Search in sources :

Example 1 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class UserManagementController method displayDeleteUserAuditsPage.

/**
     * @param userId
     * @param request
     * @param response
     * @param model
     * @return
     */
@RequestMapping(value = TgolKeyStore.DELETE_USER_AUDITS_URL, method = RequestMethod.GET)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String displayDeleteUserAuditsPage(@RequestParam(TgolKeyStore.USER_ID_KEY) String userId, HttpServletRequest request, HttpServletResponse response, Model model) {
    Long lUserId;
    try {
        lUserId = Long.valueOf(userId);
    } catch (NumberFormatException nfe) {
        throw new ForbiddenUserException();
    }
    User userToDelete = getUserDataService().read(lUserId);
    model.addAttribute(TgolKeyStore.USER_NAME_TO_DELETE_KEY, userToDelete.getEmail1());
    request.getSession().setAttribute(TgolKeyStore.USER_ID_TO_DELETE_KEY, userToDelete.getId());
    return TgolKeyStore.DELETE_AUDITS_VIEW_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Secured(org.springframework.security.access.annotation.Secured)

Example 2 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class UserManagementController method displayDeleteUserPage.

/**
     * @param userId
     * @param request
     * @param response
     * @param model
     * @return The pages audit set-up form page
     */
@RequestMapping(value = TgolKeyStore.DELETE_USER_URL, method = RequestMethod.GET)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String displayDeleteUserPage(@RequestParam(TgolKeyStore.USER_ID_KEY) String userId, HttpServletRequest request, HttpServletResponse response, Model model) {
    Long lUserId;
    try {
        lUserId = Long.valueOf(userId);
    } catch (NumberFormatException nfe) {
        throw new ForbiddenUserException();
    }
    User userToDelete = getUserDataService().read(lUserId);
    if (userToDelete == null || getCurrentUser().getId().equals(userToDelete.getId())) {
        return TgolKeyStore.ACCESS_DENIED_VIEW_NAME;
    }
    model.addAttribute(TgolKeyStore.USER_NAME_TO_DELETE_KEY, userToDelete.getEmail1());
    request.getSession().setAttribute(TgolKeyStore.USER_ID_TO_DELETE_KEY, userToDelete.getId());
    return TgolKeyStore.DELETE_USER_VIEW_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Secured(org.springframework.security.access.annotation.Secured)

Example 3 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class UserManagementController method displayDeleteUserConfirmation.

/**
     * @param request
     * @param response
     * @param model
     * @return The pages audit set-up form page
     */
@RequestMapping(value = TgolKeyStore.DELETE_USER_URL, method = RequestMethod.POST)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String displayDeleteUserConfirmation(HttpServletRequest request, HttpServletResponse response, Model model) {
    Object userId = request.getSession().getAttribute(TgolKeyStore.USER_ID_TO_DELETE_KEY);
    Long lUserId;
    if (userId instanceof Long) {
        lUserId = (Long) userId;
    } else {
        try {
            lUserId = Long.valueOf(userId.toString());
        } catch (NumberFormatException nfe) {
            throw new ForbiddenUserException();
        }
    }
    User user = getCurrentUser();
    User userToDelete = getUserDataService().read(lUserId);
    if (userToDelete == null || user.getId().equals(userToDelete.getId())) {
        return TgolKeyStore.ACCESS_DENIED_VIEW_NAME;
    }
    for (Contract contract : userToDelete.getContractSet()) {
        deleteAllAuditsFromContract(contract);
    }
    getUserDataService().delete(userToDelete.getId());
    request.getSession().removeAttribute(TgolKeyStore.USER_ID_TO_DELETE_KEY);
    request.getSession().setAttribute(TgolKeyStore.DELETED_USER_NAME_KEY, userToDelete.getEmail1());
    return TgolKeyStore.ADMIN_VIEW_REDIRECT_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Contract(org.asqatasun.webapp.entity.contract.Contract) Secured(org.springframework.security.access.annotation.Secured)

Example 4 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class ForgottenOrChangePasswordController method displayChangePasswordView.

