Skip to content

Commit 538d4ad

Browse files
committed
Export: Authentication
- ExportServletHelper: improved user & role checking for the encoded queries - QueryEncoderBackend: always attach user & role in the encoded query - ACR Submit: include role in the export URL
1 parent f4ad0a5 commit 538d4ad

4 files changed

Lines changed: 19 additions & 6 deletions

File tree

JavaSource/org/unitime/timetable/events/QueryEncoderBackend.java

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,7 @@
4343
import org.unitime.timetable.gwt.shared.EventInterface.EncodeQueryRpcRequest;
4444
import org.unitime.timetable.gwt.shared.EventInterface.EncodeQueryRpcResponse;
4545
import org.unitime.timetable.model.HashedQuery;
46+
import org.unitime.timetable.model.Roles;
4647
import org.unitime.timetable.model.dao.HashedQueryDAO;
4748
import org.unitime.timetable.security.SessionContext;
4849

@@ -55,8 +56,8 @@ public class QueryEncoderBackend implements GwtRpcImplementation<EncodeQueryRpcR
5556
@Override
5657
public EncodeQueryRpcResponse execute(EncodeQueryRpcRequest request, SessionContext context) {
5758
String query = request.getQuery() +
58-
(context.getUser() == null ? "" : "&user=" + context.getUser().getExternalUserId() +
59-
(context.getUser() == null || context.getUser().getCurrentAuthority() == null ? "" : "&role=" + context.getUser().getCurrentAuthority().getRole()));
59+
(context.getUser() == null ? "&user=" : "&user=" + context.getUser().getExternalUserId() +
60+
(context.getUser() == null || context.getUser().getCurrentAuthority() == null ? "&role=" + Roles.ROLE_ANONYMOUS : "&role=" + context.getUser().getCurrentAuthority().getRole()));
6061
if (request.isHash() && ApplicationProperty.UrlEncoderHashQueryWhenAsked.isTrue()) {
6162
return new EncodeQueryRpcResponse(encode(query), hash(query));
6263
} else {

JavaSource/org/unitime/timetable/export/ExportServletHelper.java

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@
3939
import org.unitime.timetable.api.ApiToken;
4040
import org.unitime.timetable.defaults.ApplicationProperty;
4141
import org.unitime.timetable.events.QueryEncoderBackend;
42+
import org.unitime.timetable.model.Roles;
4243
import org.unitime.timetable.model.dao.SessionDAO;
4344
import org.unitime.timetable.security.SessionContext;
4445
import org.unitime.timetable.security.UserAuthority;
@@ -77,9 +78,11 @@ public ExportServletHelper(HttpServletRequest request, HttpServletResponse respo
7778
uc = ((ApiToken)SpringApplicationContextHolder.getBean("apiToken")).getContext(getParameter("token"));
7879
if (uc != null) iContext = new CustomExportContext(request.getSession(), uc);
7980
} else if (isRequestEncoded()) {
80-
String user = getParameter("user");
81-
if (user != null)
82-
uc = new UniTimeUserContext(user, null, null, null);
81+
String[] user = getParameterValues("user");
82+
String[] role = getParameterValues("role");
83+
if (user != null && user.length == 1 && user[0] != null && !user[0].isEmpty() &&
84+
role != null && role.length == 1 && role[0] != null && !role[0].isEmpty() && !Roles.ROLE_ANONYMOUS.equals(role[0]))
85+
uc = new UniTimeUserContext(user[0], null, null, null);
8386
}
8487
if (uc != null) {
8588
String role = getParameter("role");

JavaSource/org/unitime/timetable/onlinesectioning/advisors/AdvisorCourseRequestsSubmit.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -82,7 +82,7 @@ public AdvisorCourseRequestSubmission execute(OnlineSectioningServer server, Onl
8282
try {
8383
AdvisorCourseRequestSubmission ret = new AdvisorCourseRequestSubmission();
8484
ret.setName("crf-" + server.getAcademicSession().getTerm() + server.getAcademicSession().getYear() + "-" + getDetails().getStudentName().replaceAll("[&$\\+,/:;=\\?@<>\\[\\]\\{\\}\\|\\^\\~%#`\\t\\s\\n\\r \\\\]", "") + "-" + getDetails().getStudentExternalId());
85-
ret.setLink("export?q=" + QueryEncoderBackend.encode("output=acrf.pdf&sid=" + server.getAcademicSession().getUniqueId() + "&user=" + helper.getUser().getExternalId() + "&id=" + getDetails().getStudentExternalId()));
85+
ret.setLink("export?q=" + QueryEncoderBackend.encode("output=acrf.pdf&sid=" + server.getAcademicSession().getUniqueId() + "&user=" + helper.getUser().getExternalId() + "&role=Advisor&id=" + getDetails().getStudentExternalId()));
8686

8787
OnlineSectioningLog.Action.Builder action = helper.getAction();
8888
action.setStudent(OnlineSectioningLog.Entity.newBuilder()

WebContent/help/Release-Notes.xml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,15 @@
3737
</description>
3838
</item>
3939
</category>
40+
<category>
41+
<title>Administration</title>
42+
<item>
43+
<name>Export: Encrypted URLs</name>
44+
<description>
45+
<line>Fixed a potential vulnerability problem with encrypted export URLs, allowing an attacker to inject a wrong user ID.</line>
46+
</description>
47+
</item>
48+
</category>
4049
</release>
4150

4251
<release>

0 commit comments

Comments
 (0)