Merge branch 'passwordchangecleanup' into 'master'

Password change cleanup

Original thought behind this is that (at least in the future) anyone can create organisation and become admin for that event, change password for any other organisations admin, and gain access to any event.

See merge request !324

code/moya-beans/ejbModule/fi/codecrew/moya/beans/BootstrapBean.java

@@ -42,6 +42,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 	private DBModelFacade dbModelFacade;
 
 	private static final List<String[]> dbUpdates = new ArrayList<String[]>();
+
 	static {
 		// {"Query1","Query2",...}
 		dbUpdates.add(new String[] { "" }); // first version, no changes
@@ -166,8 +167,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 
 		dbUpdates.add(alterTables("ADD COLUMN meta json",
 				"card_text_data",
-				"card_object_data"
-				));
+				"card_object_data"));
 		dbUpdates.add(new String[] {
 				"ALTER TABLE card_text_data ADD COLUMN font_color_r integer DEFAULT 0;",
 				"ALTER TABLE card_text_data ADD COLUMN font_color_g integer DEFAULT 0;",
@@ -306,7 +306,7 @@ public class BootstrapBean implements BootstrapBeanLocal {
 		});
 
 		dbUpdates.add(new String[] {
-			"update events set end_time = '2010-01-01 00:00:00' where end_time is null"
+				"update events set end_time = '2010-01-01 00:00:00' where end_time is null"
 		});
 
 		// ... jepjep.. Lefu
@@ -318,7 +318,6 @@ public class BootstrapBean implements BootstrapBeanLocal {
 				"ALTER TABLE org_role_requests ADD CONSTRAINT FK_org_role_requests_user_id FOREIGN KEY (user_id) REFERENCES users (id)",
 		});
 
-
 		// Run some profiling against local database. These were few of the low hanging fruits.
 		dbUpdates.add(new String[] {
 				// User searching in admin view (seq scan to index scan)
@@ -335,18 +334,27 @@ public class BootstrapBean implements BootstrapBeanLocal {
 		});
 
 		dbUpdates.add(new String[] {
-			"ALTER TABLE event_users ADD tokencode text"
+				"ALTER TABLE event_users ADD tokencode text"
 		});
 
 		dbUpdates.add(new String[] {
-			"ALTER TABLE event_users ADD UNIQUE (tokencode)"
+				"ALTER TABLE event_users ADD UNIQUE (tokencode)"
 		});
 
+		deleteMenu("/useradmin/changePassword");
+
 	}
 
 	public BootstrapBean() {
 	}
 
+	private static void deleteMenu(String menupath) {
+		dbUpdates.add(new String[] {
+				"delete from menu_navigation where item_id in (select id from menuitem where url in ( ' " + menupath + "'))",
+				"delete from menuitem where url in ('" + menupath + "')",
+		});
+	}
+
 	/**
 	 * Runs a "ALTER TABLE
 	 * <table>

code/moya-beans/ejbModule/fi/codecrew/moya/beans/MenuBean.java

@@ -222,7 +222,6 @@ public class MenuBean implements MenuBeanLocal {
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/sendPicture"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/place/adminGroups"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/edit"), UserPermission.VIEW_ALL).setVisible(false);
-		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/changePassword"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/accountEvents"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveshop"), UserPermission.VIEW_ALL).setVisible(false);
 		adminuser.addPage(menuitemfacade.findOrCreate("/useradmin/foodwaveProducts"), UserPermission.VIEW_ALL).setVisible(false);

