SAK-33393 Make sure savePost is fully secured. (sakaiproject#4821)

thakursir · Sep 22, 2017 · 9cb9b0e · 9cb9b0e
1 parent f879611
commit 9cb9b0e
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 20 deletions.
diff --git a/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsManagerImpl.java b/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsManagerImpl.java
@@ -109,23 +109,27 @@ public List<Post> getPosts(QueryBean query) throws Exception {
 
     public Post savePost(Post post) {
 
-        try {
-            Post newOrUpdatedPost = persistenceManager.savePost(post);
-            if (newOrUpdatedPost != null) {
-                String commonsId = post.getCommonsId();
-                List<String> contextIds = new ArrayList();
-                if (persistenceManager.getCommons(commonsId).isSocial()) {
-                    contextIds = getConnectionUserIds(sakaiProxy.getCurrentUserId());
+        if (commonsSecurityManager.canCurrentUserEditPost(post)) {
+            try {
+                Post newOrUpdatedPost = persistenceManager.savePost(post);
+                if (newOrUpdatedPost != null) {
+                    String commonsId = post.getCommonsId();
+                    List<String> contextIds = new ArrayList();
+                    if (persistenceManager.getCommons(commonsId).isSocial()) {
+                        contextIds = getConnectionUserIds(sakaiProxy.getCurrentUserId());
+                    } else {
+                        contextIds.add(post.getCommonsId());
+                    }
+                    removeContextIdsFromCache(contextIds);
+                    return newOrUpdatedPost;
                 } else {
-                    contextIds.add(post.getCommonsId());
+                    log.error("Failed to save post");
                 }
-                removeContextIdsFromCache(contextIds);
-                return newOrUpdatedPost;
-            } else {
-                log.error("Failed to save post");
+            } catch (Exception e) {
+                log.error("Caught exception whilst saving post", e);
             }
-        } catch (Exception e) {
-            log.error("Caught exception whilst saving post", e);
+        } else {
+            log.warn("Current user cannot save post with id '{}'. Null will be returned.", post.getId());
         }
 
         return null;

diff --git a/...ons/tool/src/java/org/sakaiproject/commons/tool/entityprovider/CommonsEntityProvider.java b/...ons/tool/src/java/org/sakaiproject/commons/tool/entityprovider/CommonsEntityProvider.java
@@ -204,12 +204,17 @@ public ActionReturn handleSavePost(Map<String, Object> params) {
         boolean isNew = "".equals(id);
 
         Post post = new Post();
-        post.setId(id);
-        post.setCreatorId(userId);
-        post.setSiteId(siteId);
-        post.setCommonsId(commonsId);
-        post.setEmbedder(embedder);
-        post.setContent(content);
+
+        if (!isNew) {
+            post = commonsManager.getPost(id, false);
+            post.setContent(content);
+        } else {
+            post.setCreatorId(userId);
+            post.setSiteId(siteId);
+            post.setCommonsId(commonsId);
+            post.setEmbedder(embedder);
+            post.setContent(content);
+        }
 
         Post createdOrUpdatedPost = commonsManager.savePost(post);
         if (createdOrUpdatedPost != null) {