Merge pull request #128 from EUSurvey/ESURVEY-6660

Esurvey 6660

Author: clam2310

src/main/java/com/ec/survey/controller/AddressBookController.java

@@ -1,5 +1,6 @@
 package com.ec.survey.controller;
 
+import com.ec.survey.exception.ForbiddenURLException;
 import com.ec.survey.exception.MessageException;
 import com.ec.survey.model.Paging;
 import com.ec.survey.model.ParticipationGroup;
@@ -70,7 +71,6 @@ public class AddressBookController extends BasicController {
 	@SuppressWarnings("unchecked")
 	@RequestMapping(method = {RequestMethod.GET, RequestMethod.HEAD})
 	public ModelAndView attendees(HttpServletRequest request) throws Exception {
-		
 		User user = sessionService.getCurrentUser(request);		
 		int ownerId;
 		if (user.getGlobalPrivileges().get(GlobalPrivilege.ContactManagement) == 2)
@@ -132,9 +132,7 @@ public ModelAndView attendees(HttpServletRequest request) throws Exception {
 
     	if (request.getParameter("added") != null)
     	{
-    		Attendee addedContact = attendeeService.get(Integer.parseInt(request.getParameter("added")));
     		result.addObject("added", true);
-    		result.addObject("addedContact", addedContact);
     	} else if (request.getParameter("edited") != null && request.getParameter("edited").length() > 0)
 		{
 			if (!request.getParameter("edited").equalsIgnoreCase("batch"))
@@ -1316,12 +1314,9 @@ public String delete(@RequestParam("id") String id, HttpServletRequest request)
 	@SuppressWarnings("unchecked")
 	@RequestMapping( value = "/editAttendee/{id}", method = {RequestMethod.GET, RequestMethod.HEAD})
 	public ModelAndView edit(@PathVariable("id") String id, HttpServletRequest request) throws Exception {	
-		
 		Attendee attendee = attendeeService.get(Integer.parseInt(id));
-		
 		Paging<Attendee> paging = (Paging<Attendee>) request.getSession().getAttribute("attendees-paging");
 		HashMap<String, String> filter = (HashMap<String, String>) request.getSession().getAttribute("attendees-filter");
-		
 		User user = sessionService.getCurrentUser(request);
 
 		int ownerId;
@@ -1330,8 +1325,13 @@ public ModelAndView edit(@PathVariable("id") String id, HttpServletRequest reque
     	{
 			ownerId = -1;
     	} else {
-    		ownerId = user.getId();    		
-    	}
+			ownerId = user.getId();  
+			if (attendee.getOwnerId() != ownerId) {
+				if (!attendeeService.getAccessibleAttendees(ownerId, null).contains(attendee.getId())) {
+					throw new ForbiddenURLException();
+				}
+			}		
+		}
 
 		paging.setItems(attendeeService.getAttendees(ownerId, filter, paging.getCurrentPage(), paging.getItemsPerPage()));		
 

src/main/java/com/ec/survey/controller/SettingsController.java

@@ -1,5 +1,6 @@
 package com.ec.survey.controller;
 
+import com.ec.survey.exception.ForbiddenURLException;
 import com.ec.survey.model.administration.GlobalPrivilege;
 import com.ec.survey.model.administration.User;
 import com.ec.survey.model.attendees.Attendee;
@@ -29,6 +30,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -48,7 +50,7 @@ public class SettingsController extends BasicController {
 
 	@Resource(name="attendeeService")
 	private AttendeeService attendeeService;
-	
+
 	@Autowired private LocaleResolver localeResolver;
 
 	@RequestMapping(method = {RequestMethod.GET, RequestMethod.HEAD})
@@ -285,19 +287,42 @@ public ModelAndView shareEdit(@PathVariable String pid, HttpServletRequest reque
 	}
 
 	@RequestMapping(value = "/userExists", headers="Accept=*/*", method=RequestMethod.GET)
-	public @ResponseBody boolean userExists(HttpServletRequest request, HttpServletResponse response ) {
+	public @ResponseBody boolean userExists(HttpServletRequest request, HttpServletResponse response )
+			throws NotAgreedToTosException, WeakAuthenticationException, ForbiddenURLException {
 		HashMap<String,String[]> parameters = Ucs2Utf8.requestToHashMap(request);
-		
-		String login = parameters.get("login")[0];
-		
-		User user;
-		try {
-			user = administrationService.getUserForLogin(login);			
-		} catch (Exception e) {
-			return false;
+		User userInRequest = sessionService.getCurrentUser(request);
+		User user = administrationService.getUser(userInRequest.getId());
+		Date now = new Date();
+		Date lastAttemptMoment = new Date();
+		if (user.getUserExistsAttemptDate() != null) {
+			lastAttemptMoment = user.getUserExistsAttemptDate();
+		} else {
+			user.setUserExistsAttemptDate(now);
 		}
 
