Commit 828f1093 authored by Jörg Richter's avatar Jörg Richter

Fix: send add-to-map messages to authorized parties only (#384)

parent 6671936d
......@@ -39,6 +39,9 @@ class WebSocketConnectionImpl implements WebSocketConnection, WebSocket, WebSock
// ----------------------------------------------------------------------------------------------------- Constructor
/**
* @param session not null
*/
WebSocketConnectionImpl(String pluginUri, String clientId, HttpSession session, WebSocketConnectionPool pool,
CoreService dmx) {
this.pluginUri = pluginUri;
......@@ -59,6 +62,11 @@ class WebSocketConnectionImpl implements WebSocketConnection, WebSocket, WebSock
return clientId;
}
@Override
public String getUsername() {
return username(session);
}
// *** WebSocket ***
@Override
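Review bot: getUsername() resolves the name from the HttpSession captured at connect time, and the new Javadoc only promises the session is non-null, not that it is still valid. If `username(session)` (defined outside this hunk) reads a session attribute, a session invalidated after logout while the socket stays open would throw IllegalStateException out of the authorization predicate that now calls getUsername(), aborting the whole fan-out instead of treating that one connection as anonymous. Consider guarding the delegate so it honours the interface contract of null for "not logged in": `try { return username(session); } catch (IllegalStateException e) { return null; }`. The enclosing class continues outside the hunk, so how username() behaves on an invalidated session should be confirmed there.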
......@@ -28,7 +28,7 @@ class WebSocketConnectionPool {
WebSocketConnectionImpl getConnection(String clientId) {
WebSocketConnectionImpl connection = pool.get(clientId);
if (connection == null) {
logger.warning("No open WebSocket connection for client ID " + clientId);
logger.warning("No WebSocket connection open for client ID " + clientId);
}
return connection;
}
......@@ -5,4 +5,9 @@ package systems.dmx.core.service.websocket;
public interface WebSocketConnection {
String getClientId();
/**
* @return the username associated with this WebSocket connection, or null if no one is associated (= not logged in).
*/
String getUsername();
}
......@@ -4,6 +4,7 @@ import systems.dmx.core.Topic;
import systems.dmx.core.model.topicmaps.ViewAssoc;
import systems.dmx.core.model.topicmaps.ViewTopic;
import systems.dmx.core.service.CoreService;
import systems.dmx.core.service.accesscontrol.Operation;
import org.codehaus.jettison.json.JSONObject;
......@@ -34,6 +35,7 @@ class Messenger {
void newTopicmap(Topic topicmapTopic) {
try {
// FIXME: per connection check read access
sendToAllButOrigin(new JSONObject()
.put("type", "newTopicmap")
.put("args", new JSONObject()
......@@ -48,12 +50,12 @@ class Messenger {
void addTopicToTopicmap(long topicmapId, ViewTopic topic) {
try {
// FIXME: per connection check read access
sendToAllButOrigin(new JSONObject()
sendToAuthorized(new JSONObject()
.put("type", "addTopicToTopicmap")
.put("args", new JSONObject()
.put("topicmapId", topicmapId)
.put("viewTopic", topic.toJSON())
)
), topic.getId()
);
} catch (Exception e) {
logger.log(Level.WARNING, "Error while sending a \"addTopicToTopicmap\" message:", e);
......@@ -63,12 +65,12 @@ class Messenger {
void addAssocToTopicmap(long topicmapId, ViewAssoc assoc) {
try {
// FIXME: per connection check read access
sendToAllButOrigin(new JSONObject()
sendToAuthorized(new JSONObject()
.put("type", "addAssocToTopicmap")
.put("args", new JSONObject()
.put("topicmapId", topicmapId)
.put("viewAssoc", assoc.toJSON())
)
), assoc.getId()
);
} catch (Exception e) {
logger.log(Level.WARNING, "Error while sending a \"addAssocToTopicmap\" message:", e);
......@@ -128,4 +130,12 @@ class Messenger {
private void sendToAllButOrigin(JSONObject message) {
dmx.getWebSocketService().sendToAllButOrigin(message.toString());
}
private void sendToAuthorized(JSONObject message, long objectId) {
dmx.getWebSocketService().sendToSome(message.toString(), conn -> {
boolean isReadable = dmx.getPrivilegedAccess().hasPermission(conn.getUsername(), Operation.READ, objectId);
logger.info(conn.getClientId() + " " + conn.getUsername() + " -> " + isReadable);
return isReadable;
});
}
}
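Review bot: sendToAuthorized checks READ on the topic or association only, but the message it gates also carries `topicmapId`, so a user who may read the object but not the topicmap still learns that it was placed on that map; the filter should require both, e.g. `private void sendToAuthorized(JSONObject message, long topicmapId, long objectId)` with `boolean isReadable = pa.hasPermission(u, Operation.READ, topicmapId) && pa.hasPermission(u, Operation.READ, objectId);` and the two call sites passing `topicmapId` alongside `topic.getId()` / `assoc.getId()`. The `logger.info` line fires once per open connection per message and writes client ID, username and the decision to the log; that is debug-level detail and puts usernames into the log stream, so it should be `logger.fine` or removed. The `// FIXME: per connection check read access` comments left above the sendToAuthorized calls are now stale and should be dropped. The interface documents getUsername() as null when nobody is logged in, and that null reaches hasPermission unchanged; whether it is treated as anonymous rather than rejected or thrown cannot be seen here and should be confirmed.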