
[mapi] BM-14936 Fix: prevent creation of public folders without ACL check

Thomas Fricker authored on 24/06/2019 09:25:02
Showing 4 changed files
... ...
@@ -47,7 +47,7 @@ public interface IContainerManagement {
47 47
 	 * store container ACL
48 48
 	 * 
49 49
 	 * @param entries
50
-	 *            acl
50
+	 *                    acl
51 51
 	 * @throws ServerFault
52 52
 	 */
53 53
 	@PUT
... ...
@@ -156,6 +156,10 @@ public interface IContainerManagement {
156 156
 	@Path("{subject}/offlineSync")
157 157
 	public void disallowOfflineSync(@PathParam("subject") String subject) throws ServerFault;
158 158
 
159
+	@POST
160
+	@Path("_canAccess")
161
+	public boolean canAccess(List<String> verbsOrRoles) throws ServerFault;
162
+
159 163
 	@GET
160 164
 	@Path("_itemCount")
161 165
 	public Count getItemCount() throws ServerFault;
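Review bot: The new `canAccess` declaration (new lines 159–161) has no Javadoc, unlike the documented methods around it, and its contract cannot be read from the signature. The tests added in this commit show it answers true when the caller holds any one of the listed verbs, and that a Write entry also satisfies Read, so a caller passing several verbs and expecting all of them to be required would get a more permissive answer than intended. I would document that above the annotations, for example `/** @return true if the calling session holds at least one of the given verbs or roles on this container (any-of, not all-of) */`. It would also help to state what an empty list returns.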
... ...
@@ -78,7 +78,7 @@ public class FlatHierarchyRepair implements IDirEntryRepairSupport {
78 78
 			if (entry.system) {
79 79
 				return;
80 80
 			}
81
-			logger.info("Check flat hier for {} as {}", entry, context);
81
+			logger.info("Checking flat hier for {} as {}", entry, context);
82 82
 
83 83
 		}
84 84
 
... ...
@@ -92,7 +92,7 @@ public class FlatHierarchyRepair implements IDirEntryRepairSupport {
92 92
 			if (entry.system) {
93 93
 				return;
94 94
 			}
95
-			logger.info("Repair flat hier for {} as {}", entry, context);
95
+			logger.info("Repairing flat hier for {} as {}", entry, context);
96 96
 			IInternalContainersFlatHierarchyMgmt mgmtApi = context.provider()
97 97
 					.instance(IInternalContainersFlatHierarchyMgmt.class, domainUid, entry.entryUid);
98 98
 			mgmtApi.init();
... ...
@@ -8,6 +8,7 @@ import static org.junit.Assert.fail;
8 8
 
9 9
 import java.sql.SQLException;
10 10
 import java.util.Arrays;
11
+import java.util.Collections;
11 12
 import java.util.HashMap;
12 13
 import java.util.List;
13 14
 
... ...
@@ -66,6 +67,8 @@ public class ContainerManagementTests {
66 67
 		PopulateHelper.addDomain(domainUid);
67 68
 		PopulateHelper.addUser("subject", domainUid);
68 69
 
70
+		PopulateHelper.addUser("accesstest", domainUid);
71
+
69 72
 		testSecurityContext = new SecurityContext("testSessionId", "test", Arrays.<String>asList(testGroup),
70 73
 				Arrays.<String>asList(), domainUid);
71 74
 
... ...
@@ -317,6 +320,44 @@ public class ContainerManagementTests {
317 320
 	}
318 321
 
319 322
 	@Test
323
+	public void testAccess() throws SQLException {
324
+		SecurityContext ctx = new SecurityContext("accesstest", "accesstest", Collections.emptyList(),
325
+				Arrays.<String>asList(), domainUid);
326
+		Sessions.get().put(ctx.getSessionId(), ctx);
327
+
328
+		IContainerManagement containerManagement = service(ctx, containerId);
329
+
330
+		aclStore.store(container, Collections.emptyList());
331
+
332
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Read.name())));
333
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Write.name())));
334
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Manage.name())));
335
+
336
+		assertFalse(
337
+				containerManagement.canAccess(Arrays.asList(Verb.Read.name(), Verb.Write.name(), Verb.Manage.name())));
338
+
339
+		aclStore.store(container, Arrays.asList(AccessControlEntry.create(ctx.getSubject(), Verb.Read)));
340
+
341
+		assertTrue(containerManagement.canAccess(Arrays.asList(Verb.Read.name())));
342
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Write.name())));
343
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Manage.name())));
344
+
345
+		assertTrue(
346
+				containerManagement.canAccess(Arrays.asList(Verb.Read.name(), Verb.Write.name(), Verb.Manage.name())));
347
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Write.name(), Verb.Manage.name())));
348
+
349
+		aclStore.store(container, Arrays.asList(AccessControlEntry.create(ctx.getSubject(), Verb.Write)));
350
+
351
+		assertTrue(containerManagement.canAccess(Arrays.asList(Verb.Read.name())));
352
+		assertTrue(containerManagement.canAccess(Arrays.asList(Verb.Write.name())));
353
+		assertFalse(containerManagement.canAccess(Arrays.asList(Verb.Manage.name())));
354
+
355
+		assertTrue(
356
+				containerManagement.canAccess(Arrays.asList(Verb.Read.name(), Verb.Write.name(), Verb.Manage.name())));
357
+		assertTrue(containerManagement.canAccess(Arrays.asList(Verb.Write.name(), Verb.Manage.name())));
358
+	}
359
+
360
+	@Test
320 361
 	public void getItemCount() throws SQLException {
321 362
 		IContainerManagement containerManagement = service(testSecurityContext, containerId);
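Review bot: `testAccess` (new lines 323–358) only passes well-formed verb names; nothing asserts the result for an empty list or for a string that is not a known verb or role, which are the inputs where an access check is most likely to fail open. The parameter is called `verbsOrRoles`, but the SecurityContext built at new lines 324–325 appears to carry no roles, so the role path is not exercised either. I would add `assertFalse(containerManagement.canAccess(Collections.emptyList()));` and `assertFalse(containerManagement.canAccess(Arrays.asList("NotAVerb")));` right after the first `aclStore.store(container, Collections.emptyList())`, or assert a ServerFault if that is the intended contract. A further case using a context that holds a role would cover the role path.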
322 363
 
... ...
@@ -325,4 +325,9 @@ public class ContainerManagement implements IContainerManagement {
325 325
 		}
326 326
 	}
327 327
 
328
+	@Override
329
+	public boolean canAccess(List<String> verbsOrRoles) throws ServerFault {
330
+		return rbacManager.can(verbsOrRoles.toArray(new String[0]));
331
+	}
332
+
328 333
 }
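Review bot: `canAccess` (new lines 329–331) dereferences `verbsOrRoles` without a guard, so a POST with a missing or null body would surface as a NullPointerException rather than a ServerFault. The answer for an empty list depends entirely on what `rbacManager.can()` returns when called with no arguments, which is not visible in this diff; if that is true, the check fails open. Going by the commit title this result presumably gates public-folder creation, so I would deny explicitly before delegating: `if (verbsOrRoles == null || verbsOrRoles.isEmpty()) { return false; }`. The operation that creates the folder should still enforce the ACL itself rather than rely on the client having called `_canAccess` first.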