Merge branch '2.3' into 2.4

CHANGELOG.md

 # Changelog
 
+## 2.3.4
+This release fixes a minor security vulnerability which allowed an attacker to
+remove a MotD from a session without being the creator.
+
+Additional changes:
+* Libraries have been upgraded to fix potential bugs
+
 ## 2.4.1
 This release fixes a security vulnerability caused by the CORS implementation.
 Origins allowed for CORS can now be set in the configuration via

pom.xml

@@ -355,7 +355,7 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>sonar-maven-plugin</artifactId>
-				<version>3.0.2</version>
+				<version>3.2</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>

src/main/java/de/thm/arsnova/dao/CouchDBDao.java

@@ -2534,12 +2534,11 @@ public class CouchDBDao implements IDatabaseDao, ApplicationEventPublisherAware
 
 			if (null != id) {
 				d = database.getDocument(id, rev);
-			}
-			if (motd.getMotdkey() == null) {
+			} else {
 				motd.setMotdkey(sessionService.generateKeyword());
+				d.put("motdkey", motd.getMotdkey());
 			}
 			d.put("type", "motd");
-			d.put("motdkey", motd.getMotdkey());
 			d.put("startdate", String.valueOf(motd.getStartdate().getTime()));
 			d.put("enddate", String.valueOf(motd.getEnddate().getTime()));
 			d.put("title", motd.getTitle());

src/main/java/de/thm/arsnova/services/MotdService.java

@@ -21,6 +21,7 @@ import de.thm.arsnova.dao.IDatabaseDao;
 import de.thm.arsnova.entities.Motd;
 import de.thm.arsnova.entities.MotdList;
 import de.thm.arsnova.entities.User;
+import de.thm.arsnova.exceptions.BadRequestException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -113,35 +114,47 @@ public class MotdService implements IMotdService {
 		}
 	}
 
-  @Override
-  @PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
-  public Motd saveMotd(final Motd motd) {
-    return databaseDao.createOrUpdateMotd(motd);
-  }
+	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	public Motd saveMotd(final Motd motd) {
+		return createOrUpdateMotd(motd);
+	}
 
 	@Override
 	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
 	public Motd saveSessionMotd(final String sessionkey, final Motd motd) {
-		return databaseDao.createOrUpdateMotd(motd);
+		return createOrUpdateMotd(motd);
 	}
 
-  @Override
-  @PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
-  public Motd updateMotd(final Motd motd) {
-    return databaseDao.createOrUpdateMotd(motd);
-  }
+	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	public Motd updateMotd(final Motd motd) {
+		return createOrUpdateMotd(motd);
+	}
 
 	@Override
 	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
 	public Motd updateSessionMotd(final String sessionkey, final Motd motd) {
+		return createOrUpdateMotd(motd);
+	}
+
+	private Motd createOrUpdateMotd(final Motd motd) {
+		if (motd.getMotdkey() != null) {
+			Motd oldMotd = databaseDao.getMotdByKey(motd.getMotdkey());
+			if (!(motd.get_id().equals(oldMotd.get_id()) && motd.getSessionkey().equals(oldMotd.getSessionkey())
+					&& motd.getAudience().equals(oldMotd.getAudience()))) {
+				throw new BadRequestException();
+			}
+		}
+
 		return databaseDao.createOrUpdateMotd(motd);
 	}
 
-  @Override
-  @PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
-  public void deleteMotd(Motd motd) {
+	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
+	public void deleteMotd(Motd motd) {
 		databaseDao.deleteMotd(motd);
-  }
+	}
 
 	@Override
 	@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")