more auth/perms cleanup

maxcom · Nov 27, 2024 · ec31c02 · ec31c02
1 parent 9944d24
commit ec31c02
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 39 deletions.
diff --git a/src/main/java/ru/org/linux/user/User.java b/src/main/java/ru/org/linux/user/User.java
@@ -106,16 +106,6 @@ public boolean matchPassword(String password) {
     }
   }
 
-  public void checkBlocked() throws AccessViolationException {
-    if (blocked) {
-      throw new AccessViolationException("Пользователь заблокирован");
-    }
-
-    if (!activated) {
-      throw new AccessViolationException("Пользователь не активирован");
-    }
-  }
-
   public void checkBlocked(Errors errors) {
     if (blocked) {
       errors.reject(null, "Пользователь заблокирован");

diff --git a/src/main/scala/ru/org/linux/user/LostPasswordController.scala b/src/main/scala/ru/org/linux/user/LostPasswordController.scala
@@ -21,7 +21,7 @@ import org.springframework.web.servlet.ModelAndView
 import ru.org.linux.auth.AccessViolationException
 import ru.org.linux.auth.AuthUtil.MaybeAuthorized
 import ru.org.linux.email.EmailService
-import ru.org.linux.site.{BadInputException, Template}
+import ru.org.linux.site.BadInputException
 
 import java.sql.Timestamp
 import javax.mail.internet.AddressException
@@ -35,18 +35,15 @@ class LostPasswordController(userDao: UserDao, userService: UserService, emailSe
   @RequestMapping(method = Array(RequestMethod.POST))
   @throws[Exception]
   def sendPassword(@RequestParam("email") email: String): ModelAndView = MaybeAuthorized { currentUser =>
-    val tmpl = Template.getTemplate
     if (Strings.isNullOrEmpty(email)) throw new BadInputException("email не задан")
 
     val user = userDao.getByEmail(email, true)
     if (user == null) {
       throw new BadInputException("Этот email не зарегистрирован!")
     }
 
-    user.checkBlocked()
-
-    if (user.isAnonymous) {
-      throw new AccessViolationException("Anonymous user")
+    if (!userService.canResetPasswordByCode(user)) {
+      throw new AccessViolationException("Пароль этого пользователя нельзя сбросить через email")
     }
 
     if (user.isModerator && !currentUser.moderator) {

diff --git a/src/main/scala/ru/org/linux/user/ResetPasswordController.scala b/src/main/scala/ru/org/linux/user/ResetPasswordController.scala
@@ -20,8 +20,8 @@ import org.springframework.stereotype.Controller
 import org.springframework.web.bind.annotation.*
 import org.springframework.web.servlet.ModelAndView
 import org.springframework.web.util.UriComponentsBuilder
-import ru.org.linux.auth.AuthUtil.ModeratorOnly
 import ru.org.linux.auth.AccessViolationException
+import ru.org.linux.auth.AuthUtil.ModeratorOnly
 import ru.org.linux.util.StringUtil
 
 import scala.jdk.CollectionConverters.MapHasAsJava
@@ -50,14 +50,8 @@ class ResetPasswordController(userDao: UserDao, userService: UserService) extend
                     @RequestParam("code") formCode: String): ModelAndView = {
     val user = userService.getUser(nick)
 
-    user.checkBlocked()
-
-    if (user.isAnonymous) {
-      throw new AccessViolationException("Anonymous user")
-    }
-
-    if (user.isAdministrator) {
-      throw new AccessViolationException("this feature is not for you, ask me directly")
+    if (!userService.canResetPasswordByCode(user)) {
+      throw new AccessViolationException("Пароль этого пользователя нельзя сбросить")
     }
 
     val resetDate = userDao.getResetDate(user)

