From c2184e78568bf5d3622affc4d17a80914eeabea7 Mon Sep 17 00:00:00 2001
From: Jake Potrebic <15055071+Machine-Maker@users.noreply.github.com>
Date: Sun, 6 Sep 2020 18:42:57 -0700
Subject: [PATCH] implemented user locking authentication

---
 docker/docker-compose.yml                     |  1 +
 .../hangar/controller/UsersController.java    | 29 +++++++++++++++----
 .../papermc/hangar/service/UserService.java   |  3 +-
 src/main/resources/templates/users/view.ftlh  |  2 +-
 4 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index e5ac6fb33..2495663d5 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -94,6 +94,7 @@ services:
       DB_USER: "hangarauth"
       DB_PASSWORD: "hangarauth"
       DB_HOST: "db"
+      APP_HOST: "http://localhost:8080"
       SSO_ENDPOINT_hangar: "{ 'sync_sso_endpoint': ('http://app:8080/api/sync_sso'), 'sso_secret': 'changeme', 'api_key': 'changeme' }"
       DEBUG: "true"
       DJANGO_SETTINGS_MODULE: "spongeauth.settings.prod"
diff --git a/src/main/java/io/papermc/hangar/controller/UsersController.java b/src/main/java/io/papermc/hangar/controller/UsersController.java
index 10655863e..aae586768 100644
--- a/src/main/java/io/papermc/hangar/controller/UsersController.java
+++ b/src/main/java/io/papermc/hangar/controller/UsersController.java
@@ -8,11 +8,13 @@ import io.papermc.hangar.db.model.NotificationsTable;
 import io.papermc.hangar.db.model.OrganizationsTable;
 import io.papermc.hangar.db.model.UsersTable;
 import io.papermc.hangar.model.InviteFilter;
+import io.papermc.hangar.model.NamedPermission;
 import io.papermc.hangar.model.NotificationFilter;
 import io.papermc.hangar.model.Prompt;
 import io.papermc.hangar.model.viewhelpers.InviteSubject;
 import io.papermc.hangar.model.viewhelpers.UserData;
 import io.papermc.hangar.model.viewhelpers.UserRole;
+import io.papermc.hangar.security.annotations.GlobalPermission;
 import io.papermc.hangar.service.ApiKeyService;
 import io.papermc.hangar.service.AuthenticationService;
 import io.papermc.hangar.service.NotificationService;
@@ -21,6 +23,7 @@ import io.papermc.hangar.service.PermissionService;
 import io.papermc.hangar.service.RoleService;
 import io.papermc.hangar.service.SitemapService;
 import io.papermc.hangar.service.SsoService;
+import io.papermc.hangar.service.SsoService.SignatureException;
 import io.papermc.hangar.service.UserActionLogService;
 import io.papermc.hangar.service.UserService;
 import io.papermc.hangar.service.sso.AuthUser;
@@ -44,7 +47,6 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
-import org.springframework.web.servlet.view.RedirectView;
 
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
@@ -240,12 +242,27 @@ public class UsersController extends HangarController {
         return fillModel(mav);
     }
 
+    @GlobalPermission(NamedPermission.EDIT_OWN_USER_SETTINGS)
     @Secured("ROLE_USER")
-    @PostMapping("/{user}/settings/lock/{locked}")
-    public RedirectView setLocked(@PathVariable String user, @PathVariable boolean locked, @RequestParam String sso, @RequestParam String sig) {
-        // TODO auth
-        userService.setLocked(user, locked);
-        return new RedirectView(Routes.getRouteUrlOf("users.showProjects", user));
+    @GetMapping("/{user}/settings/lock/{locked}")
+    public ModelAndView setLocked(@PathVariable String user, @PathVariable boolean locked, @RequestParam(required = false) String sso, @RequestParam(required = false) String sig) {
+        UsersTable curUser = getCurrentUser();
+        if (!hangarConfig.fakeUser.isEnabled()) {
+            try {
+                AuthUser authUser = ssoService.authenticate(sso, sig);
+                if (authUser == null || authUser.getId() != curUser.getId()) {
+                    throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
+                }
+            } catch (SignatureException e) {
+                throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
+            }
+        }
+
+        if (!locked) {
+            // TODO email!
+        }
+        userService.setLocked(curUser, locked);
+        return Routes.USERS_SHOW_PROJECTS.getRedirect(user);
     }
 
     @Secured("ROLE_USER")
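Review bot: The `{user}` path variable no longer selects the account being locked — `userService.setLocked(curUser, locked)` acts on the session user while `Routes.USERS_SHOW_PROJECTS.getRedirect(user)` sends the browser to whatever name was in the URL, so a mismatched URL silently locks the caller and lands them on someone else's page; either drop the path variable or verify before the SSO check that `user` names the current user and respond with `ResponseStatusException(HttpStatus.NOT_FOUND)` otherwise. The check `authUser.getId() != curUser.getId()` is only correct if both getters return a primitive; if either returns a boxed `Long`, `!=` compares references and the identity check can fail spuriously for equal ids — confirm the types. Because the endpoint moved from POST to GET and the signed `sso`/`sig` pair now travels in the query string (and so into access logs and Referer headers), a captured URL can be replayed unless `ssoService.authenticate` enforces a nonce or expiry, which this hunk does not show; and when `hangarConfig.fakeUser.isEnabled()` the signature check is skipped entirely, so a comment such as `// fakeUser is a dev-only mode: the SSO signature check is bypassed` belongs on that branch. The empty `if (!locked) { // TODO email! }` block should either do the work or shrink to a single `// TODO: notify the user by email on unlock` comment.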
diff --git a/src/main/java/io/papermc/hangar/service/UserService.java b/src/main/java/io/papermc/hangar/service/UserService.java
index c81966e30..96e832c2f 100644
--- a/src/main/java/io/papermc/hangar/service/UserService.java
+++ b/src/main/java/io/papermc/hangar/service/UserService.java
@@ -156,8 +156,7 @@ public class UserService extends HangarService {
         }
     }
 
-    public void setLocked(String userName, boolean locked) {
-        UsersTable user = userDao.get().getByName(userName);
+    public void setLocked(UsersTable user, boolean locked) {
         user.setIsLocked(locked);
         userDao.get().update(user);
     }
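Review bot: `setLocked` now dereferences the caller-supplied `UsersTable` on the next line with no guard, so a null argument surfaces as a NullPointerException from inside the service instead of at the call site; add `Objects.requireNonNull(user, "user");` as the first statement. Locking or unlocking an account is a security-relevant state change, and nothing here records who did it or when — if the project routes other account changes through `UserActionLogService` (imported by the controller in this patch), this method or its caller is the natural place for such an entry. A short Javadoc stating that the method mutates and persists the passed-in entity would also make the new signature's contract explicit.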
diff --git a/src/main/resources/templates/users/view.ftlh b/src/main/resources/templates/users/view.ftlh
index 6ccccfecb..3bb441cdd 100644
--- a/src/main/resources/templates/users/view.ftlh
+++ b/src/main/resources/templates/users/view.ftlh
@@ -75,7 +75,7 @@
 
                                 <span data-toggle="modal" data-target="#modal-lock">
                                     <i class="fas <#if u.user.isLocked()>fa-lock<#else>fa-unlock-alt</#if> action-lock-account" data-toggle="tooltip"
-                                    data-placement="top" title="<@spring.message "user.lock" />"></i>
+                                    data-placement="top" title="<#if !u.user.isLocked()><@spring.message "user.lock" /><#else><@spring.message "user.unlock" /></#if>"></i>
                                 </span>
 
                                 <a class="action-api" href="${Routes.USERS_EDIT_API_KEYS.getRouteUrl(u.user.name)}">