From 3894d763069601cf9f62374bca4355256a2faec4 Mon Sep 17 00:00:00 2001
From: Rick Herrick <jrherrick@wustl.edu>
Date: Fri, 9 Sep 2016 16:19:40 -0500
Subject: [PATCH] XNAT-4301 Fixed permissions on user API. Tried to fix
 intermittent concurrent modification error in SecureResource.

---
 src/main/java/org/nrg/xapi/rest/users/UsersApi.java | 13 ++++++++-----
 .../nrg/xnat/restlet/resources/SecureResource.java  |  5 +++--
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/main/java/org/nrg/xapi/rest/users/UsersApi.java b/src/main/java/org/nrg/xapi/rest/users/UsersApi.java
index 499f9298..abcc0abd 100644
--- a/src/main/java/org/nrg/xapi/rest/users/UsersApi.java
+++ b/src/main/java/org/nrg/xapi/rest/users/UsersApi.java
@@ -145,7 +145,7 @@ public class UsersApi extends AbstractXapiRestController {
     @RequestMapping(value = "active/{username}", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
     @ResponseBody
     public ResponseEntity<List<String>> getUserActiveSessions(@ApiParam(value = "ID of the user to fetch", required = true) @PathVariable("username") final String username) {
-        final HttpStatus status = isPermitted();
+        final HttpStatus status = isPermitted(username);
         if (status != null) {
             return new ResponseEntity<>(status);
         }
@@ -162,6 +162,7 @@ public class UsersApi extends AbstractXapiRestController {
             }
             return new ResponseEntity<>(sessionIds, HttpStatus.OK);
         }
+
         return new ResponseEntity<>(HttpStatus.NOT_FOUND);
     }
 
@@ -173,9 +174,11 @@ public class UsersApi extends AbstractXapiRestController {
                    @ApiResponse(code = 500, message = "An unexpected error occurred.")})
     @RequestMapping(value = "{username}", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.GET)
     public ResponseEntity<User> getUser(@ApiParam(value = "Username of the user to fetch.", required = true) @PathVariable("username") final String username) {
-        HttpStatus status = isPermitted(username);
-        if (status != null) {
-            return new ResponseEntity<>(status);
+        if (_preferences.getRestrictUserListAccessToAdmins()) {
+            final HttpStatus status = isPermitted(username);
+            if (status != null) {
+                return new ResponseEntity<>(status);
+            }
         }
         final UserI user;
         try {
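Review bot: When `_preferences.getRestrictUserListAccessToAdmins()` is false, the new `getUser` body returns the requested `User` to any caller with no authorization check at all, so the `isPermitted(username)` check that previously ran unconditionally is removed rather than relaxed. The preference name refers to listing users, whereas this endpoint returns one user's full record, so it is worth confirming the preference is meant to open per-user detail reads too; if non-admins should still be limited to their own record when the preference is off, the caller-equals-username part of the check has to stay outside the `if`. Whichever is intended, a comment at the top of the method such as `// Preference off: any authenticated caller may read any user's record` makes the contract visible, and the endpoint's 403 `@ApiResponse` then only applies in the restricted configuration. The rest of `getUser` continues beyond this hunk.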
@@ -309,7 +312,7 @@ public class UsersApi extends AbstractXapiRestController {
                    @ApiResponse(code = 403, message = "Not authorized to create or update this user."),
                    @ApiResponse(code = 404, message = "User not found."),
                    @ApiResponse(code = 500, message = "An unexpected error occurred.")})
-    @RequestMapping(value = {"{username}", "active/{username}"}, produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.DELETE)
+    @RequestMapping(value = "active/{username}", produces = MediaType.APPLICATION_JSON_VALUE, method = RequestMethod.DELETE)
     public ResponseEntity<List<String>> invalidateUser(final HttpSession current, @ApiParam(value = "The username of the user to invalidate.", required = true) @PathVariable("username") final String username) throws NotFoundException {
         HttpStatus status = isPermitted(username);
         if (status != null) {
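Review bot: Narrowing the DELETE mapping to `active/{username}` drops the `{username}` route, so any client that invalidated sessions via `DELETE .../users/{username}` now gets an unmapped-route response; if that route was ever published this belongs in the API change notes. The 403 `@ApiResponse` kept on this endpoint still reads "Not authorized to create or update this user." although the method invalidates sessions, so `@ApiResponse(code = 403, message = "Not authorized to invalidate this user's sessions.")` would match what it does. The body of `invalidateUser` continues beyond this hunk.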
diff --git a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
index eac158f4..c2b54b8a 100644
--- a/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
+++ b/src/main/java/org/nrg/xnat/restlet/resources/SecureResource.java
@@ -10,7 +10,6 @@
  */
 package org.nrg.xnat.restlet.resources;
 
-import com.fasterxml.jackson.core.type.TypeReference;
 import com.google.common.collect.Maps;
 import com.noelios.restlet.http.HttpConstants;
 import org.apache.commons.beanutils.BeanUtils;
@@ -1564,11 +1563,13 @@ public abstract class SecureResource extends Resource {
                     throw new RuntimeException(exception);
                 }
 
+                final List<FilteredResourceHandlerI> handlerClasses = new ArrayList<>();
                 for (Class<?> clazz : classes) {
                     if (FilteredResourceHandlerI.class.isAssignableFrom(clazz)) {
-                        handlers.get(_package).add((FilteredResourceHandlerI) clazz.newInstance());
+                        handlerClasses.add((FilteredResourceHandlerI) clazz.newInstance());
                     }
                 }
+                handlers.get(_package).addAll(handlerClasses);
             }
         }
 
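Review bot: Collecting the instances into a local list and then calling `handlers.get(_package).addAll(handlerClasses)` narrows the window but does not remove the race, because `addAll` still mutates the shared per-package list and a thread iterating it at that moment will still get a ConcurrentModificationException if the list is a plain ArrayList. If the per-package list is created as a `CopyOnWriteArrayList` where `handlers` is populated (outside this hunk), readers iterate a snapshot and the single `addAll` is atomic with respect to them; otherwise the populate-then-publish step needs the same lock the readers take. The enclosing package-loading branch starts and ends outside the hunk, so whether the `handlers.get(_package)` lookup itself is guarded cannot be seen here, and a comment such as `// publish the complete handler set in one addAll; the target list must tolerate concurrent iteration` would record the assumption. `Class.newInstance()` is deprecated from Java 9 in favour of `getDeclaredConstructor().newInstance()`, which matters only if the project moves past Java 8.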
-- 
GitLab