Changeset 38302 for main/trunk/greenstone3/src

Timestamp:

2023-10-11T17:55:40+13:00 (8 months ago)

Author:

anupama

Message:

Webswing authentication bypass when logged in, using JSessionID this time. But what should be in FROM attribute of response message from SystemAction? No response is coming from a service.

File:

• main/trunk/greenstone3/src/java/org/greenstone/gsdl3/action/SystemAction.java (modified) (2 diffs)

main/trunk/greenstone3/src/java/org/greenstone/gsdl3/action/SystemAction.java

@@ -25 +25 @@
 
     String tempVal = "";
-
+    protected static final String SYSTEM_ACTION = "SystemAction";
+    
     /** process a request */
     public Node process(Node message_node)
@@ -52 +53 @@
         else if(subaction.equals("authenticated-ping")) {
             to = "RemoteAuthentication"; // not "Authentication/RemoteAuthentication": MessageRouter knows to map the RemoteAuthentication service to the Authentication module
+        } else if(subaction.equals("get-groups-from-session")) {
+            String msg = "";
+            
+            String suppliedUsername = (String) params.get(GSParams.UN);
+            if(!suppliedUsername.equals(userContext.getUsername())) {
+            msg = "Authentication failed: incorrect username for current session.";
+            } else {
+            String groups = userContext.getGroupsString();
+            String suppliedCollection = params.containsKey("col") ? suppliedCollection = (String) params.get("col") : "";
+            
+            if(suppliedCollection.equals("")) {
+                msg = groups;
+            } else {                    
+                
+                if(groups.indexOf("all-collections-editor") != -1) { // Does this user have access to all collections?
+                msg = groups;
+                } else if(groups.indexOf("personal-collections-editor") != -1 && suppliedCollection.startsWith(suppliedUsername+"-")) { // Does this user have access to personal collections, and is this one?
+                msg = groups;
+                } else if(groups.indexOf(suppliedCollection+"-collection-editor") != -1) { //  Does this user have access to this collection?
+                msg = groups;
+                }
+                else {
+                msg = "Authentication failed: user is not in the required group.";
+                //logger.error("*** Remote login failed. Groups did not match for the collection specified");
+                }
+            }
+            }
+
+            Element response = doc.createElement(GSXML.RESPONSE_ELEM);
+            response.setAttribute(GSXML.FROM_ATT, SYSTEM_ACTION);
+            response.setAttribute(GSXML.TYPE_ATT, GSXML.REQUEST_TYPE_PROCESS);      
+            Element s = GSXML.createTextElement(doc, GSXML.STATUS_ELEM, msg);
+            response.appendChild(s);
+            
+            addSiteMetadata(response, userContext);
+            addInterfaceOptions(response);
+            
+            result.appendChild(response);
+            return result; // done, no need to call a service
         }
-
+        
         Element mr_request_message = doc.createElement(GSXML.MESSAGE_ELEM);
         Element mr_request = GSXML.createBasicRequest(doc, GSXML.REQUEST_TYPE_SYSTEM, to, userContext);