-		return user != null;
+		long lastAttemptMomentPlusOneHourLong = lastAttemptMoment.getTime() + 1000L * 60L * 60L;
+		Date lastAttemptMomentPlusOneHour = new Date(lastAttemptMomentPlusOneHourLong);
+		int numberOfAttemptsInOneHour = user.getUserExistsAttempts();
+		if (now.after(lastAttemptMomentPlusOneHour)) {
+			// reinit
+			numberOfAttemptsInOneHour = 1;
+			user.setUserExistsAttempts(numberOfAttemptsInOneHour);
+			user.setUserExistsAttemptDate(now);
+		} else {
+			// adding
+			numberOfAttemptsInOneHour += 1;
+			user.setUserExistsAttempts(numberOfAttemptsInOneHour);
+			if (numberOfAttemptsInOneHour > 30) {
+				throw new ForbiddenURLException();
+				// not saving the user since this would overload the Users table
+			}
+		}
+		administrationService.updateUser(user);
+		sessionService.setCurrentUser(request, user);	
+	
+		String login = parameters.get("login")[0];
+		User searchedUser = administrationService.getUserForLogin(login);	
+		return searchedUser != null;
 	}
 
 	@RequestMapping(value = "/createStaticShare", method = RequestMethod.POST)

src/main/java/com/ec/survey/model/administration/User.java

@@ -46,6 +46,8 @@ public class User implements java.io.Serializable {
 	private Date validationCodeGeneration;
 	private List<String> departments = new ArrayList<>();
 	private int badLoginAttempts = 0;
+	private int userExistsAttempts = 0;
+	private Date userExistsAttemptDate;
 	private boolean agreedToToS;
 	private Integer lastEditedSurvey;
 	private boolean canCreateSurveys = true;
@@ -271,6 +273,22 @@ public int getBadLoginAttempts() {
 	public void setBadLoginAttempts(Integer badLoginAttempts) {
 		this.badLoginAttempts = badLoginAttempts != null ? badLoginAttempts : 0;
 	}
+
+	@Column(name = "USER_EXISTS_ATTEMPS") 
+	public int getUserExistsAttempts() {
+		return this.userExistsAttempts;
+	}
+	public void setUserExistsAttempts(Integer userExistsAttempts) {
+		this.userExistsAttempts = userExistsAttempts != null ? userExistsAttempts : 0;
+	}
+
+	@Column(name = "USER_EXISTS_ATTEMPT_DATE")
+	public Date getUserExistsAttemptDate() {
+		return userExistsAttemptDate;
+	}	
+	public void setUserExistsAttemptDate(Date userExistsAttemptDate) {
+		this.userExistsAttemptDate = userExistsAttemptDate;
+	}
 
 	@Column(name = "USER_TOS")
 	public boolean isAgreedToToS() {

src/main/java/com/ec/survey/service/AttendeeService.java

@@ -175,22 +175,38 @@ public int getNumberOfAttendees(Integer ownerId, HashMap<String, String> attribu
 
 		return ConversionTools.getValue(query.uniqueResult());		
 	}
+
+	@Transactional(readOnly = true)
+	@SuppressWarnings("unchecked")
+	public List<Integer> getAccessibleAttendees(Integer ownerId, HashMap<String,String> attributeFilter) throws Exception {
+		Session session = sessionFactory.getCurrentSession();
+		
+		HashMap<String, Object> parameters = new HashMap<>();
+		String sql = getSql(session, ownerId, attributeFilter, parameters, false);
+		
+		SQLQuery query = session.createSQLQuery("SELECT a.ATTENDEE_ID " + sql);
+		sqlQueryService.setParameters(query, parameters);
+
+		@SuppressWarnings("rawtypes")
+		List res = query.list();
+		return res;
+	}
 
-	private String getSql(Session session, Integer ownerId, Map<String, String> hashMap, HashMap<String, Object> oQueryParameters, boolean onlywritableshares) {
+	private String getSql(Session session, Integer ownerId, Map<String, String> attributeFilter, HashMap<String, Object> oQueryParameters, boolean onlywritableshares) {
 
 		StringBuilder sql = new StringBuilder("FROM ATTENDEE a");
 
