diff options
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java')
| -rw-r--r-- | id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java | 54 |
1 files changed, 50 insertions, 4 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java index 3f6005b97..bad522a4b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditGeneralConfigAction.java @@ -10,6 +10,7 @@ import java.util.Set; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; @@ -53,6 +54,7 @@ import at.gv.egovernment.moa.id.configuration.data.GeneralMOAIDConfig; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.validation.moaconfig.MOAConfigValidator; import at.gv.egovernment.moa.id.configuration.validation.moaconfig.PVP2ContactValidator; +import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; @@ -67,12 +69,18 @@ public class EditGeneralConfigAction extends ActionSupport private HttpServletResponse response; private AuthenticatedUser authUser; - private GeneralMOAIDConfig moaconfig; + private String formID; + public String loadConfig() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; if (authUser.isAdmin()) { @@ -84,6 +92,9 @@ public class EditGeneralConfigAction extends ActionSupport ConfigurationDBUtils.closeSession(); + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); + return Constants.STRUTS_SUCCESS; } else { @@ -93,11 +104,30 @@ public class EditGeneralConfigAction extends ActionSupport } public String saveConfig() { + HttpSession session = request.getSession(); + if (session == null) { + log.info("No http Session found."); + return Constants.STRUTS_ERROR; + } - Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); - + Object authUserObj = session.getAttribute(Constants.SESSION_AUTH); authUser = (AuthenticatedUser) authUserObj; + Object formidobj = session.getAttribute(Constants.SESSION_FORMID); + if (formidobj != null && formidobj instanceof String) { + String formid = (String) formidobj; + if (!formid.equals(formID)) { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("FormIDs does not match. Some suspect Form is received from user " + + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID()); + return Constants.STRUTS_ERROR; + } + session.setAttribute(Constants.SESSION_FORMID, null); + if (authUser.isAdmin()) { MOAConfigValidator validator = new MOAConfigValidator(); @@ -109,6 +139,8 @@ public class EditGeneralConfigAction extends ActionSupport for (String el : errors) addActionError(el); + formID = Random.nextRandom(); + session.setAttribute(Constants.SESSION_FORMID, formID); return Constants.STRUTS_ERROR_VALIDATION; } @@ -505,6 +537,20 @@ public class EditGeneralConfigAction extends ActionSupport public void setMoaconfig(GeneralMOAIDConfig moaconfig) { this.moaconfig = moaconfig; } + + /** + * @return the formID + */ + public String getFormID() { + return formID; + } + + /** + * @param formID the formID to set + */ + public void setFormID(String formID) { + this.formID = formID; + } |