From 1f3bd6bb95e35b7ea5954dafbaab7ebc759e7899 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Tue, 25 Apr 2017 22:09:52 +0200
Subject: [PATCH] Add config property for exception messages in API responses

Exception messages in API responses are disabled by default because they
can contain sensitive data. The config property
`api.expose-exception-messages` has been added and is described in the
developer documentation.
---
 .../controller/AbstractControllerExceptionHandler.java   | 9 ++++++++-
 src/site/markdown/development.md                         | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/main/java/de/thm/arsnova/controller/AbstractControllerExceptionHandler.java b/src/main/java/de/thm/arsnova/controller/AbstractControllerExceptionHandler.java
index c0baf0fa..a393dc24 100644
--- a/src/main/java/de/thm/arsnova/controller/AbstractControllerExceptionHandler.java
+++ b/src/main/java/de/thm/arsnova/controller/AbstractControllerExceptionHandler.java
@@ -1,13 +1,20 @@
 package de.thm.arsnova.controller;
 
+import org.springframework.beans.factory.annotation.Value;
+
 import java.util.HashMap;
 import java.util.Map;
 
 public class AbstractControllerExceptionHandler {
+	/* Since exception messages might contain sensitive data, they are not exposed by default. */
+	@Value("${api.expose-error-messages:false}") private boolean exposeMessages;
+
 	protected Map<String, Object> handleException(Throwable e) {
 		final Map<String, Object> result = new HashMap<>();
 		result.put("errorType", e.getClass().getSimpleName());
-		result.put("errorMessage", e.getMessage());
+		if (exposeMessages) {
+			result.put("errorMessage", e.getMessage());
+		}
 
 		return result;
 	}
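Review bot: The key read by the `@Value` field is `api.expose-error-messages`, but the commit message names `api.expose-exception-messages`. development.md matches the code, so anyone following the commit message would set a key that is never read; the default stays `false`, so this fails closed. With the flag off, `handleException` drops `e.getMessage()` and nothing in the visible lines logs it, so unless callers already log the exception the detail is lost to operators as well as clients; I would extend the field comment to say so, e.g. `/* api.expose-error-messages (default false): messages may contain sensitive data; when off they are omitted from the response and must be logged server-side. */`. `errorType` still returns the exception's simple class name unconditionally, which is worth a conscious decision. The class body continues outside the hunk.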
diff --git a/src/site/markdown/development.md b/src/site/markdown/development.md
index 8aee947e..e7bf9aaf 100644
--- a/src/site/markdown/development.md
+++ b/src/site/markdown/development.md
@@ -37,6 +37,9 @@ Run the following command to download the dependencies and startup the backend w
 
 After a few seconds the ARSnova API will be accessible at <http://localhost:8080/>.
 
+You can adjust the amount of debug logging by changing the log levels in [log4j-dev.properties](src/main/resources/log4j-dev.properties).
+Additionally, you can enable exception messages in API responses by setting the boolean property `api.expose-error-messages` in `arsnova.properties`.
+
 
 ## Continuous Integration
 
-- 
GitLab