Merge branch 'passwordchangecleanup' into 'master'

Password change cleanup

Original thought behind this is that (at least in the future) anyone can create organisation and become admin for that event, change password for any other organisations admin, and gain access to any event.

See merge request !324

code/moya-beans/ejbModule/fi/codecrew/moya/beans/BootstrapBean.java

@@ -42,6 +42,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 	private DBModelFacade dbModelFacade;
 	private DBModelFacade dbModelFacade;
 
 
 	private static final List<String[]> dbUpdates = new ArrayList<String[]>();
 	private static final List<String[]> dbUpdates = new ArrayList<String[]>();
+
 	static {
 	static {
 		// {"Query1","Query2",...}
 		// {"Query1","Query2",...}
 		dbUpdates.add(new String[] { "" }); // first version, no changes
 		dbUpdates.add(new String[] { "" }); // first version, no changes
@@ -166,8 +167,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 
 
 		dbUpdates.add(alterTables("ADD COLUMN meta json",
 		dbUpdates.add(alterTables("ADD COLUMN meta json",
 				"card_text_data",
 				"card_text_data",
-				"card_object_data"
-				));
+				"card_object_data"));
 		dbUpdates.add(new String[] {
 		dbUpdates.add(new String[] {
 				"ALTER TABLE card_text_data ADD COLUMN font_color_r integer DEFAULT 0;",
 				"ALTER TABLE card_text_data ADD COLUMN font_color_r integer DEFAULT 0;",
 				"ALTER TABLE card_text_data ADD COLUMN font_color_g integer DEFAULT 0;",
 				"ALTER TABLE card_text_data ADD COLUMN font_color_g integer DEFAULT 0;",
@@ -306,7 +306,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 		});
 		});
 
 
 		dbUpdates.add(new String[] {
 		dbUpdates.add(new String[] {
-			"update events set end_time = '2010-01-01 00:00:00' where end_time is null"
+				"update events set end_time = '2010-01-01 00:00:00' where end_time is null"
 		});
 		});
 
 
 		// ... jepjep.. Lefu
 		// ... jepjep.. Lefu
@@ -318,7 +318,6 @@ public class BootstrapBean implements BootstrapBeanLocal {
 				"ALTER TABLE org_role_requests ADD CONSTRAINT FK_org_role_requests_user_id FOREIGN KEY (user_id) REFERENCES users (id)",
 				"ALTER TABLE org_role_requests ADD CONSTRAINT FK_org_role_requests_user_id FOREIGN KEY (user_id) REFERENCES users (id)",
 		});
 		});
 
 
-
 		// Run some profiling against local database. These were few of the low hanging fruits.
 		// Run some profiling against local database. These were few of the low hanging fruits.
 		dbUpdates.add(new String[] {
 		dbUpdates.add(new String[] {
 				// User searching in admin view (seq scan to index scan)
 				// User searching in admin view (seq scan to index scan)
@@ -335,18 +334,27 @@ public class BootstrapBean implements BootstrapBeanLocal {
 		});
 		});
 
 
 		dbUpdates.add(new String[] {
 		dbUpdates.add(new String[] {
-			"ALTER TABLE event_users ADD tokencode text"
+				"ALTER TABLE event_users ADD tokencode text"
 		});
 		});
 
 
 		dbUpdates.add(new String[] {
 		dbUpdates.add(new String[] {
-			"ALTER TABLE event_users ADD UNIQUE (tokencode)"
+				"ALTER TABLE event_users ADD UNIQUE (tokencode)"
 		});
 		});
 
 
+		deleteMenu("/useradmin/changePassword");
+
 	}
 	}
 
 
 	public BootstrapBean() {
 	public BootstrapBean() {
 	}
 	}
 
 
+	private static void deleteMenu(String menupath) {
+		dbUpdates.add(new String[] {
+				"delete from menu_navigation where item_id in (select id from menuitem where url in ( ' " + menupath + "'))",
+				"delete from menuitem where url in ('" + menupath + "')",
+		});
+	}
+
 	/**
 	/**
 	 * Runs a "ALTER TABLE
 	 * Runs a "ALTER TABLE
 	 * <table>
 	 * <table>

code/moya-beans/ejbModule/fi/codecrew/moya/beans/MenuBean.java

@@ -222,7 +222,6 @@ public class MenuBean implements MenuBeanLocal {
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/sendPicture"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/sendPicture"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/place/adminGroups"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/place/adminGroups"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/edit"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/edit"), UserPermission.VIEW_ALL).setVisible(false);
-		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/changePassword"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/accountEvents"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/accountEvents"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveshop"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveshop"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveProducts"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveProducts"), UserPermission.VIEW_ALL).setVisible(false);

