use of run.halo.app.exception.ForbiddenException in project halo by ruibaby.
the class AbstractAuthenticationFilter method isSufficientOneTimeToken.
/**
 * Checks whether the request carries a one-time token that is bound to its own URI.
 *
 * <p>The token is read from the query parameter / header named by
 * {@code ONE_TIME_TOKEN_QUERY_NAME} / {@code ONE_TIME_TOKEN_HEADER_NAME}, looked up in
 * {@code oneTimeTokenService}, compared against the request URI by exact string equality
 * and, once accepted, revoked so that it cannot be replayed. A token that does not match
 * the request URI is left untouched.
 *
 * <p>NOTE(review): {@code getRequestURI()} yields the raw, context-path-prefixed URI; the
 * stored URI has to be produced the same way for the equality check to hold — confirm.
 *
 * @param request http servlet request
 * @return true if a matching one-time token was present and has now been consumed;
 *     false if no token was supplied at all
 * @throws BadRequestException if the token is unknown or expired
 * @throws ForbiddenException if the token is bound to a different request URI
 */
private boolean isSufficientOneTimeToken(HttpServletRequest request) {
    final String token = getTokenFromRequest(request, ONE_TIME_TOKEN_QUERY_NAME, ONE_TIME_TOKEN_HEADER_NAME);
    // No token at all: not sufficient, leave the decision to the other checks.
    if (StringUtils.isBlank(token)) {
        return false;
    }
    final String boundUri = oneTimeTokenService.get(token)
        .orElseThrow(() -> new BadRequestException("The one-time token does not exist or has been expired").setErrorData(token));
    final String requestedUri = request.getRequestURI();
    // TODO using ant path matcher could be better
    if (!StringUtils.equals(requestedUri, boundUri)) {
        throw new ForbiddenException("The one-time token does not correspond the request uri").setErrorData(token);
    }
    // Consume the token so a second request cannot reuse it.
    oneTimeTokenService.revoke(token);
    return true;
}
use of run.halo.app.exception.ForbiddenException in project halo by ruibaby.
the class PostCommentServiceImpl method validateCommentBlackListStatus.
/**
 * Rejects the current request if its client IP is currently banned for commenting too
 * frequently.
 *
 * <p>The ban status comes from {@code commentBlackListService}; the number of minutes quoted
 * in the error message is the {@code COMMENT_BAN_TIME} option, defaulting to 10.
 * NOTE(review): the ban is keyed on {@code ServletUtils.getRequestIp()} — if that value is
 * derived from client-supplied forwarding headers, the bucket is attacker-chosen; confirm.
 *
 * @throws ForbiddenException if the client IP is banned with status {@code FREQUENTLY}
 */
@Override
public void validateCommentBlackListStatus() {
    final String clientIp = ServletUtils.getRequestIp();
    final CommentViolationTypeEnum status = commentBlackListService.commentsBanStatus(clientIp);
    final Integer banMinutes = optionService.getByPropertyOrDefault(CommentProperties.COMMENT_BAN_TIME, Integer.class, 10);
    if (CommentViolationTypeEnum.FREQUENTLY != status) {
        return;
    }
    throw new ForbiddenException(String.format("您的评论过于频繁,请%s分钟之后再试。", banMinutes));
}
use of run.halo.app.exception.ForbiddenException in project halo by ruibaby.
the class FileUtils method checkDirectoryTraversal.
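/**
 * Checks directory traversal vulnerability.
 *
 * <p>Both paths are normalized first ("." and ".." segments collapsed) and compared
 * element-wise with {@link Path#startsWith(Path)}, so a sibling such as
 * {@code /data/upload-other} is not mistaken for a child of {@code /data/upload}. Symbolic
 * links are not resolved here; callers that need that must compare real paths themselves.
 *
 * @param parentPath parent path must not be null.
 * @param pathToCheck path to check must not be null
 * @throws ForbiddenException if the normalized pathToCheck does not lie under parentPath
 */
public static void checkDirectoryTraversal(@NonNull Path parentPath, @NonNull Path pathToCheck) {
    Assert.notNull(parentPath, "Parent path must not be null");
    Assert.notNull(pathToCheck, "Path to check must not be null");
    // Normalize the parent as well: a parent containing "." or ".." segments could otherwise
    // never be a prefix of the normalized candidate, and every path would be rejected.
    final Path normalizedParent = parentPath.normalize();
    final Path normalizedPath = pathToCheck.normalize();
    if (normalizedPath.startsWith(normalizedParent)) {
        return;
    }
    throw new ForbiddenException("你没有权限访问 " + pathToCheck).setErrorData(pathToCheck);
}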
use of run.halo.app.exception.ForbiddenException in project halo by ruibaby.
the class UserServiceImpl method mustNotExpire.
/**
 * Ensures the user's suspension period, if any, has already elapsed.
 *
 * <p>{@code expireTime} is treated as the end of a temporary suspension: while it still lies
 * in the future the user is rejected and the remaining wait is reported in the error.
 * A null expire time means no suspension.
 *
 * @param user user to check, must not be null
 * @throws ForbiddenException if the user's expire time is still in the future
 */
@Override
public void mustNotExpire(User user) {
    Assert.notNull(user, "User must not be null");
    final Date now = DateUtils.now();
    final Date expireTime = user.getExpireTime();
    if (expireTime == null || !expireTime.after(now)) {
        return;
    }
    // Still suspended: report how long the caller has to wait.
    final long remainingSeconds = TimeUnit.MILLISECONDS.toSeconds(expireTime.getTime() - now.getTime());
    throw new ForbiddenException("账号已被停用,请 " + HaloUtils.timeFormat(remainingSeconds) + " 后重试").setErrorData(remainingSeconds);
}
use of run.halo.app.exception.ForbiddenException in project halo by ruibaby.
the class SheetModel method content.
/**
 * Sheet content.
 *
 * <p>Without a token only a published sheet is rendered (it is looked up again by slug).
 * With a token the given sheet is rendered as a preview once the token is found in the
 * cache store under its own value.
 * NOTE(review): the token is only checked for existence, not tied to this sheet's id here —
 * confirm the producer of the cache entry scopes it, otherwise any live preview token
 * would unlock every sheet.
 *
 * @param sheet sheet
 * @param token token
 * @param model model
 * @return template name
 * @throws ForbiddenException if a token is supplied but is unknown to the cache store
 */
public String content(Sheet sheet, String token, Model model) {
    final Sheet target;
    final SheetDetailVO detailVo;
    if (StringUtils.isEmpty(token)) {
        target = sheetService.getBy(PostStatus.PUBLISHED, sheet.getSlug());
        detailVo = sheetRenderAssembler.convertToDetailVo(target);
    } else {
        // verify token: the cache entry is keyed by the token and must echo it back
        final String cachedToken = cacheStore.getAny(token, String.class)
            .orElseThrow(() -> new ForbiddenException("您没有该页面的访问权限"));
        if (!token.equals(cachedToken)) {
            throw new ForbiddenException("您没有该页面的访问权限");
        }
        target = sheet;
        detailVo = sheetRenderAssembler.convertToPreviewDetailVo(target);
    }

    sheetService.publishVisitEvent(target.getId());
    final List<SheetMeta> metas = sheetMetaService.listBy(target.getId());

    // Generate meta keywords, falling back to the global SEO keywords.
    final String keywords = target.getMetaKeywords();
    model.addAttribute("meta_keywords",
        StringUtils.isNotEmpty(keywords) ? keywords : optionService.getSeoKeywords());

    // Generate meta description, falling back to one derived from the content.
    final String description = target.getMetaDescription();
    model.addAttribute("meta_description",
        StringUtils.isNotEmpty(description)
            ? description
            : sheetService.generateDescription(target.getContent().getContent()));

    // sheet and post all can use
    model.addAttribute("sheet", detailVo);
    model.addAttribute("post", detailVo);
    model.addAttribute("is_sheet", true);
    model.addAttribute("metas", sheetMetaService.convertToMap(metas));

    // Prefer a theme-provided custom sheet template when one exists.
    final String customTemplate = ThemeService.CUSTOM_SHEET_PREFIX + target.getTemplate();
    if (themeService.templateExists(customTemplate + HaloConst.SUFFIX_FTL)) {
        return themeService.render(customTemplate);
    }
    return themeService.render("sheet");
}