Check permissions to view images and cards..

Tuomas Riihimäki
Commit c5b4eacb authored Sep 08, 2014 by Tuomas Riihimäki
Showing with 20 additions and 3 deletions
code/MoyaWeb/src/fi/codecrew/moya/servlet/FileDownloadServlet.java
--- a/code/MoyaWeb/src/fi/codecrew/moya/servlet/FileDownloadServlet.java
+++ b/code/MoyaWeb/src/fi/codecrew/moya/servlet/FileDownloadServlet.java
@@ -22,6 +22,7 @@ import fi.codecrew.moya.beans.CardTemplateBeanLocal;
 import fi.codecrew.moya.beans.EventBeanLocal;
 import fi.codecrew.moya.beans.PermissionBeanLocal;
 import fi.codecrew.moya.beans.UserBeanLocal;
+import fi.codecrew.moya.enums.apps.UserPermission;
 import fi.codecrew.moya.model.CardTemplate;
 import fi.codecrew.moya.model.EventUser;
 import fi.codecrew.moya.model.LanEventProperty;
@@ -101,10 +102,19 @@ public class FileDownloadServlet extends GenericImageServlet {
 			}
 		}
 		else if (urlparts.get(0).equals("userimage") && urlparts.size() > 2) {
+
 			int imageid = Integer.parseInt(urlparts.get(1));
 			UserImage image = userbean.findUserimageFORCE(imageid);
 			if (image != null)
 			{
+
+				if (!permbean.isCurrentUser(image.getUser())
+						&& !permbean.hasPermission(UserPermission.VIEW_ALL))
+				{
+					ret.setResponse(HttpServletResponse.SC_FORBIDDEN);
+					return ret;
+				}
+
 				ret.setData(image.getImageData());
 				ret.setImagetype(image.getMimeType());

@@ -131,17 +141,22 @@ public class FileDownloadServlet extends GenericImageServlet {
 					} catch (IOException e) {
 						logger.warn("error creating image on file {}", e);
 					}
+
 				}
+
 			}

-		} else if (urlparts.get(0).equals("usercard") && urlparts.size() > 2)
-		{
+		} else if (urlparts.get(0).equals("usercard") && urlparts.size() > 2) {
 			int userid = Integer.parseInt(urlparts.get(1));

 			EventUser usr = userbean.findByUserId(userid, false);
 			logger.info("Trying to print usercard for user {}", usr);
-
 			if (usr != null) {
+				if (!permbean.isCurrentUser(usr.getUser())
+						&& !permbean.hasPermission(UserPermission.VIEW_ALL)) {
+					ret.setResponse(HttpServletResponse.SC_FORBIDDEN);
+					return ret;
+				}
 				PrintedCard card = cardbean.checkPrintedCard(usr);
 				try {
 					byte[] img = cardprint.constructPNG(card);
@@ -152,6 +167,7 @@ public class FileDownloadServlet extends GenericImageServlet {
 				} catch (Exception e) {
 					logger.warn("Error generating image", e);
 				}
+
 			}
 		}

@@ -161,4 +177,5 @@ public class FileDownloadServlet extends GenericImageServlet {
 		return ret;

 	}
+
 }