

Bugfix: overwrite superuser security context in UiAuthenticator.
cmorgner committed Feb 28, 2024
1 parent 7734b8a commit a8c08e5
Showing 2 changed files with 93 additions and 0 deletions.
Expand Up @@ -156,6 +156,9 @@ public SecurityContext initializeAndExamineRequest(final HttpServletRequest requ
} else {

securityContext = SecurityContext.getInstance(user, request, AccessMode.Backend);

// overwrite superuser context in user
user.setSecurityContext(securityContext);
}
}
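Review bot: The context overwrite is only applied on the `else` path; if the user object was loaded under a superuser context, as the new comment suggests, any other branch of this method that hands back a user-bound context (above this hunk, not visible here) may still leave the superuser context attached to the user, so it is worth confirming each such path also calls `user.setSecurityContext(...)`. The comment would be more useful if it said why the overwrite matters: `// the user was loaded with a superuser context; bind it to the request's backend context so anything evaluated on the user object (e.g. read functions) runs with the user's own permissions`. The enclosing initializeAndExamineRequest starts and ends outside the hunk.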

90 changes: 90 additions & 0 deletions structr-ui/src/test/java/org/structr/test/web/rest/UserTest.java
Expand Up @@ -22,10 +22,20 @@
import io.restassured.filter.log.ResponseLoggingFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.structr.api.schema.JsonSchema;
import org.structr.api.schema.JsonType;
import org.structr.common.PropertyView;
import org.structr.common.error.FrameworkException;
import org.structr.core.app.App;
import org.structr.core.app.StructrApp;
import org.structr.core.graph.Tx;
import org.structr.schema.export.StructrSchema;
import org.structr.test.web.StructrUiTest;
import org.structr.web.auth.UiAuthenticator;
import org.testng.annotations.Test;

import static org.hamcrest.Matchers.equalTo;

/**
*
*
Expand Down Expand Up @@ -97,4 +107,84 @@ public void testAdminUserCreation() {
.post("/User");

}

@Test
public void testSecurityContextInMeResource() {

final String uuid = createEntityAsSuperUser("/User", "{ 'name': 'user', 'password': 'password'}");

grant("User", UiAuthenticator.AUTH_USER_GET, true);
grant("User/_Ui", UiAuthenticator.AUTH_USER_GET, false);

final App app = StructrApp.getInstance();

try (final Tx tx = app.tx()) {

final JsonSchema schema = StructrSchema.createFromDatabase(app);
final JsonType principal = schema.addType("Principal");

principal.addFunctionProperty("funcTest", PropertyView.Public, PropertyView.Ui).setReadFunction("(me)");

StructrSchema.replaceDatabaseSchema(app, schema);

tx.success();

} catch (FrameworkException fex) {

fex.printStackTrace();
}

RestAssured
.given()
.contentType("application/json; charset=UTF-8")
.header("X-User", "user")
.header("X-Password", "password")
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(200))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(201))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(401))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(403))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(404))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(500))
.expect()
.body("result.funcTest", equalTo(uuid))
.statusCode(200)
.when()
.get("/me");

RestAssured
.given()
.contentType("application/json; charset=UTF-8")
.header("X-User", "user")
.header("X-Password", "password")
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(200))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(201))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(401))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(403))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(404))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(500))
.expect()
.body("result[0].funcTest", equalTo(uuid))
.statusCode(200)
.when()
.get("/User");

RestAssured
.given()
.contentType("application/json; charset=UTF-8")
.header("X-User", "user")
.header("X-Password", "password")
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(200))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(201))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(401))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(403))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(404))
.filter(ResponseLoggingFilter.logResponseIfStatusCodeIs(500))
.expect()
.body("result.funcTest", equalTo(uuid))
.statusCode(200)
.when()
.get("/User/" + uuid);


}
}
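Review bot: The `catch (FrameworkException fex)` in testSecurityContextInMeResource only prints the stack trace, so a failure while replacing the schema lets the test continue and fail later on `result.funcTest` with a misleading message; rethrowing keeps the cause visible, e.g. `throw new AssertionError("schema setup failed", fex);`. The three RestAssured calls repeat the same headers and six logging filters; a private helper returning the prepared request specification would make the three assertions (`/me`, `/User`, `/User/{uuid}`) the only thing that differs. A one-line comment above the schema block stating that `funcTest` returns `(me)` so the test checks that the read function resolves to the requesting user and not the superuser would make the intent of the regression test clear.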

0 comments on commit a8c08e5