code/moya-web/WebContent/useradmin/changePassword.xhtml

-<!DOCTYPE html 
-     PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets"
-	xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core"
-	xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:users="http://java.sun.com/jsf/composite/cditools/user"
->
-<h:body>
-	<ui:composition template="#{sessionHandler.template}">
-		<f:metadata>
-			<f:viewParam name="userid" value="#{userView.userid}" />
-			<f:event type="preRenderView" listener="#{userView.initView}" />
-		</f:metadata>
-		<ui:define name="title">
-			<h1>#{i18n['user.changepassword.title']}</h1>
-			<users:usertabs tabId="edit" />
-
-		</ui:define>
-		<ui:define name="content">
-			<h:form id="userform">
-				<h:panelGrid columns="2">
-					<h:outputLabel value="#{i18n['user.password']}:" />
-					<h:inputSecret id="password" value="#{passwordView.password}" />
-					<h:outputLabel value="#{i18n['user.passwordcheck']}:" />
-					<h:inputSecret id="passwordcheck" value="#{passwordView.passwordcheck}" />
-					<h:commandButton id="createuserbtn" action="#{passwordView.changePassword()}"
-						value="#{i18n['user.changePassword']}"
-					/>
-				</h:panelGrid>
-			</h:form>
-		</ui:define>
-	</ui:composition>
-</h:body>
-</html>
\ No newline at end of file

code/moya-web/WebContent/useradmin/edit.xhtml

@@ -19,9 +19,7 @@
 			<users:usertabs tabId="edit" />
 			<users:usertabs tabId="edit" />
 		</ui:define>
 		</ui:define>
 		<ui:define name="content">
 		<ui:define name="content">
-			<p:button render="#{userSessionView.currentUser.user.superadmin}" outcome="/useradmin/changePassword" value="#{i18n['submenu.user.changePassword']}">
-				<f:param name="userid" value="#{userView.user.user.id}" />
-			</p:button>
+			
 			<users:edit commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 			<users:edit commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 
 
 			<h:form id="roleform" rendered="#{roleView.canReadRoles}">
 			<h:form id="roleform" rendered="#{roleView.canReadRoles}">

code/moya-web/WebContent/useradmin/userCartShow.xhtml

@@ -55,11 +55,6 @@
 				</h:link>
 				</h:link>
 			</p>
 			</p>
 
 
-			<p>
-				<h:link outcome="/useradmin/changePassword" value="#{i18n['submenu.user.changePassword']}">
-					<f:param name="userid" value="#{userView.user.user.id}" />
-				</h:link>
-			</p>
 
 
 			<users:edit id="useredit" commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 			<users:edit id="useredit" commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 
 

code/moya-web/src/main/java/fi/codecrew/moya/web/cdiview/user/PasswordView.java

@@ -27,7 +27,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.LoggerFactory;
 
 
 import fi.codecrew.moya.beans.UserBeanLocal;
 import fi.codecrew.moya.beans.UserBeanLocal;
-import fi.codecrew.moya.enums.apps.UserPermission;
 import fi.codecrew.moya.model.EventUser;
 import fi.codecrew.moya.model.EventUser;
 import fi.codecrew.moya.web.annotations.SelectedUser;
 import fi.codecrew.moya.web.annotations.SelectedUser;
 import fi.codecrew.moya.web.cdiview.GenericCDIView;
 import fi.codecrew.moya.web.cdiview.GenericCDIView;
@@ -55,22 +54,20 @@ public class PasswordView extends GenericCDIView {
 	private static final Logger logger = LoggerFactory.getLogger(PasswordView.class);
 	private static final Logger logger = LoggerFactory.getLogger(PasswordView.class);
 
 
 	public String changePassword() {
 	public String changePassword() {
-		boolean mod = permbean.hasPermission(UserPermission.MODIFY);
-		if (permbean.isCurrentUser(user) || mod) {
-			logger.debug("foo {}, {}", mod, user.checkPassword(oldPassword));
-
-			if (!user.checkPassword(oldPassword)) {
-				super.addFaceMessage("userview.oldPasswordError");
-			} else if (password == null || !password.equals(passwordcheck)) {
-				super.addFaceMessage("userview.passwordsDontMatch");
-			} else {
-				user.getUser().resetPassword(password);
-				user = userbean.mergeChanges(user);
-				return "/user/edit";
-			}
-			return null;
+		if (!permbean.isCurrentUser(user)) {
+			return "permissionDenied";
 		}
 		}
-		return "permissionDenied";
+		if (!user.checkPassword(oldPassword)) {
+			super.addFaceMessage("userview.oldPasswordError");
+		} else if (password == null || !password.equals(passwordcheck)) {
+			super.addFaceMessage("userview.passwordsDontMatch");
+		} else {
+			user.getUser().resetPassword(password);
+			user = userbean.mergeChanges(user);
+			return "/user/edit";
+		}
+		return null;
+
 	}
 	}
 
 
 	public EventUser getUser() {
 	public EventUser getUser() {