
Commit 0a66e5f

authored
fix(ui): disallow content labeling when contributor is not signed on (#2345)
2 parents a90747c + 73857bc commit 0a66e5f


4 files changed

+57
-13
lines changed


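--- a/pom-dependency-tree.txt
+++ b/pom-dependency-tree.txt
@@ -1,4 +1,4 @@
-ai.elimu:webapp:war:2.6.139-SNAPSHOT
+ai.elimu:webapp:war:2.6.140-SNAPSHOT
 +- ai.elimu:model:jar:model-2.0.124:compile
 | \- com.google.code.gson:gson:jar:2.13.1:compile
 | \- com.google.errorprone:error_prone_annotations:jar:2.38.0:compile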

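--- a/src/main/java/ai/elimu/web/content/emoji/EmojiEditController.java
+++ b/src/main/java/ai/elimu/web/content/emoji/EmojiEditController.java
@@ -11,6 +11,7 @@
 import ai.elimu.util.DiscordHelper.Channel;
 import ai.elimu.util.DomainHelper;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 import jakarta.validation.Valid;
 
@@ -23,6 +24,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@@ -110,10 +112,17 @@ public String handleSubmit(
 @ResponseBody
 public String handleAddContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleAddContentLabelRequest");
 
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
+
 log.info("id: " + id);
 Emoji emoji = emojiDao.read(id);
 
@@ -129,7 +138,7 @@ public String handleAddContentLabelRequest(
 emojiDao.update(emoji);
 
 EmojiContributionEvent emojiContributionEvent = new EmojiContributionEvent();
-emojiContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+emojiContributionEvent.setContributor(contributor);
 emojiContributionEvent.setTimestamp(Calendar.getInstance());
 emojiContributionEvent.setEmoji(emoji);
 emojiContributionEvent.setRevisionNumber(emoji.getRevisionNumber());
@@ -145,10 +154,17 @@ public String handleAddContentLabelRequest(
 @ResponseBody
 public String handleRemoveContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleRemoveContentLabelRequest");
 
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
+
 log.info("id: " + id);
 Emoji emoji = emojiDao.read(id);
 
@@ -169,7 +185,7 @@ public String handleRemoveContentLabelRequest(
 emojiDao.update(emoji);
 
 EmojiContributionEvent emojiContributionEvent = new EmojiContributionEvent();
-emojiContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+emojiContributionEvent.setContributor(contributor);
 emojiContributionEvent.setTimestamp(Calendar.getInstance());
 emojiContributionEvent.setEmoji(emoji);
 emojiContributionEvent.setRevisionNumber(emoji.getRevisionNumber());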
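Review bot: The signed-on guard at the top of `handleAddContentLabelRequest` and `handleRemoveContentLabelRequest` is pasted in by hand, and the same six lines appear again in both handlers of ImageEditController and VideoEditController, so a label endpoint that is added or overlooked later stays open to sessions without a contributor. Consider enforcing the check in one place, such as a Spring `HandlerInterceptor` registered for the content edit paths or a shared helper that every handler calls first. The rejection is also silent: a line such as `log.warn("Content label request rejected: no contributor in session, id: " + id);` before `return "error";` would leave a trace for monitoring. Both handler bodies continue outside the hunks, and `handleSubmit`, named in a hunk header, is not shown, so whether it has an equivalent check cannot be confirmed from here.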

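--- a/src/main/java/ai/elimu/web/content/multimedia/image/ImageEditController.java
+++ b/src/main/java/ai/elimu/web/content/multimedia/image/ImageEditController.java
@@ -26,6 +26,7 @@
 import ai.elimu.util.GitHubLfsHelper;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 
 import java.io.File;
@@ -44,6 +45,7 @@
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@@ -253,15 +255,20 @@ protected void initBinder(HttpServletRequest request, ServletRequestDataBinder b
 @ResponseBody
 public String handleAddContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleAddContentLabelRequest");
+
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
 
 log.info("id: " + id);
 Image image = imageDao.read(id);
 
-Contributor contributor = (Contributor) session.getAttribute("contributor");
-
 String letterIdParameter = request.getParameter("letterId");
 log.info("letterIdParameter: " + letterIdParameter);
 if (StringUtils.isNotBlank(letterIdParameter)) {
@@ -332,15 +339,20 @@ public String handleAddContentLabelRequest(
 @ResponseBody
 public String handleRemoveContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleRemoveContentLabelRequest");
 
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
+
 log.info("id: " + id);
 Image image = imageDao.read(id);
 
-Contributor contributor = (Contributor) session.getAttribute("contributor");
-
 String letterIdParameter = request.getParameter("letterId");
 log.info("letterIdParameter: " + letterIdParameter);
 if (StringUtils.isNotBlank(letterIdParameter)) {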
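Review bot: `response.setStatus(HttpStatus.FORBIDDEN.value());` answers a request that has no signed-on contributor with 403, where 401 is the conventional status for a missing or expired sign-on and 403 is kept for a known user who lacks permission. Using `response.setStatus(HttpStatus.UNAUTHORIZED.value());` in both handlers here, and in the matching guards of the other two controllers, would let the calling script tell "sign in again" apart from "not allowed", which matters once a permission check is added. The literal body `"error"` is written to the response because of `@ResponseBody`; presumably the caller compares it with the success body, which lies outside these hunks.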

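--- a/src/main/java/ai/elimu/web/content/multimedia/video/VideoEditController.java
+++ b/src/main/java/ai/elimu/web/content/multimedia/video/VideoEditController.java
@@ -24,6 +24,7 @@
 import ai.elimu.util.GitHubLfsHelper;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;
 
 import java.io.IOException;
@@ -36,6 +37,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang.StringUtils;
+import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.validation.BindingResult;
@@ -185,10 +187,17 @@ protected void initBinder(HttpServletRequest request, ServletRequestDataBinder b
 @ResponseBody
 public String handleAddContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleAddContentLabelRequest");
 
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
+
 log.info("id: " + id);
 Video video = videoDao.read(id);
 
@@ -204,7 +213,7 @@ public String handleAddContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());
@@ -225,7 +234,7 @@ public String handleAddContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());
@@ -246,7 +255,7 @@ public String handleAddContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());
@@ -262,10 +271,17 @@ public String handleAddContentLabelRequest(
 @ResponseBody
 public String handleRemoveContentLabelRequest(
 HttpServletRequest request,
+HttpServletResponse response,
 HttpSession session,
 @PathVariable Long id) {
 log.info("handleRemoveContentLabelRequest");
 
+Contributor contributor = (Contributor) session.getAttribute("contributor");
+if (contributor == null) {
+response.setStatus(HttpStatus.FORBIDDEN.value());
+return "error";
+}
+
 log.info("id: " + id);
 Video video = videoDao.read(id);
 
@@ -286,7 +302,7 @@ public String handleRemoveContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());
@@ -311,7 +327,7 @@ public String handleRemoveContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());
@@ -336,7 +352,7 @@ public String handleRemoveContentLabelRequest(
 videoDao.update(video);
 
 VideoContributionEvent videoContributionEvent = new VideoContributionEvent();
-videoContributionEvent.setContributor((Contributor) session.getAttribute("contributor"));
+videoContributionEvent.setContributor(contributor);
 videoContributionEvent.setTimestamp(Calendar.getInstance());
 videoContributionEvent.setVideo(video);
 videoContributionEvent.setRevisionNumber(video.getRevisionNumber());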
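Review bot: The guard in `handleAddContentLabelRequest` and `handleRemoveContentLabelRequest` establishes only that the session holds a `contributor` attribute; nothing in the visible lines decides whether that contributor is allowed to change labels on this video. If every signed-on contributor is meant to have that right, state it next to the guard, for example `// Authentication only: any signed-on contributor may edit labels.`; if the project distinguishes contributor roles, the role should be checked before `videoDao.read(id)`. The request mapping annotation and any CSRF protection for these session-authenticated, state-changing handlers are outside the hunks and are worth confirming in the same pass.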