diff --git a/src/main/scala/ru/org/linux/user/UserService.scala b/src/main/scala/ru/org/linux/user/UserService.scala
@@ -20,7 +20,8 @@ import com.typesafe.scalalogging.StrictLogging
 import org.springframework.scala.transaction.support.TransactionManagement
 import org.springframework.stereotype.Service
 import org.springframework.transaction.PlatformTransactionManager
-import ru.org.linux.auth.{AccessViolationException, IPBlockDao}
+import ru.org.linux.auth.{AccessViolationException, AnySession, IPBlockDao}
+import ru.org.linux.site.BadInputException
 import ru.org.linux.spring.SiteConfig
 import ru.org.linux.spring.dao.{DeleteInfoDao, UserAgentDao}
 import ru.org.linux.user.UserService.*
@@ -372,4 +373,7 @@ class UserService(siteConfig: SiteConfig, userDao: UserDao, ignoreListDao: Ignor
 
     userDao.block(user, user, "самостоятельная блокировка аккаунта")
   }
+
+  def canResetPasswordByCode(user: User): Boolean =
+    !user.isBlocked && user.isActivated && !user.isAnonymous && !user.isAdministrator
 }
diff --git a/src/main/scala/ru/org/linux/user/WhoisController.scala b/src/main/scala/ru/org/linux/user/WhoisController.scala
@@ -25,6 +25,7 @@ import org.springframework.stereotype.Controller
 import org.springframework.web.bind.annotation.*
 import org.springframework.web.servlet.ModelAndView
 import org.springframework.web.servlet.view.RedirectView
+import ru.org.linux.auth.AccessViolationException
 import ru.org.linux.auth.AuthUtil.MaybeAuthorized
 import ru.org.linux.site.Template
 import ru.org.linux.topic.{TopicDao, TopicPermissionService}
@@ -172,8 +173,8 @@ class WhoisController(userStatisticsService: UserStatisticsService, userDao: Use
   def yearStats(@PathVariable nick: String, request: HttpServletRequest): CompletionStage[Json] = MaybeAuthorized { currentUser =>
     val user = userService.getUser(nick)
 
-    if (!currentUser.moderator) {
-      user.checkBlocked()
+    if (!currentUser.moderator && user.isBlocked) {
+      throw new AccessViolationException("Пользователь заблокирован")
     }
 
     val timezone = request.getAttribute("timezone").asInstanceOf[DateTimeZone]

diff --git a/src/test/java/ru/org/linux/user/UserTest.java b/src/test/java/ru/org/linux/user/UserTest.java
@@ -38,6 +38,16 @@ private void checkFrozen(User user) {
     }
   }
 
+  private void checkBlocked(User user) {
+    var errors = new MapBindingResult(Map.of(), "obj");
+
+    user.checkBlocked(errors);
+
+    if (errors.hasErrors()) {
+      throw new AccessViolationException("Пользователь заблокирован");
+    }
+  }
+
   /**
    * проверка администратора
    * @throws Exception хм
@@ -52,7 +62,7 @@ public void maxcomTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -96,7 +106,7 @@ public void anonymousTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertFalse(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -141,7 +151,7 @@ public void svuTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -188,7 +198,7 @@ public void user5starTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -235,7 +245,7 @@ public void user1starTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -282,7 +292,7 @@ public void user45scoreTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -329,7 +339,7 @@ public void userBlockedTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
       Assert.fail();
     } catch (AccessViolationException e) {
       Assert.assertEquals("Пользователь заблокирован", e.getMessage());
@@ -375,7 +385,7 @@ public void userDefrosedTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -422,7 +432,7 @@ public void userFrozenTest() throws Exception {
     Assert.assertEquals("tango", resultSet.getString("style"));
     Assert.assertTrue(user.matchPassword("passwd"));
     try {
-      user.checkBlocked();
+      checkBlocked(user);
     } catch (AccessViolationException e) {
       Assert.fail();
     }
@@ -472,6 +482,4 @@ public void hizelTest() throws Exception {
     User user = new User(resultSet);
     Assert.assertEquals("0428dfed932b07ea582efd94038b1076", user.getActivationCode("secret"));
   }
-
-
 }