/**
     * 
     * @param email
     * @param token
     * @param model
     * @param request
     * @return 
     */
private String displayChangePasswordView(String id, String token, Model model, HttpServletRequest request) {
    Long userId;
    try {
        userId = Long.valueOf(id);
    } catch (NumberFormatException nfe) {
        throw new ForbiddenUserException();
    }
    if (StringUtils.isBlank(token)) {
        return TgolKeyStore.ACCESS_DENIED_VIEW_REDIRECT_NAME;
    }
    User currentUser = getCurrentUser();
    User user;
    // an admin
    if (token.equalsIgnoreCase(TgolKeyStore.AUTHENTICATED_KEY)) {
        if (currentUser == null || (!currentUser.getId().equals(userId) && !currentUser.getRole().getRoleName().equals(TgolKeyStore.ROLE_ADMIN_NAME_KEY)) || forbiddenUserList.contains(currentUser.getEmail1())) {
            return TgolKeyStore.ACCESS_DENIED_VIEW_REDIRECT_NAME;
        } else {
            if (!currentUser.getId().equals(userId)) {
                user = getUserDataService().read(userId);
            } else {
                user = currentUser;
            }
        }
    // the request is submitted through an unauthentified user and the token
    // has to be checked.
    } else {
        user = getUserDataService().read(userId);
        try {
            // if the token is invalid
            if (!tokenManager.checkUserToken(user.getEmail1(), token)) {
                model.addAttribute(TgolKeyStore.INVALID_CHANGE_PASSWORD_URL_KEY, true);
                return TgolKeyStore.CHANGE_PASSWORD_VIEW_NAME;
            } else {
                // if the token is valid but the request comes from the 
                // form submission with success
                Object passwordModified = model.asMap().get(TgolKeyStore.PASSWORD_MODIFIED_KEY);
                if (passwordModified instanceof Boolean && (Boolean) passwordModified) {
                    tokenManager.setTokenUsed(token);
                    return TgolKeyStore.CHANGE_PASSWORD_VIEW_NAME;
                }
            }
        } catch (ArrayIndexOutOfBoundsException aioobe) {
            model.addAttribute(TgolKeyStore.INVALID_CHANGE_PASSWORD_URL_KEY, true);
            return TgolKeyStore.CHANGE_PASSWORD_VIEW_NAME;
        }
    }
    if (user == null) {
        return TgolKeyStore.ACCESS_DENIED_VIEW_REDIRECT_NAME;
    }
    ChangePasswordCommand cpc = new ChangePasswordCommand();
    model.addAttribute(TgolKeyStore.CHANGE_PASSWORD_COMMAND_KEY, cpc);
    model.addAttribute(TgolKeyStore.USER_NAME_KEY, user.getEmail1());
    request.getSession().setAttribute(TgolKeyStore.USER_ID_KEY, user.getId());
    return TgolKeyStore.CHANGE_PASSWORD_VIEW_NAME;
}
Also used : ChangePasswordCommand(org.asqatasun.webapp.command.ChangePasswordCommand) User(org.asqatasun.webapp.entity.user.User) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException)

Example 5 with ForbiddenUserException

use of org.asqatasun.webapp.exception.ForbiddenUserException in project Asqatasun by Asqatasun.

the class ContractManagementController method submitAddContractAdminPage.

/**
     * @param createContractCommand
     * @param result
     * @param request
     * @param response
     * @param model
     * @return The pages audit set-up form page
     */
@RequestMapping(value = TgolKeyStore.ADD_CONTRACT_FROM_CONTRACT_MNGT_URL, method = RequestMethod.POST)
@Secured(TgolKeyStore.ROLE_ADMIN_KEY)
public String submitAddContractAdminPage(@ModelAttribute(TgolKeyStore.CREATE_CONTRACT_COMMAND_KEY) CreateContractCommand createContractCommand, BindingResult result, HttpServletRequest request, HttpServletResponse response, Model model) {
    Object userId = request.getSession().getAttribute(TgolKeyStore.USER_ID_KEY);
    Long lUserId;
    if (userId instanceof Long) {
        lUserId = (Long) userId;
    } else {
        try {
            lUserId = Long.valueOf(userId.toString());
        } catch (NumberFormatException nfe) {
            throw new ForbiddenUserException();
        }
    }
    Map<String, List<ContractOptionFormField>> optionFormFieldMap = ContractOptionFormFieldHelper.getFreshContractOptionFormFieldMap(getContractOptionFormFieldBuilderMap());
    getCreateContractFormValidator().setContractOptionFormFieldMap(optionFormFieldMap);
    // We check whether the form is valid
    getCreateContractFormValidator().validate(createContractCommand, result);
    // If the form has some errors, we display it again with errors' details
    User currentModifiedUser = getUserDataService().read(lUserId);
    if (result.hasErrors()) {
        return displayFormWithErrors(model, createContractCommand, currentModifiedUser.getEmail1(), lUserId, optionFormFieldMap, TgolKeyStore.EDIT_CONTRACT_VIEW_NAME);
    }
    Contract contract = getContractDataService().create();
    contract.setUser(currentModifiedUser);
    contract = CreateContractCommandFactory.getInstance().updateContractFromCommand(createContractCommand, contract);
    saveOrUpdateContract(contract);
    request.getSession().setAttribute(TgolKeyStore.ADDED_CONTRACT_NAME_KEY, contract.getLabel());
    model.addAttribute(TgolKeyStore.USER_ID_KEY, contract.getUser().getId());
    request.getSession().removeAttribute(TgolKeyStore.USER_ID_KEY);
    return TgolKeyStore.MANAGE_CONTRACTS_VIEW_REDIRECT_NAME;
}
Also used : User(org.asqatasun.webapp.entity.user.User) List(java.util.List) ForbiddenUserException(org.asqatasun.webapp.exception.ForbiddenUserException) Contract(org.asqatasun.webapp.entity.contract.Contract) Secured(org.springframework.security.access.annotation.Secured) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Aggregations

ForbiddenUserException (org.asqatasun.webapp.exception.ForbiddenUserException)29 Secured (org.springframework.security.access.annotation.Secured)20 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)16 Contract (org.asqatasun.webapp.entity.contract.Contract)15 User (org.asqatasun.webapp.entity.user.User)12 ForbiddenPageException (org.asqatasun.webapp.exception.ForbiddenPageException)8 Audit (org.asqatasun.entity.audit.Audit)6 WebResource (org.asqatasun.entity.subject.WebResource)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)3 Site (org.asqatasun.entity.subject.Site)3 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)3 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)3 ExtendedModelMap (org.springframework.ui.ExtendedModelMap)3 Model (org.springframework.ui.Model)3 List (java.util.List)2 SSP (org.asqatasun.entity.audit.SSP)1 Criterion (org.asqatasun.entity.reference.Criterion)1 Test (org.asqatasun.entity.reference.Test)1 Page (org.asqatasun.entity.subject.Page)1 ChangePasswordCommand (org.asqatasun.webapp.command.ChangePasswordCommand)1