-		if (hashMap != null && hashMap.size() > 0)
+		if (attributeFilter != null && attributeFilter.size() > 0)
 		{
-			for (String key : hashMap.keySet())
+			for (String key : attributeFilter.keySet())
 			{
-				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner") && !key.equalsIgnoreCase("_csrf") && !key.startsWith("visibleAttendee") && hashMap.get(key) != null && hashMap.get(key).trim().length() > 0)
+				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner") && !key.equalsIgnoreCase("_csrf") && !key.startsWith("visibleAttendee") && attributeFilter.get(key) != null && attributeFilter.get(key).trim().length() > 0)
 				{
 					sql.append(" LEFT OUTER JOIN ATTRIBUTE at ON at.ATTE_ID = a.ATTENDEE_ID ");
 					break;
 				}					
 			}
-			if (hashMap.containsKey("owner") && hashMap.get("owner") != null && hashMap.get("owner").length() > 0)
+			if (attributeFilter.containsKey("owner") && attributeFilter.get("owner") != null && attributeFilter.get("owner").length() > 0)
 			{
 				sql.append(" JOIN USERS u ON u.USER_ID = a.OWNER_ID ");
 			}
@@ -212,15 +228,15 @@ private String getSql(Session session, Integer ownerId, Map<String, String> hash
 
 		sql.append(" AND a.ATTENDEE_HIDDEN IS NULL");
 
-		if (hashMap != null && hashMap.size() > 0)
+		if (attributeFilter != null && attributeFilter.size() > 0)
 		{
 			int counter = 0;
-			for (String key : hashMap.keySet())
+			for (String key : attributeFilter.keySet())
 			{
 				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner"))
 				try {
 					int intKey = Integer.parseInt(key);
-					String value = hashMap.get(key).trim();
+					String value = attributeFilter.get(key).trim();
 
 					if (value.length() > 0)
 					{
@@ -234,22 +250,22 @@ private String getSql(Session session, Integer ownerId, Map<String, String> hash
 				}			
 			}
 
-			if (hashMap.containsKey("name") && hashMap.get("name") != null && hashMap.get("name").length() > 0)
+			if (attributeFilter.containsKey("name") && attributeFilter.get("name") != null && attributeFilter.get("name").length() > 0)
 			{
 				sql.append(" AND a.ATTENDEE_NAME like :name");
-				oQueryParameters.put("name", "%" + hashMap.get("name") + "%");
+				oQueryParameters.put("name", "%" + attributeFilter.get("name") + "%");
 			}
 
-			if (hashMap.containsKey("email") && hashMap.get("email") != null && hashMap.get("email").length() > 0)
+			if (attributeFilter.containsKey("email") && attributeFilter.get("email") != null && attributeFilter.get("email").length() > 0)
 			{
 				sql.append(" AND a.ATTENDEE_EMAIL like :email");
-				oQueryParameters.put("email", "%" + hashMap.get("email") + "%");
+				oQueryParameters.put("email", "%" + attributeFilter.get("email") + "%");
 			}
 
-			if (hashMap.containsKey("owner") && hashMap.get("owner") != null && hashMap.get("owner").length() > 0)
+			if (attributeFilter.containsKey("owner") && attributeFilter.get("owner") != null && attributeFilter.get("owner").length() > 0)
 			{
 				sql.append(" AND (u.USER_DISPLAYNAME like :owner OR u.USER_LOGIN like :owner)");
-				oQueryParameters.put("owner", "%" + hashMap.get("owner") + "%");
+				oQueryParameters.put("owner", "%" + attributeFilter.get("owner") + "%");
 			}
 		}
 

src/main/webapp/WEB-INF/classes/messages_en.properties

@@ -142,6 +142,8 @@ error.nouserselected = Please select a user
 error.OwnerNotValid = The selected owner is not a valid user
 error.PasswordWeak = Please choose a password between 8 and 16 characters with at least one digit and one non-alphanumeric character (e.g. !?$%...).
 error.PleaseReload = There was a problem. Please reload the page.
+error.UsersTooOftenAddressBook = You have exceeded the number of contact edits you may perform per hour.
+error.UsersTooOftenShares = You have exceeded the number of shares you may perform per hour.
 error.RequestTranslation = Request for translation failed
 error.ResetCodeInvalid = You did not provide a valid password reset code!
 error.ResetCodeOutdated = This password reset code is not valid anymore! Please request a new one.

