author | Marvin Borner | 2019-05-04 19:10:18 +0200 |
committer | Marvin Borner | 2019-05-04 19:10:18 +0200 |
commit | b7540fb2b1bbe016d23b8a7f3e7ab3edafb219c8 (patch) | |
tree | da32ba6ac7467bc7d39f5209c7734ded79911260 /src/main/kotlin/App.kt | |
parent | 04d0cb43f6a3ede1a61309cf17d78d189caa9dd4 (diff) |
Fixed major security issues
Co-authored-by: LarsVomMars <lars@kroenner.eu>
Diffstat (limited to 'src/main/kotlin/App.kt')
-rw-r--r-- | src/main/kotlin/App.kt | 36 |
1 files changed, 16 insertions, 20 deletions
diff --git a/src/main/kotlin/App.kt b/src/main/kotlin/App.kt 
index 95dfdca..f3cb8a0 100644 
--- a/src/main/kotlin/App.kt 
+++ b/src/main/kotlin/App.kt 
@@ -46,20 +46,20 @@ fun main(args: Array<String>) {
 ctx.contentType("text/css") ctx.result(Thread.currentThread().contextClassLoader.getResourceAsStream("css/" + ctx.splat(0))) }, 
- roles(Roles.GUEST) 
+ roles(Roles.GUEST, Roles.USER)
 ) get( "/js/*", { ctx -> ctx.contentType("text/js") ctx.result(Thread.currentThread().contextClassLoader.getResourceAsStream("js/" + ctx.splat(0))) }, 
- roles(Roles.GUEST) 
+ roles(Roles.GUEST, Roles.USER)
 ) get( "/fonts/*", { ctx -> ctx.result(Thread.currentThread().contextClassLoader.getResourceAsStream("fonts/" + ctx.splat(0))) }, 
- roles(Roles.GUEST) 
+ roles(Roles.GUEST, Roles.USER)
 ) /** 
@@ -70,12 +70,12 @@ fun main(args: Array<String>) {
 "index.rocker.html", model("username", databaseController.getUsername(userHandler.getVerifiedUserId(ctx))) ) 
- }, roles(Roles.GUEST)) 
+ }, roles(Roles.GUEST, Roles.USER))
 /** * Renders the login page */ 
- get("/user/login", userHandler::renderLogin, roles(Roles.GUEST)) 
+ get("/user/login", userHandler::renderLogin, roles(Roles.GUEST, Roles.USER))
 /** * Endpoint for user authentication 
@@ -99,12 +99,9 @@ fun main(args: Array<String>) {
 /** * Adds part of a new user (username) to database 
+ * TODO: Create post request with admin interface
 */ 
- get( 
- "/user/add", 
- databaseController::indexUserRegistration, 
- roles(Roles.ADMIN) 
- ) // TODO: Create post request with admin interface 
+ get("/user/add", databaseController::indexUserRegistration, roles(Roles.ADMIN))
 /** * Renders the setup page (only on initial use) 
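Review bot: The new `roles(Roles.GUEST, Roles.USER)` set is spelled out six times across this hunk and hunks 2 and 4 (the `/css/*`, `/js/*`, `/fonts/*`, `/`, `/user/login` and `/shared` routes), so the next policy change is a search-and-replace exercise with every chance of missing one route. Hoisting it once near the top of main, `val publicRoles = roles(Roles.GUEST, Roles.USER)`, and passing `publicRoles` to each of those routes keeps the access rule in one place. Note that `Roles.ADMIN` is not in that set: if an account can carry ADMIN without also carrying USER, that account is now denied the static assets and the index page — I cannot tell from these hunks whether role sets overlap, so confirm against how roles are assigned. Hunk 4 also gives `/share` only `roles(Roles.USER)` while `/shared` gets both roles; if that asymmetry is intended, state it in the route's KDoc, e.g. `* Shares file in directory (logged-in users only; guests may only view via /shared)`. main starts and ends outside these hunks.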
@@ -139,12 +136,12 @@ fun main(args: Array<String>) {
 /** * Shares file in directory */ 
- post("/share", fileController::handleSharedFile, roles(Roles.GUEST)) 
+ post("/share", fileController::handleSharedFile, roles(Roles.USER))
 /** * Shows the shared file */ 
- get("/shared", fileController::renderShared, roles(Roles.GUEST)) 
+ get("/shared", fileController::renderShared, roles(Roles.GUEST, Roles.USER))
 } } 
@@ -152,14 +149,13 @@ fun main(args: Array<String>) {
 * Sets up the roles with the database and declares the handling of roles */ fun roleManager(handler: Handler, ctx: Context, permittedRoles: Set<Role>) { 
- when { 
- userHandler.getVerifiedUserId(ctx) == ctx.cookieStore("userId") ?: "userId" -> handler.handle(ctx) 
- databaseController.getRoles(userHandler.getVerifiedUserId(ctx)).any { it in permittedRoles } -> handler.handle( 
- ctx 
- ) 
- // ctx.host()!!.contains("localhost") -> handler.handle(ctx) // DEBUG 
- else -> ctx.status(401).redirect("/user/login") 
- } 
+ if (userHandler.getVerifiedUserId(ctx) == ctx.cookieStore("userId") ?: "userId" 
+ && databaseController.getRoles(userHandler.getVerifiedUserId(ctx)).any { it in permittedRoles } 
+ ) handler.handle(ctx) 
+ else if (userHandler.getVerifiedUserId(ctx) != ctx.cookieStore("userId") ?: "userId" 
+ && databaseController.getRoles(userHandler.getVerifiedUserId(ctx)).any { it in permittedRoles } 
+ ) handler.handle(ctx) 
+ else ctx.status(401).redirect("/user/login")
 } /** |
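Review bot: The two `if` branches of the rewritten roleManager are one rule in disguise: `(a && c) || (!a && c)` reduces to `c`, so the comparison of the verified id against `ctx.cookieStore("userId") ?: "userId"` never influences the decision and access is granted exactly when `databaseController.getRoles(...)` intersects permittedRoles. The dead comparison, the duplicated `getRoles` lookup and up to four `getVerifiedUserId(ctx)` calls per request make an access-control function harder to audit than it needs to be; if role membership is the intended rule, write it once as `val userId = userHandler.getVerifiedUserId(ctx)`, `if (databaseController.getRoles(userId).any { it in permittedRoles }) handler.handle(ctx)`, `else ctx.status(401).redirect("/user/login")`. The removed `when` granted access on the id/cookie match alone, regardless of roles; if dropping that was deliberate rather than the issue this commit fixes, a sentence in the KDoc above (`* Access is granted only when the verified user holds one of permittedRoles`) would record the policy. The `ctx.status(401)` is presumably overwritten by the 3xx status that `redirect` sets, so non-browser clients would never observe a 401 — confirm against the Javalin version in use before relying on that status for API callers.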