code/moya-web/WebContent/useradmin/changePassword.xhtml

-<!DOCTYPE html 
-     PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
-    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://java.sun.com/jsf/facelets"
-	xmlns:h="http://java.sun.com/jsf/html" xmlns:f="http://java.sun.com/jsf/core"
-	xmlns:c="http://java.sun.com/jsp/jstl/core" xmlns:users="http://java.sun.com/jsf/composite/cditools/user"
->
-<h:body>
-	<ui:composition template="#{sessionHandler.template}">
-		<f:metadata>
-			<f:viewParam name="userid" value="#{userView.userid}" />
-			<f:event type="preRenderView" listener="#{userView.initView}" />
-		</f:metadata>
-		<ui:define name="title">
-			<h1>#{i18n['user.changepassword.title']}</h1>
-			<users:usertabs tabId="edit" />
-
-		</ui:define>
-		<ui:define name="content">
-			<h:form id="userform">
-				<h:panelGrid columns="2">
-					<h:outputLabel value="#{i18n['user.password']}:" />
-					<h:inputSecret id="password" value="#{passwordView.password}" />
-					<h:outputLabel value="#{i18n['user.passwordcheck']}:" />
-					<h:inputSecret id="passwordcheck" value="#{passwordView.passwordcheck}" />
-					<h:commandButton id="createuserbtn" action="#{passwordView.changePassword()}"
-						value="#{i18n['user.changePassword']}"
-					/>
-				</h:panelGrid>
-			</h:form>
-		</ui:define>
-	</ui:composition>
-</h:body>
-</html>
\ No newline at end of file

code/moya-web/WebContent/useradmin/edit.xhtml

@@ -19,9 +19,7 @@
 			<users:usertabs tabId="edit" />
 		</ui:define>
 		<ui:define name="content">
-			<p:button render="#{userSessionView.currentUser.user.superadmin}" outcome="/useradmin/changePassword" value="#{i18n['submenu.user.changePassword']}">
-				<f:param name="userid" value="#{userView.user.user.id}" />
-			</p:button>
+			
 			<users:edit commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 
 			<h:form id="roleform" rendered="#{roleView.canReadRoles}">

code/moya-web/WebContent/useradmin/userCartShow.xhtml

@@ -55,11 +55,6 @@
 				</h:link>
 			</p>
 
-			<p>
-				<h:link outcome="/useradmin/changePassword" value="#{i18n['submenu.user.changePassword']}">
-					<f:param name="userid" value="#{userView.user.user.id}" />
-				</h:link>
-			</p>
 
 			<users:edit id="useredit" commitaction="#{userCartView.saveUser()}" commitvalue="#{i18n['user.save']}" />
 

code/moya-web/src/main/java/fi/codecrew/moya/web/cdiview/user/PasswordView.java

@@ -27,7 +27,6 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import fi.codecrew.moya.beans.UserBeanLocal;
-import fi.codecrew.moya.enums.apps.UserPermission;
 import fi.codecrew.moya.model.EventUser;
 import fi.codecrew.moya.web.annotations.SelectedUser;
 import fi.codecrew.moya.web.cdiview.GenericCDIView;
@@ -55,22 +54,20 @@ public class PasswordView extends GenericCDIView {
 	private static final Logger logger = LoggerFactory.getLogger(PasswordView.class);
 
 	public String changePassword() {
-		boolean mod = permbean.hasPermission(UserPermission.MODIFY);
-		if (permbean.isCurrentUser(user) || mod) {
-			logger.debug("foo {}, {}", mod, user.checkPassword(oldPassword));
-
-			if (!user.checkPassword(oldPassword)) {
-				super.addFaceMessage("userview.oldPasswordError");
-			} else if (password == null || !password.equals(passwordcheck)) {
-				super.addFaceMessage("userview.passwordsDontMatch");
-			} else {
-				user.getUser().resetPassword(password);
-				user = userbean.mergeChanges(user);
-				return "/user/edit";
-			}
-			return null;
+		if (!permbean.isCurrentUser(user)) {
+			return "permissionDenied";
 		}
-		return "permissionDenied";
+		if (!user.checkPassword(oldPassword)) {
+			super.addFaceMessage("userview.oldPasswordError");
+		} else if (password == null || !password.equals(passwordcheck)) {
+			super.addFaceMessage("userview.passwordsDontMatch");
+		} else {
+			user.getUser().resetPassword(password);
+			user = userbean.mergeChanges(user);
+			return "/user/edit";
+		}
+		return null;
+
 	}
 
 	public EventUser getUser() {