src/main/webapp/WEB-INF/views/addressbook/addressbook-batch.jsp

@@ -89,29 +89,31 @@
 							</c:if>
 
 							<c:forEach items="${attributeNames}" var="attributeName">
-								<tr>
-									<td><esapi:encodeForHTML>${attributeName.name}</esapi:encodeForHTML><input type="hidden" class="existingbatchkey" value="<esapi:encodeForHTMLAttribute>${attributeName.name}</esapi:encodeForHTMLAttribute>" /></td>
-									<td style="width: 250px;"><select class="form-control" onchange="checkAttributeSelection(this)"
-										name="attribute<esapi:encodeForHTMLAttribute>${attributeName.id}</esapi:encodeForHTMLAttribute>">
-											<option value="0" selected="selected">
-												<spring:message code="label.KeepValue" />
-											</option>
-											<option value="-1">
-												<spring:message code="label.ClearValue" />
-											</option>
-											<option value="-2">
-												<spring:message code="label.NewValue" />
-											</option>
-
-											<c:if test="${attributeValues.get(attributeName.id).size() > 0}">
-												<option disabled="disabled">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</option>
-											</c:if>
-
-											<c:forEach items="${attributeValues.get(attributeName.id)}" var="value">
-												<option><esapi:encodeForHTML>${value}</esapi:encodeForHTML></option>
-											</c:forEach>
-									</select></td>
-								</tr>
+								<c:if test="${attributeName.name != 'Owner'}">
+									<tr>
+										<td><esapi:encodeForHTML>${attributeName.name}</esapi:encodeForHTML><input type="hidden" class="existingbatchkey" value="<esapi:encodeForHTMLAttribute>${attributeName.name}</esapi:encodeForHTMLAttribute>" /></td>
+										<td style="width: 250px;"><select class="form-control" onchange="checkAttributeSelection(this)"
+											name="attribute<esapi:encodeForHTMLAttribute>${attributeName.id}</esapi:encodeForHTMLAttribute>">
+												<option value="0" selected="selected">
+													<spring:message code="label.KeepValue" />
+												</option>
+												<option value="-1">
+													<spring:message code="label.ClearValue" />
+												</option>
+												<option value="-2">
+													<spring:message code="label.NewValue" />
+												</option>
+
+												<c:if test="${attributeValues.get(attributeName.id).size() > 0}">
+													<option disabled="disabled">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</option>
+												</c:if>
+
+												<c:forEach items="${attributeValues.get(attributeName.id)}" var="value">
+													<option><esapi:encodeForHTML>${value}</esapi:encodeForHTML></option>
+												</c:forEach>
+										</select></td>
+									</tr>
+								</c:if>
 							</c:forEach>
 
 						</tbody>

src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp

@@ -16,6 +16,7 @@
 	<script type="text/javascript" src="${contextpath}/resources/js/configure.js?version=<%@include file="../version.txt" %>"></script>
 	<script type="text/javascript" src="${contextpath}/resources/js/jquery.stickytableheaders.js?version=<%@include file="../version.txt" %>"></script>
 	<script type="text/javascript" src="${contextpath}/resources/js/fileuploader.js?version=<%@include file="../version.txt" %>"></script>
+	<script type="text/javascript" src="${contextpath}/resources/js/menu.js?version=<%@include file="../version.txt" %>"></script>
 
 	<style>
 	    #sortable { list-style-type: none; margin: 0; padding: 0; width: 190px; }
@@ -35,6 +36,7 @@
 
 	<script type="text/javascript"> 
 		var labelRemoveAttribute = '<spring:message code="label.RemoveAttribute" />';
+		var usersTooOftenAddressBook = '<spring:message code="error.UsersTooOftenAddressBook" />';
 	
 		$(function() {					
 			$("#addressbook-menu-tab").addClass("active");
@@ -881,7 +883,7 @@
 
 	<c:if test="${added != null}">
 		<script type="text/javascript">
-			showInfo('<spring:message code="label.Contact" />&nbsp;<esapi:encodeForHTML>${addedContact.name}</esapi:encodeForHTML>&nbsp;<spring:message code="message.AttendeeAdded" />');
+			showInfo('<spring:message code="label.Contact" />&nbsp;<spring:message code="message.AttendeeAdded" />');
 		</script>
 	</c:if>
 

src/main/webapp/WEB-INF/views/settings/shares.jsp

@@ -13,6 +13,7 @@
 	<script type="text/javascript" src="${contextpath}/resources/js/shares.js?version=<%@include file="../version.txt" %>"></script>	
 
 	<script type="text/javascript">
+		var usersTooOftenShares = '<spring:message code="error.UsersTooOftenShares" />';
 		$(function() {					
 			$("#settings-menu-tab").addClass("active");
 			$("#shares-button").removeClass("InactiveLinkButton").addClass("ActiveLinkButton");

src/main/webapp/resources/js/addressbook.js

@@ -775,17 +775,21 @@ function checkOwnerAndSubmit()
 			  ok = false;
 		}
 	}
-	
+
 	if (owner != null && owner.trim().length > 0)
 	{				
 		$.ajax({
 			type:'GET',
+			  async: false,
 			  url: contextpath + "/settings/userExists",
 			  data: "login=" + owner,
 			  dataType: 'json',
 			  cache: false,
+			  error: function() {
+				ok = false;
+				showError(usersTooOftenAddressBook);
+			  },
 			  success: function( exists ) {
-				  
 				  if (exists == true)
 				  {
 					  ok = true;

src/main/webapp/resources/js/shares.js

@@ -441,6 +441,9 @@
 				  data: "login=" + recipient,
 				  dataType: 'json',
 				  cache: false,
+				  error: function() {
+					showError(usersTooOftenShares);
+				  },
 				  success: function( exists ) {
 
 					  if (exists == true)