 
 public class SaveItemHelper {
 	public static SaveItemHelper getInstance(){
 		return new SaveItemHelper();
 	}
-	
+
 	protected void save(ItemI i,UserI user, boolean overrideSecurity, boolean quarantine, boolean overrideQuarantine, boolean allowItemRemoval) throws Exception {
 		if(i==null){
 			throw new NullPointerException();
 		}
-		
+
+		if(i.getItem().getGenericSchemaElement().getType().getForeignPrefix().equals(XFT.PREFIX)){
+        	if (!((XDATUser)user).checkRole("Administrator"))
+            {
+        		throw new InvalidPermissionException("Only site administrators can store core documents.");
+            }
+        }
+
 		if(i instanceof XFTItem){
 			ItemI temp=BaseElement.GetGeneratedItem(i);
 			temp.save(user, overrideSecurity, quarantine, overrideQuarantine, allowItemRemoval);
 			i.save(user,overrideSecurity,quarantine,overrideQuarantine,allowItemRemoval);
 		}
 	}
-	
+
 	protected void save(ItemI i,UserI user, boolean overrideSecurity, boolean allowItemRemoval) throws Exception {
 		if(i==null){
 			throw new NullPointerException();
 		}
-		
+
+		if(i.getItem().getGenericSchemaElement().getType().getForeignPrefix().equals(XFT.PREFIX)){
+        	if (!((XDATUser)user).checkRole("Administrator"))
+            {
+        		throw new InvalidPermissionException("Only site administrators can store core documents.");
+            }
+        }
+
 		if(i instanceof XFTItem){
 			ItemI temp=BaseElement.GetGeneratedItem(i);
 			temp.save(user, overrideSecurity, allowItemRemoval);
 			i.save(user,overrideSecurity,allowItemRemoval);
 		}
 	}
-	
+
 	public static void Save(ItemI i,UserI user, boolean overrideSecurity, boolean quarantine, boolean overrideQuarantine, boolean allowItemRemoval) throws Exception {
 		getInstance().save(i, user, overrideSecurity, quarantine, overrideQuarantine, allowItemRemoval);
 	}
-	
+
 	public static void Save(ItemI i,UserI user, boolean overrideSecurity, boolean allowItemRemoval) throws Exception {
 		getInstance().save(i, user, overrideSecurity, allowItemRemoval);
 	}