XNAT-4519 Prevented guest user from being given owner/member/collaborator...

XNAT-4519 Prevented guest user from being given owner/member/collaborator access to a project through project page or xapi.

XNAT-4519 Prevented guest user from being given owner/member/collaborator...
8f0f0f82 · Mike McKay · 82e8eefe · 8f0f0f82 · 8f0f0f82
Commit 8f0f0f82 authored 8 years ago by Mike McKay
--- a/src/main/java/org/nrg/xapi/rest/users/UsersApi.java
+++ b/src/main/java/org/nrg/xapi/rest/users/UsersApi.java
@@ -599,6 +599,9 @@ public class UsersApi extends AbstractXapiRestController {
            if (user == null) {
                return new ResponseEntity<>(HttpStatus.NOT_FOUND);
            }
+            if(user.getID().equals(Users.getGuest().getID())){
+                return new ResponseEntity<>(HttpStatus.PRECONDITION_FAILED);
+            }
            try {
                Groups.addUserToGroup(group, user, getSessionUser(), null);
                return new ResponseEntity<>(HttpStatus.OK);

--- a/src/main/java/org/nrg/xnat/restlet/resources/ProjectMemberResource.java
+++ b/src/main/java/org/nrg/xnat/restlet/resources/ProjectMemberResource.java
@@ -188,64 +188,68 @@ public class ProjectMemberResource extends SecureResource {
 			try {
 				final UserI user = getUser();
 				if(Permissions.canDelete(user,proj)){
-					if (unknown.size()>0){
+					if (unknown.size() > 0) {
-						//NEW USER                        
+						//NEW USER
-                        try {
+						try {
-							for(String uID : unknown){
+							for (String uID : unknown) {
 								VelocityContext context = new VelocityContext();
-								context.put("user",user);
+								context.put("user", user);
-							    context.put("server",TurbineUtils.GetFullServerPath(request));
+								context.put("server", TurbineUtils.GetFullServerPath(request));
-							    context.put("process","Transfer to the archive.");
+								context.put("process", "Transfer to the archive.");
-							    context.put("system",TurbineUtils.GetSystemName());
+								context.put("system", TurbineUtils.GetSystemName());
-							    context.put("access_level",gID);
+								context.put("access_level", gID);
-							    context.put("admin_email",XDAT.getSiteConfigPreferences().getAdminEmail());
+								context.put("admin_email", XDAT.getSiteConfigPreferences().getAdminEmail());
-							    context.put("projectOM",proj);
+								context.put("projectOM", proj);
-							    //SEND email to user
+								//SEND email to user
-							    final PersistentWorkflowI wrk=PersistentWorkflowUtils.getOrCreateWorkflowData(null, user, XnatProjectdata.SCHEMA_ELEMENT_NAME, proj.getId(), proj.getId(), newEventInstance(EventUtils.CATEGORY.PROJECT_ACCESS, EventUtils.INVITE_USER_TO_PROJECT + " (" + uID + ")"));
+								final PersistentWorkflowI wrk = PersistentWorkflowUtils.getOrCreateWorkflowData(null, user, XnatProjectdata.SCHEMA_ELEMENT_NAME, proj.getId(), proj.getId(), newEventInstance(EventUtils.CATEGORY.PROJECT_ACCESS, EventUtils.INVITE_USER_TO_PROJECT + " (" + uID + ")"));
-						    	try {
+								try {
 									ProjectAccessRequest.InviteUser(context, uID, user, user.getFirstname() + " " + user.getLastname() + " has invited you to join the " + proj.getName() + " " + DisplayManager.GetInstance().getSingularDisplayNameForProject().toLowerCase() + ".");
 									WorkflowUtils.complete(wrk, wrk.buildEvent());
 								} catch (Exception e) {
 									WorkflowUtils.fail(wrk, wrk.buildEvent());
-									logger.error("",e);
+									logger.error("", e);
 								}
 							}
 						} catch (Throwable e) {
-							logger.error("",e);
+							logger.error("", e);
 						}
 					}
-					if (newUsers.size()>0){
+					if (newUsers.size() > 0) {
 						//CURRENT USER
-						String email=(this.isQueryVariableTrue("sendemail"))?"true":"false";
+						String email = (this.isQueryVariableTrue("sendemail")) ? "true" : "false";
-						boolean sendmail=Boolean.parseBoolean(email);
+						boolean sendmail = Boolean.parseBoolean(email);
-						for(UserI newUser: newUsers){
-							final PersistentWorkflowI wrk=PersistentWorkflowUtils.getOrCreateWorkflowData(null, user, Users.getUserDataType(),newUser.getID().toString(),proj.getId(),newEventInstance(EventUtils.CATEGORY.PROJECT_ACCESS, EventUtils.ADD_USER_TO_PROJECT));
-					    	EventMetaI c=wrk.buildEvent();
-							proj.addGroupMember(group.getId(), newUser, user,WorkflowUtils.setStep(wrk, "Add " + newUser.getLogin()));
+						for (UserI newUser : newUsers) {
-							WorkflowUtils.complete(wrk, c);
+							if(newUser!=null && newUser.getID().equals(Users.getGuest().getID())){
+								getResponse().setStatus(Status.CLIENT_ERROR_PRECONDITION_FAILED);
+							} else {
+								final PersistentWorkflowI wrk = PersistentWorkflowUtils.getOrCreateWorkflowData(null, user, Users.getUserDataType(), newUser.getID().toString(), proj.getId(), newEventInstance(EventUtils.CATEGORY.PROJECT_ACCESS, EventUtils.ADD_USER_TO_PROJECT));
+								EventMetaI c = wrk.buildEvent();
-							if (sendmail){
+								proj.addGroupMember(group.getId(), newUser, user, WorkflowUtils.setStep(wrk, "Add " + newUser.getLogin()));
-                                try {
+								WorkflowUtils.complete(wrk, c);
-                                    VelocityContext context = new VelocityContext();
-                                    context.put("user",user);
+								if (sendmail) {
-                                    context.put("server",TurbineUtils.GetFullServerPath(request));
+									try {
-                                    context.put("process","Transfer to the archive.");
+										VelocityContext context = new VelocityContext();
-                                    context.put("system",TurbineUtils.GetSystemName());
-                                    context.put("access_level","member");
+										context.put("user", user);
-                                    context.put("admin_email", XDAT.getSiteConfigPreferences().getAdminEmail());
+										context.put("server", TurbineUtils.GetFullServerPath(request));
-                                    context.put("projectOM",proj);
+										context.put("process", "Transfer to the archive.");
-                                    org.nrg.xnat.turbine.modules.actions.ProcessAccessRequest.SendAccessApprovalEmail(context, newUser.getEmail(), user, TurbineUtils.GetSystemName() + " Access Granted for " + proj.getName());
+										context.put("system", TurbineUtils.GetSystemName());
-                                } catch (Throwable e) {
+										context.put("access_level", "member");
-                                    logger.error("",e);
+										context.put("admin_email", XDAT.getSiteConfigPreferences().getAdminEmail());
-                                }
+										context.put("projectOM", proj);
-                            }
+										org.nrg.xnat.turbine.modules.actions.ProcessAccessRequest.SendAccessApprovalEmail(context, newUser.getEmail(), user, TurbineUtils.GetSystemName() + " Access Granted for " + proj.getName());
+									} catch (Throwable e) {
+										logger.error("", e);
+									}
+								}
+							}
 						}
 					}
 				}else{