Commit 44cae8d8 authored by Daniel Gerhardt

Merge branch '2.3' into 2.4

parents 83fedc70 a38ac9d2
# Changelog
## 2.3.4
This release fixes a minor security vulnerability which allowed an attacker to
remove a MotD from a session without being the creator.
Additional changes:
* Libraries have been upgraded to fix potential bugs
## 2.4.1
This release fixes a security vulnerability caused by the CORS implementation.
Origins allowed for CORS can now be set in the configuration via
......
......@@ -355,7 +355,7 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.0.2</version>
<version>3.2</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
......
......@@ -2534,12 +2534,11 @@ public class CouchDBDao implements IDatabaseDao, ApplicationEventPublisherAware
if (null != id) {
d = database.getDocument(id, rev);
}
if (motd.getMotdkey() == null) {
} else {
motd.setMotdkey(sessionService.generateKeyword());
d.put("motdkey", motd.getMotdkey());
}
d.put("type", "motd");
d.put("motdkey", motd.getMotdkey());
d.put("startdate", String.valueOf(motd.getStartdate().getTime()));
d.put("enddate", String.valueOf(motd.getEnddate().getTime()));
d.put("title", motd.getTitle());
......
......@@ -21,6 +21,7 @@ import de.thm.arsnova.dao.IDatabaseDao;
import de.thm.arsnova.entities.Motd;
import de.thm.arsnova.entities.MotdList;
import de.thm.arsnova.entities.User;
import de.thm.arsnova.exceptions.BadRequestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
......@@ -113,35 +114,47 @@ public class MotdService implements IMotdService {
}
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public Motd saveMotd(final Motd motd) {
return databaseDao.createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public Motd saveMotd(final Motd motd) {
return createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
public Motd saveSessionMotd(final String sessionkey, final Motd motd) {
return databaseDao.createOrUpdateMotd(motd);
return createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public Motd updateMotd(final Motd motd) {
return databaseDao.createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public Motd updateMotd(final Motd motd) {
return createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
public Motd updateSessionMotd(final String sessionkey, final Motd motd) {
return createOrUpdateMotd(motd);
}
private Motd createOrUpdateMotd(final Motd motd) {
if (motd.getMotdkey() != null) {
Motd oldMotd = databaseDao.getMotdByKey(motd.getMotdkey());
if (!(motd.get_id().equals(oldMotd.get_id()) && motd.getSessionkey().equals(oldMotd.getSessionkey())
&& motd.getAudience().equals(oldMotd.getAudience()))) {
throw new BadRequestException();
}
}
return databaseDao.createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public void deleteMotd(Motd motd) {
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
public void deleteMotd(Motd motd) {
databaseDao.deleteMotd(motd);
}
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
......
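Review bot: The ownership check in createOrUpdateMotd runs only when motdkey is non-null, while the CouchDBDao hunk fetches and overwrites whichever document `id` names (presumably derived from motd.get_id(); that derivation is outside the hunk) and generates a fresh key when motdkey is missing, so a save carrying an `_id` but no `motdkey` never reaches the comparison. The guard should reject that shape with the same BadRequestException, or look the stored document up by `_id` instead of trusting the client-supplied key. Separately, `oldMotd.get_id()`, `motd.get_id().equals(...)` and `motd.getSessionkey().equals(...)` are dereferenced without null checks, so an unknown key or an admin MOTD without a session key surfaces as a NullPointerException instead of the intended 400; `Objects.equals` (java.util, not imported in the hunk above) gives the same rejection null-safely. All four public entry points route through this helper, so one fix covers saveMotd, saveSessionMotd, updateMotd and updateSessionMotd.
```java
private Motd createOrUpdateMotd(final Motd motd) {
	// An update can only be verified against the stored document when the
	// caller supplies the key; an _id without a motdkey is not verifiable.
	if (motd.get_id() != null && motd.getMotdkey() == null) {
		throw new BadRequestException();
	}
	if (motd.getMotdkey() != null) {
		final Motd oldMotd = databaseDao.getMotdByKey(motd.getMotdkey());
		if (oldMotd == null
				|| !Objects.equals(motd.get_id(), oldMotd.get_id())
				|| !Objects.equals(motd.getSessionkey(), oldMotd.getSessionkey())
				|| !Objects.equals(motd.getAudience(), oldMotd.getAudience())) {
			throw new BadRequestException();
		}
	}
	return databaseDao.createOrUpdateMotd(motd);
}
```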