From portal-commits at lists.jboss.org Fri Jan 30 17:05:36 2009 Content-Type: multipart/mixed; boundary="===============0992530148994802591==" MIME-Version: 1.0 From: portal-commits at lists.jboss.org To: portal-commits at lists.jboss.org Subject: [portal-commits] JBoss Portal SVN: r12737 - branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/portal/core/cms/ui/admin. Date: Fri, 30 Jan 2009 17:05:36 -0500 Message-ID: --===============0992530148994802591== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Author: chris.laprun(a)jboss.com Date: 2009-01-30 17:05:36 -0500 (Fri, 30 Jan 2009) New Revision: 12737 Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/port= al/core/cms/ui/admin/CMSAdminPortlet.java Log: - Should fix several potential XSS issues. Modified: branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jbo= ss/portal/core/cms/ui/admin/CMSAdminPortlet.java =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D --- branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/por= tal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 19:49:06 UTC (rev 127= 36) +++ branches/Enterprise_Portal_Platform_4_3/core-cms/src/main/org/jboss/por= tal/core/cms/ui/admin/CMSAdminPortlet.java 2009-01-30 22:05:36 UTC (rev 127= 37) @@ -1,6 +1,6 @@ /*************************************************************************= ***** * JBoss, a division of Red Hat = * - * Copyright 2006, Red Hat Middleware, LLC, and individual = * + * Copyright 2009, Red Hat Middleware, LLC, and individual = * * contributors as indicated by the @authors tag. See the = * * copyright.txt in the distribution for a full listing of = * * individual contributors. = * 
@@ -32,6 +32,7 @@ import org.jboss.portal.cms.impl.ContentImpl; import org.jboss.portal.cms.impl.FileImpl; import org.jboss.portal.cms.impl.FolderImpl; +import org.jboss.portal.cms.impl.jcr.JCRCMS; import org.jboss.portal.cms.model.Content; import org.jboss.portal.cms.model.File; import org.jboss.portal.cms.model.Folder; @@ -44,9 +45,9 @@ import org.jboss.portal.cms.util.NodeUtil; import org.jboss.portal.cms.workflow.ApprovePublish; import org.jboss.portal.cms.workflow.CMSWorkflowUtil; -import org.jboss.portal.cms.impl.jcr.JCRCMS; -import org.jboss.portal.core.cms.ui.Util; +import org.jboss.portal.common.util.ParameterValidation; import org.jboss.portal.core.cms.command.StreamContentCommand; +import org.jboss.portal.core.cms.ui.Util; import org.jboss.portal.core.controller.ControllerContext; import org.jboss.portal.identity.AnonymousRole; import org.jboss.portal.identity.IdentityException; @@ -77,7 +78,8 @@ import javax.portlet.PortletSession; import javax.portlet.UnavailableException; import java.io.IOException; -import java.io.InputStream; +import java.text.Format; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Collection; import java.util.Date; @@ -85,11 +87,10 @@ import java.util.Iterator; import java.util.List; import java.util.Locale; +import java.util.ResourceBundle; import java.util.Set; import java.util.Vector; -import java.util.ResourceBundle; -import java.text.SimpleDateFormat; -import java.text.Format; +import java.util.regex.Pattern; = /** * @author Roy Russo @@ -105,6 +106,8 @@ private ApprovePublish approvePublish; private AuthorizationManager authorizationManager; private ResourceBundle resources =3D null; + private static final Pattern CHECK_FOR_XSS_PATTERN =3D Pattern.compile(= "^[<>\\(\\)=3D]"); + private static final String SLASH =3D "/"; = = public void init() throws PortletException 
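Review bot: The `^` anchor in `CHECK_FOR_XSS_PATTERN` (`Pattern.compile("^[<>\\(\\)=]")`) restricts the match to a parameter whose first character is `<`, `>`, `(`, `)` or `=`, so a value such as `/news/<script>` or `/x" onmouseover=...` is never matched and the sanitizer built on this pattern in the later hunks passes it through unchanged. Whether `ParameterValidation.sanitizeFromPattern` applies the pattern with `find()` or `matches()` is not visible here, but neither lets an anchored single-character class hit a character in the middle of the string. If the intent is to reject any occurrence, drop the anchor and cover attribute-breaking quotes as well, `private static final Pattern CHECK_FOR_XSS_PATTERN = Pattern.compile("[<>()=\"']");`, and treat the blocklist as defence in depth only: the durable fix for reflected XSS is HTML-escaping these attributes where the JSPs render them, and this commit touches only the portlet class.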
@@ -136,22 +139,22 @@ throw new PortletException("Authorization Service not found"); } = - this.initializeApprovePublishWorkflow(); = + this.initializeApprovePublishWorkflow(); } - = + /** - * = + * */ public void init(PortletConfig config) throws PortletException { super.init(config); - = + //Get the Resource Bundle for this Portlet this.resources =3D config.getResourceBundle(Locale.getDefault()); } = /** - * = + * */ protected void doView(final JBossRenderRequest rReq, final JBossRenderR= esponse rRes) throws PortletException, IOException, UnavailableException @@ -161,8 +164,8 @@ String datePattern =3D bundle.getString(CMSAdminConstants.CMS_DATE_P= ATTERN); Format dateFormat =3D new SimpleDateFormat(datePattern, rReq.getLoca= le()); rReq.setAttribute(CMSAdminConstants.DATE_FORMAT, dateFormat); - = - = + + //check and make sure the CMSAdminPortlet is accessible to the curre= nt user if (!this.isPortletAccessible(rReq)) { 
@@ -202,38 +205,46 @@ { throw new PortletException(e); } - } = + } } - = - /** - * = - * @param renderResponse - * @throws IOException - */ + + /** @throws IOException */ private void showAccessDeniedScreen(JBossRenderRequest rReq, JBossRende= rResponse rRes) throws IOException, PortletException { - try - { - String sPath =3D rReq.getParameter("path"); - String sOp =3D rReq.getParameter("returnOp"); - = - = - rRes.setContentType("text/html"); - rReq.setAttribute("path", sPath); - rReq.setAttribute("returnOp", sOp); - javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.j= sp"); - prd.include(rReq, rRes); - } - catch(Exception e) - { - throw new PortletException(e); - } = + try + { + String sPath =3D rReq.getParameter("path"); + String sOp =3D rReq.getParameter("returnOp"); + + + rRes.setContentType("text/html"); + rReq.setAttribute("path", sPath); + rReq.setAttribute("returnOp", sOp); + javax.portlet.PortletRequestDispatcher prd =3D getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/accessdenied.jsp"= ); + prd.include(rReq, rRes); + } + catch (Exception e) + { + throw new PortletException(e); + } } = private void internalDoView(JBossRenderRequest rReq, JBossRenderRespons= e rRes) throws CMSException, PortletException, IOException { String op =3D rReq.getParameter("op"); + String sPath =3D rReq.getParameter("path"); + if (sPath !=3D null) + { + sPath =3D ParameterValidation.sanitizeFromPattern(sPath, CHECK_FO= R_XSS_PATTERN, SLASH); + } + + String sNavPath =3D rReq.getParameter("navpath"); + if (sNavPath !=3D null) + { + sNavPath =3D ParameterValidation.sanitizeFromPattern(sNavPath, CH= ECK_FOR_XSS_PATTERN, SLASH); + } + if (op =3D=3D null) { op =3D CMSAdminConstants.OP_MAIN; 
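Review bot: `showAccessDeniedScreen` still copies the raw `path` and `returnOp` parameters into request attributes for accessdenied.jsp, while `internalDoView` directly below now sanitizes `path` and `navpath`; the access-denied screen is reached from inside `internalDoView` with the same request (the OP_VIEWPENDING branches later in the diff), so it re-reads the unsanitized value and sidesteps the new check. Apply the same treatment, `sPath = sPath == null ? null : ParameterValidation.sanitizeFromPattern(sPath, CHECK_FOR_XSS_PATTERN, SLASH);`, and for `returnOp`, which presumably names an operation to return to, compare against the known `CMSAdminConstants.OP_*` values instead of relying on a character blocklist. If the third argument to `sanitizeFromPattern` is the replacement value, as its use here suggests, a rejected `path`/`navpath` silently becomes the root folder; logging the rejected value would make probing visible to operators.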
@@ -241,21 +252,19 @@ = if (CMSAdminConstants.OP_MAIN.equals(op)) // list page. { - String sPath =3D rReq.getParameter("path"); if (sPath =3D=3D null) { - sPath =3D "/"; + sPath =3D SLASH; } - = - = + JCRCMS.enableUISecurityFilter(); Command listCMD =3D CMSService.getCommandFactory().createFolderGe= tListCommand(sPath); Folder mainFolder =3D (Folder)CMSService.execute(listCMD); - = + List folders =3D new ArrayList(); List files =3D new ArrayList(); - = - if(mainFolder !=3D null) + + if (mainFolder !=3D null) { folders =3D mainFolder.getFolders(); files =3D mainFolder.getFiles(); @@ -263,15 +272,15 @@ else { Object messages =3D rReq.getPortletSession().getAttribute("mes= sages"); - if(messages =3D=3D null) + if (messages =3D=3D null) { messages =3D new ArrayList(); rReq.getPortletSession().setAttribute("messages", messages); } - = + ((List)messages).add(this.resources.getObject("CMS_MISSING_RES= OURCE")); } - = + JCRCMS.disableUISecurityFilter(); = rRes.setContentType("text/html"); @@ -290,13 +299,13 @@ { rReq.setAttribute("manageWorkflowAccessible", new Boolean(fals= e)); } - = + //Messages - if(rReq.getPortletSession().getAttribute("messages") !=3D null) + if (rReq.getPortletSession().getAttribute("messages") !=3D null) { Object messages =3D rReq.getPortletSession().getAttribute("mes= sages"); rReq.getPortletSession().removeAttribute("messages"); - = + rReq.setAttribute("messages", messages); } = 
@@ -307,42 +316,42 @@ { try { - String sNavPath =3D rReq.getParameter("navpath"); - = List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("navpath", sNavPath); - = - String sPath =3D rReq.getParameter("path"); + rRes.setContentType("text/html"); rReq.setAttribute("createpath", sPath); - = - if (rReq.getParameter("error:message") !=3D null) + + String parameter =3D rReq.getParameter("error:message"); + if (parameter !=3D null) { - rReq.setAttribute("error:message", rReq.getParameter("error= :message")); + rReq.setAttribute("error:message", parameter); } - if (rReq.getParameter("error:newcollectionname") !=3D null) + parameter =3D rReq.getParameter("error:newcollectionname"); + if (parameter !=3D null) { - rReq.setAttribute("error:newcollectionname", rReq.getParame= ter("error:newcollectionname")); + rReq.setAttribute("error:newcollectionname", parameter); } - if (rReq.getParameter("error:newcollectiondescription") !=3D n= ull) + parameter =3D rReq.getParameter("error:newcollectiondescriptio= n"); + if (parameter !=3D null) { - rReq.setAttribute("error:newcollectiondescription", rReq.ge= tParameter("error:newcollectiondescription")); + rReq.setAttribute("error:newcollectiondescription", paramet= er); } - = - = + + javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcreatec= ollection.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } 
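Review bot: The `error:message`, `error:newcollectionname` and `error:newcollectiondescription` values are still copied verbatim from request parameters into attributes for confirmcreatecollection.jsp; hoisting them into the `parameter` local changes nothing about their trust level. `processAction` (the create-collection branch later in this diff) sets them as render parameters straight from the submitted form fields, and render parameters travel in the URL, so they are as attacker-controlled as `path`, yet only `path`/`navpath` go through `sanitizeFromPattern` in this commit. Unless confirmcreatecollection.jsp escapes them on output (not visible here), run them through the same sanitizer or, for `error:message`, which carries a resource-bundle key such as `CMS_FOLDERNAME_INVALID`, accept only known keys. Minor: `rRes.setContentType("text/html")` is now called twice in this branch; the second call, where the removed `String sPath` line was, can go.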
@@ -351,17 +360,15 @@ { try { - String sPath =3D rReq.getParameter("path"); - String sNavPath =3D rReq.getParameter("navpath"); - = + List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -370,15 +377,13 @@ javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/upload.jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_VIEWFILE.equals(op)) { - String sPath =3D rReq.getParameter("path"); - Command fileGetList =3D CMSService.getCommandFactory().createFile= GetListCommand(sPath); List contentList =3D (List)CMSService.execute(fileGetList); = @@ -459,17 +464,15 @@ { try { - String sPath =3D rReq.getParameter("path"); - String sNavPath =3D rReq.getParameter("navpath"); - = + List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -477,7 +480,7 @@ javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/uploadarchive.= jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } 
@@ -486,18 +489,16 @@ { try { - String sPath =3D rReq.getParameter("path"); - String sNavPath =3D rReq.getParameter("navpath"); String sType =3D rReq.getParameter("type"); - = + List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -506,7 +507,7 @@ javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmcopy.js= p"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } @@ -515,18 +516,16 @@ { try { - String sPath =3D rReq.getParameter("path"); - String sNavPath =3D rReq.getParameter("navpath"); String sType =3D rReq.getParameter("type"); - = + List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); 
@@ -535,14 +534,13 @@ javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmmove.js= p"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_CONFIRMDELETE.equals(op)) { - String sPath =3D rReq.getParameter("path"); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); javax.portlet.PortletRequestDispatcher prd =3D getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/confirmdelete.jsp= "); @@ -550,18 +548,16 @@ } else if (CMSAdminConstants.OP_EDIT_BINARY.equals(op)) { - String sPath =3D rReq.getParameter("path"); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("language", rReq.getParameter("language")); + String language =3D rReq.getParameter("language"); + ParameterValidation.sanitizeFromPattern(language, CHECK_FOR_XSS_P= ATTERN, "en"); + rReq.setAttribute("language", language); javax.portlet.PortletRequestDispatcher prd =3D getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/editbinary.jsp"); prd.include(rReq, rRes); } - else - if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminConstan= ts.OP_CREATEFILE_VALIDATION_ERROR.equals(op)) + else if (CMSAdminConstants.OP_CREATENEWTEXT.equals(op) || CMSAdminCo= nstants.OP_CREATEFILE_VALIDATION_ERROR.equals(op)) { - String sPath =3D rReq.getParameter("path"); - // get Base for editor StringBuffer sbUrl =3D new StringBuffer(); sbUrl.append(rReq.getScheme()); 
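Review bot: In the OP_EDIT_BINARY branch the return value of `ParameterValidation.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en")` is discarded, so `rReq.setAttribute("language", language)` on the next line still publishes the raw parameter; Java strings are immutable and the `path`/`navpath` handling earlier in this commit assigns the result, so as written the call is a no-op unless the method throws on a match. Write `language = ParameterValidation.sanitizeFromPattern(language, CHECK_FOR_XSS_PATTERN, "en");` and guard the `null` case the way `path` is guarded, since a missing `language` parameter reaches the sanitizer unchecked here. A language code is also the ideal case for a positive check, e.g. `language.matches("[A-Za-z0-9_]{1,16}")`, rather than the blocklist.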
@@ -588,32 +584,38 @@ = rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, "/")); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, SLASH)); = //If a validation error occurred, re-populate data already submit= ted - if (rReq.getParameter("error:content") !=3D null) + String parameter =3D rReq.getParameter("error:content"); + if (parameter !=3D null) { - rReq.setAttribute("error:content", rReq.getParameter("error:co= ntent")); + rReq.setAttribute("error:content", parameter); } - if (rReq.getParameter("error:description") !=3D null) + parameter =3D rReq.getParameter("error:description"); + if (parameter !=3D null) { - rReq.setAttribute("error:description", rReq.getParameter("erro= r:description")); + rReq.setAttribute("error:description", parameter); } - if (rReq.getParameter("error:title") !=3D null) + parameter =3D rReq.getParameter("error:title"); + if (parameter !=3D null) { - rReq.setAttribute("error:title", rReq.getParameter("error:titl= e")); + rReq.setAttribute("error:title", parameter); } - if (rReq.getParameter("error:language") !=3D null) + parameter =3D rReq.getParameter("error:language"); + if (parameter !=3D null) { - rReq.setAttribute("error:language", rReq.getParameter("error:l= anguage")); + rReq.setAttribute("error:language", parameter); } - if (rReq.getParameter("error:filename") !=3D null) + parameter =3D rReq.getParameter("error:filename"); + if (parameter !=3D null) { - rReq.setAttribute("error:filename", rReq.getParameter("error:f= ilename")); + rReq.setAttribute("error:filename", parameter); } - if (rReq.getParameter("error:message") !=3D null) + parameter =3D rReq.getParameter("error:message"); + if (parameter !=3D null) { - rReq.setAttribute("error:message", rReq.getParameter("error:me= ssage")); + rReq.setAttribute("error:message", parameter); } = javax.portlet.PortletRequestDispatcher prd =3D 
getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/create.jsp"); @@ -621,8 +623,9 @@ } else if (CMSAdminConstants.OP_EDIT.equals(op)) { - String sPath =3D rReq.getParameter("path"); String sLanguage =3D rReq.getParameter("language"); + ParameterValidation.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_= PATTERN, "en"); + String sVersion =3D rReq.getParameter("version"); = StringBuffer sbUrl =3D new StringBuffer(); @@ -651,7 +654,7 @@ = rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, "/")); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, SLASH)); = = Command getCommand; @@ -680,17 +683,14 @@ { try { - String sPath =3D rReq.getParameter("path"); - String sNavPath =3D rReq.getParameter("navpath"); - = List folders =3D this.getFolderList(sNavPath); - if((folders =3D=3D null || folders.isEmpty()) && = - (sNavPath !=3D null && !sNavPath.equals("/"))) + if ((folders =3D=3D null || folders.isEmpty()) && + (sNavPath !=3D null && !sNavPath.equals(SLASH))) { sNavPath =3D NodeUtil.getParentPath(sNavPath); folders =3D this.getFolderList(sNavPath); } - = + rReq.setAttribute("folders", folders); rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); @@ -698,15 +698,15 @@ javax.portlet.PortletRequestDispatcher prd =3D getPortletConte= xt().getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/exportarchive.= jsp"); prd.include(rReq, rRes); } - catch(Exception e) + catch (Exception e) { throw new PortletException(e); } } else if (CMSAdminConstants.OP_EXPORTARCHIVE_PICKUP.equals(op)) { - String sPath =3D rReq.getParameter("path"); String sPickupFile =3D rReq.getParameter("filepath"); + ParameterValidation.sanitizeFromPattern(sPickupFile, CHECK_FOR_XS= S_PATTERN, SLASH); = rRes.setContentType("text/html"); PortletRequestDispatcher prd =3D null; 
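Review bot: The six `error:*` parameters re-populated in the OP_CREATENEWTEXT / OP_CREATEFILE_VALIDATION_ERROR branch (`error:content`, `error:description`, `error:title`, `error:language`, `error:filename`, `error:message`) are still copied unmodified into request attributes for create.jsp, so the new `parameter` local is cosmetic as far as XSS is concerned. They are render parameters, presumably filled by `processAction` the same way the `error:newcollection*` parameters shown later in this diff are, i.e. user input echoed straight back, and `error:content` in particular would hold the full submitted document body. Unless create.jsp escapes them on output (not visible here), they need at least the same `sanitizeFromPattern` treatment as `path`. The enclosing branch starts in an earlier hunk and the lines between are not shown.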
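Review bot: `ParameterValidation.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");` in the OP_EDIT branch neither assigns its result nor can mutate the immutable string, so `sLanguage` is used unsanitized for the rest of the branch and a `null` parameter reaches the call unguarded, the same discarded-result pattern as in OP_EDIT_BINARY. Use `sLanguage = ParameterValidation.sanitizeFromPattern(sLanguage, CHECK_FOR_XSS_PATTERN, "en");`. `sVersion` on the following line is taken from the request with no validation at all; if it feeds a version lookup or the page it deserves the same check, though its use lies beyond this hunk.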
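Review bot: `ParameterValidation.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH)` in the OP_EXPORTARCHIVE_PICKUP branch discards its return value, so `sPickupFile` (the `filepath` parameter) continues into the rest of the branch exactly as received; the assignment form used for `path` is needed here too, `sPickupFile = ParameterValidation.sanitizeFromPattern(sPickupFile, CHECK_FOR_XSS_PATTERN, SLASH);`. More importantly, a parameter named `filepath` that selects an exported archive for pickup is a path-traversal candidate, and an XSS character blocklist says nothing about `..` segments or absolute paths; how it is consumed is beyond the end of this hunk, but if it reaches a filesystem or stream lookup it should be resolved against the export directory and rejected when it escapes it. Substituting `/` for a rejected value is also a questionable default for a file path.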
@@ -725,7 +725,6 @@ } else if (CMSAdminConstants.OP_CONFIRMSECURE.equals(op)) { - String sPath =3D rReq.getParameter("path"); String sConfirm =3D rReq.getParameter("confirm"); String returnOp =3D rReq.getParameter("returnOp"); = @@ -786,13 +785,11 @@ else if (CMSAdminConstants.OP_VIEWPENDING.equals(op)) { boolean isWorkflowManagementAccessible =3D this.isWorkflowManagem= entAccessible(rReq); - if(!isWorkflowManagementAccessible) + if (!isWorkflowManagementAccessible) { this.showAccessDeniedScreen(rReq, rRes); return; } - = - String sPath =3D rReq.getParameter("path"); = if (this.getApprovePublish() !=3D null) { @@ -809,30 +806,29 @@ = rRes.setContentType("text/html"); rReq.setAttribute("currpath", sPath); - = + javax.portlet.PortletRequestDispatcher prd =3D getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp= "); prd.include(rReq, rRes); } else if (CMSAdminConstants.OP_VIEWPENDINGPREVIEW.equals(op)) { String processId =3D rReq.getParameter("pid"); - String path =3D rReq.getParameter("path"); = String contentPath =3D rReq.getParameter("contentPath"); - = + boolean isWorkflowManagementAccessible =3D this.isWorkflowManagem= entAccessible(rReq); - if(!isWorkflowManagementAccessible) + if (!isWorkflowManagementAccessible) { this.showAccessDeniedScreen(rReq, rRes); return; } - = - boolean hasWriteAccess =3D this.hasWriteAccess(rReq, path); - if(!hasWriteAccess) + + boolean hasWriteAccess =3D this.hasWriteAccess(rReq, sPath); + if (!hasWriteAccess) { this.showAccessDeniedScreen(rReq, rRes); return; } - = + if (this.getApprovePublish() !=3D null) { try 
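Review bot: In OP_VIEWPENDINGPREVIEW the write-access check runs on `sPath` (`hasWriteAccess(rReq, sPath)`), but the content that is then rendered is looked up by the separate, unvalidated `contentPath` parameter (`CMSWorkflowUtil.getPendingContent(Long.parseLong(processId), contentPath)` in the next hunk), so a user with write access to any one path could pass it as `path` and request a pending item at an unrelated `contentPath`. Unless `getPendingContent` enforces its own permission check (not visible here), perform the check on `contentPath`, or derive the content path from the pending item identified by `pid` instead of trusting the request. `pid` is also parsed with `Long.parseLong` outside any try, so a non-numeric value surfaces as an exception (presumably caught in `doView` and wrapped as a `PortletException`) rather than a validation message; a `processId != null && processId.matches("\\d+")` check up front would be cleaner. The branch continues past the end of this hunk.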
@@ -845,12 +841,12 @@ rReq.setAttribute("pendingQueue", null); } } - = + Content pendingContent =3D CMSWorkflowUtil.getPendingContent(Long= .parseLong(processId), contentPath); String viewableContent =3D Util.getViewableContent(rReq, rRes, pe= ndingContent.getContentAsString()); - = + rReq.setAttribute("pendingPreviewContent", viewableContent); - = + StringBuffer sbUrl =3D new StringBuffer(); sbUrl.append(rReq.getScheme()); sbUrl.append("://"); @@ -862,12 +858,12 @@ sbUrl.append(rReq.getServerPort()); } rRes.setContentType("text/html"); - rReq.setAttribute("currpath", path); - rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, "/")); - = + rReq.setAttribute("currpath", sPath); + rReq.setAttribute("document_base_url", sbUrl.toString() + this.bu= ildURL(rReq, SLASH)); + javax.portlet.PortletRequestDispatcher prd =3D getPortletContext(= ).getRequestDispatcher(CMSAdminConstants.CMS_JSP_PATH + "/pending_items.jsp= "); prd.include(rReq, rRes); - } = + } } = public void processAction(final JBossActionRequest aReq, final JBossAct= ionResponse aRes) throws PortletException @@ -917,7 +913,7 @@ String sFolderDescription =3D aReq.getParameter("newcollection= description"); if (!"".equals(sCreatePath) && !"".equals(sFolderName)) { - String sNewPath =3D FileUtil.cleanDoubleSlashes(sCreatePath= + "/" + sFolderName); + String sNewPath =3D FileUtil.cleanDoubleSlashes(sCreatePath= + SLASH + sFolderName); = Folder folder =3D new FolderImpl(); folder.setCreationDate(new Date()); @@ -932,9 +928,9 @@ Command saveCMD =3D CMSService.getCommandFactory().creat= eFolderSaveCommand(folder); CMSService.execute(saveCMD); } - catch(CMSException cme) + catch (CMSException cme) { - if(cme.hasPathFormatFailure()) + if (cme.hasPathFormatFailure()) { //Validation Error occurred //FileName should not be empty 
@@ -944,7 +940,7 @@ //used to remember the data already submitted by the = user aRes.setRenderParameter("error:message", CMSAdminCons= tants.CMS_FOLDERNAME_INVALID); aRes.setRenderParameter("error:newcollectionname", aR= eq.getParameter("newcollectionname")); - aRes.setRenderParameter("error:newcollectiondescripti= on", aReq.getParameter("newcollectiondescription")); = + aRes.setRenderParameter("error:newcollectiondescripti= on", aReq.getParameter("newcollectiondescription")); = return; } @@ -956,7 +952,7 @@ = aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN); aRes.setRenderParameter("path", sNewPath); - } = + } else { //Validation Error @@ -966,7 +962,7 @@ //used to remember the data already submitted by the user aRes.setRenderParameter("error:message", CMSAdminConstants.= CMS_FOLDERNAME_INVALID); aRes.setRenderParameter("error:newcollectionname", aReq.get= Parameter("newcollectionname")); - aRes.setRenderParameter("error:newcollectiondescription", a= Req.getParameter("newcollectiondescription")); = + aRes.setRenderParameter("error:newcollectiondescription", a= Req.getParameter("newcollectiondescription")); } } else if (CMSAdminConstants.OP_UPLOADCONTENT.equals(op)) @@ -998,7 +994,7 @@ } else // unix { - backslashIndex =3D sFilename.lastIndexOf("/"); + backslashIndex =3D sFilename.lastIndexOf(SLASH); sFilename =3D sFilename.substring(backslashInde= x + 1); } = @@ -1016,12 +1012,12 @@ content.setMimeType("application/octet-stream"); } = - String sBasePath =3D FileUtil.cleanDoubleSlashes(s= Path + "/" + sFilename); + String sBasePath =3D FileUtil.cleanDoubleSlashes(s= Path + SLASH + sFilename); file.setBasePath(sBasePath); = content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + new Locale(s= Language)); + content.setBasePath(sBasePath + SLASH + new Locale= (sLanguage)); content.setBytes(item.get()); file.setContent(new Locale(sLanguage), content); = 
@@ -1100,26 +1096,26 @@ if (!item.isFormField()) { byte[] archiveBytes =3D item.get(); - = + Command storearchiveCMD =3D CMSService.getCommandFact= ory().createAsyncStoreArchiveCommand(sPath, archiveBytes, sLanguage); - = + List messages =3D new ArrayList(); - = + try { - CMSService.execute(storearchiveCMD); = = + CMSService.execute(storearchiveCMD); messages.add(this.resources.getObject("CMS_MSG_UPL= OADARCHIVE_ASYNC")); } - catch(CMSException cme) + catch (CMSException cme) { String messageKey =3D cme.getMessageKey(); - if(messageKey !=3D null && messageKey.trim().lengt= h() > 0) + if (messageKey !=3D null && messageKey.trim().leng= th() > 0) { messages.add(this.resources.getObject(messageKe= y)); } } - = - = + + aReq.getPortletSession().setAttribute("messages", mes= sages); = aRes.setRenderParameter("path", FileUtil.cleanDoubleS= lashes(sPath)); @@ -1134,7 +1130,7 @@ else if ("language".equals(fieldName)) { sLanguage =3D item.getString(aReq.getCharacterEnco= ding()); - } = + } } } } 
@@ -1151,27 +1147,27 @@ String sType =3D aReq.getParameter("type"); if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType)) { - String sNodeName =3D sFrom.substring(sFrom.lastIndexOf("/")= + 1, sFrom.length()); - sTo =3D FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName); - = + String sNodeName =3D sFrom.substring(sFrom.lastIndexOf(SLAS= H) + 1, sFrom.length()); + sTo =3D FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName= ); + // check if destination already exists Command existsCMD =3D CMSService.getCommandFactory().create= ItemExistsCommand(sTo); Boolean bExists =3D (Boolean)CMSService.execute(existsCMD); - if (bExists.booleanValue()) = - { = - List messages =3D new ArrayList(); - messages.add(this.resources.getObject("CMS_MSG_DESTINAT= ION_ALREADY_EXISTS")); - aReq.getPortletSession().setAttribute("messages", messa= ges); - try - { - String sParentPath =3D NodeUtil.getParentPath(sFrom); - aRes.setRenderParameter("path", sParentPath); - } - catch (Exception e) - { + if (bExists.booleanValue()) + { + List messages =3D new ArrayList(); + messages.add(this.resources.getObject("CMS_MSG_DESTINATI= ON_ALREADY_EXISTS")); + aReq.getPortletSession().setAttribute("messages", messag= es); + try + { + String sParentPath =3D NodeUtil.getParentPath(sFrom); + aRes.setRenderParameter("path", sParentPath); + } + catch (Exception e) + { = - } - return; + } + return; } = Command copyCommand =3D CMSService.getCommandFactory().crea= teCopyCommand(sFrom, sTo); @@ -1193,7 +1189,7 @@ String sTo =3D aReq.getParameter("destination"); String sFrom =3D aReq.getParameter("source"); String sType =3D aReq.getParameter("type"); - = + if (sTo.startsWith(sFrom)) { List messages =3D new ArrayList(); 
@@ -1210,33 +1206,33 @@ } return; } - = = + if (!"".equals(sTo) && !"".equals(sFrom) && !"".equals(sType)) { - String sNodeName =3D sFrom.substring(sFrom.lastIndexOf("/")= + 1, sFrom.length()); - sTo =3D FileUtil.cleanDoubleSlashes(sTo + "/" + sNodeName); - = + String sNodeName =3D sFrom.substring(sFrom.lastIndexOf(SLAS= H) + 1, sFrom.length()); + sTo =3D FileUtil.cleanDoubleSlashes(sTo + SLASH + sNodeName= ); + // check if destination already exists Command existsCMD =3D CMSService.getCommandFactory().create= ItemExistsCommand(sTo); Boolean bExists =3D (Boolean)CMSService.execute(existsCMD); if (bExists.booleanValue()) - { = - List messages =3D new ArrayList(); - messages.add(this.resources.getObject("CMS_MSG_DESTINAT= ION_ALREADY_EXISTS")); - aReq.getPortletSession().setAttribute("messages", messa= ges); - try - { - String sParentPath =3D NodeUtil.getParentPath(sFrom); - aRes.setRenderParameter("path", sParentPath); - } - catch (Exception e) - { + { + List messages =3D new ArrayList(); + messages.add(this.resources.getObject("CMS_MSG_DESTINATI= ON_ALREADY_EXISTS")); + aReq.getPortletSession().setAttribute("messages", messag= es); + try + { + String sParentPath =3D NodeUtil.getParentPath(sFrom); + aRes.setRenderParameter("path", sParentPath); + } + catch (Exception e) + { = - } - return; + } + return; } - = + Command moveCommand =3D CMSService.getCommandFactory().crea= teMoveCommand(sFrom, sTo); CMSService.execute(moveCommand); if ("fo".equalsIgnoreCase(sType)) @@ -1246,7 +1242,7 @@ else if ("fi".equalsIgnoreCase(sType)) { aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWF= ILE); - } = + } = aRes.setRenderParameter("path", sTo); } @@ -1298,7 +1294,7 @@ } else // unix { - backslashIndex =3D sFilename.lastIndexOf("/"); + backslashIndex =3D sFilename.lastIndexOf(SLASH); sFilename =3D sFilename.substring(backslashIndex += 1); } = 
@@ -1319,7 +1315,7 @@ } content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + sLanguage); + content.setBasePath(sBasePath + SLASH + sLanguage); content.setBytes(item.get()); file.setContent(new Locale(sLanguage), content); = @@ -1396,7 +1392,7 @@ if (!"".equals(sFileName) && !"".equals(sDirectory)) { String sContent =3D aReq.getParameter("elm1"); - String sNewFilePath =3D FileUtil.cleanDoubleSlashes(sDirect= ory + "/" + sFileName); + String sNewFilePath =3D FileUtil.cleanDoubleSlashes(sDirect= ory + SLASH + sFileName); = File file =3D new FileImpl(); Content content =3D new ContentImpl(); @@ -1417,7 +1413,7 @@ = content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sBasePath + "/" + new Locale(sLanguage)= ); + content.setBasePath(sBasePath + SLASH + new Locale(sLanguag= e)); content.setBytes(sContent.getBytes()); file.setContent(new Locale(sLanguage), content); = @@ -1429,9 +1425,9 @@ { bExists =3D (Boolean)CMSService.execute(existsCMD); } - catch(CMSException cme) + catch (CMSException cme) { - if(cme.hasPathFormatFailure()) + if (cme.hasPathFormatFailure()) { //Validation Error occurred //FileName should not be empty @@ -1455,7 +1451,7 @@ throw cme; } } - = + if (bExists.booleanValue()) // if file exists, update conte= ntNode { Command cmdUpdate =3D CMSService.getCommandFactory().cre= ateUpdateFileCommand(file, content, true); @@ -1505,7 +1501,7 @@ = content.setTitle(sTitle); content.setDescription(sDescription); - content.setBasePath(sFilePath + "/" + new Locale(sLanguage)= .getLanguage()); + content.setBasePath(sFilePath + SLASH + new Locale(sLanguag= e).getLanguage()); content.setBytes(sContent.getBytes()); file.setContent(new Locale(sLanguage), content); = 
@@ -1585,11 +1581,11 @@ else if (CMSAdminConstants.OP_APPROVE.equals(op)) { boolean hasWriteAccess =3D this.hasWriteAccess(aReq, aReq.getP= arameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - = + String sManager =3D aReq.getUser().getUserName(); String sPID =3D aReq.getParameter("pid"); try @@ -1619,11 +1615,11 @@ else if (CMSAdminConstants.OP_DENY.equals(op)) { boolean hasWriteAccess =3D this.hasWriteAccess(aReq, aReq.getP= arameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - = + String sManager =3D aReq.getUser().getUserName(); String sPID =3D aReq.getParameter("pid"); try 
@@ -1647,45 +1643,45 @@ } return; } - = + String filePath =3D aReq.getParameter("path"); String parentPath =3D null; try { parentPath =3D NodeUtil.getParentPath(filePath); } - catch(Exception e) + catch (Exception e) { - parentPath =3D "/"; + parentPath =3D SLASH; } - = + //Check if this file still exists Command existsCmd =3D this.CMSService.getCommandFactory().crea= teItemExistsCommand(filePath); - boolean exists =3D ((Boolean)this.CMSService.execute(existsCmd= )).booleanValue(); = - if(exists) + boolean exists =3D ((Boolean)this.CMSService.execute(existsCmd= )).booleanValue(); + if (exists) { aRes.setRenderParameter("path", filePath); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE= ); } else - { = + { aRes.setRenderParameter("path", parentPath); aRes.setRenderParameter("op", CMSAdminConstants.OP_MAIN); } } - else if(CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op)) + else if (CMSAdminConstants.OP_MODIFYANDAPPROVE.equals(op)) { boolean hasWriteAccess =3D this.hasWriteAccess(aReq, aReq.getP= arameter("path")); - if(!hasWriteAccess) + if (!hasWriteAccess) { throw new CMSException("Access to this resource is denied"); } - = + String modifiedContent =3D aReq.getParameter("elm1"); String processId =3D aReq.getParameter("pid"); String path =3D aReq.getParameter("path"); String sManager =3D aReq.getUser().getUserName(); - = + try { //Apply this modifiedContent instead of the one published b= y the original author @@ -1707,7 +1703,7 @@ aRes.setRenderParameter("op", from); } return; - } = + } aRes.setRenderParameter("path", path); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); } @@ -1723,7 +1719,7 @@ = aRes.setRenderParameter("path", path); aRes.setRenderParameter("op", CMSAdminConstants.OP_VIEWFILE); - } = + } } else { 
@@ -1743,7 +1739,7 @@ { if (sNavPath =3D=3D null) { - sNavPath =3D "/"; + sNavPath =3D SLASH; } Command listCMD =3D CMSService.getCommandFactory().createFolderGetLi= stCommand(sNavPath); Folder mainFolder =3D (Folder)CMSService.execute(listCMD); @@ -1906,11 +1902,11 @@ = if (portletRequest.getUserPrincipal() !=3D null) { - if(portletRequest.getUserPrincipal().getName().equals(this.aut= horizationManager.getProvider().getRoot().getUserName())) + if (portletRequest.getUserPrincipal().getName().equals(this.au= thorizationManager.getProvider().getRoot().getUserName())) { return true; } - = + //Not the Root User. so now make sure the Portlet is accessibl= e to the User that is logged in User user =3D this.userModule.findUserByUserName(portletReques= t.getUserPrincipal().getName()); String uri =3D this.authorizationManager.getProvider().getUser= URI(user.getUserName()); @@ -1958,7 +1954,6 @@ } = /** - * = * @param portletRequest * @return */ @@ -2065,26 +2060,26 @@ this.setApprovePublish(null); } } - = + private void filterResourceBySecurity(List resources, PortalCMSSecurity= Context securityContext) { - = + } - = + private boolean hasWriteAccess(PortletRequest request, String path) { boolean hasAccess =3D false; - = + User user =3D null; - if(request instanceof JBossRenderRequest) + if (request instanceof JBossRenderRequest) { user =3D ((JBossRenderRequest)request).getUser(); } - else if(request instanceof JBossActionRequest) + else if (request instanceof JBossActionRequest) { user =3D ((JBossActionRequest)request).getUser(); } - = + try { user =3D userModule.findUserById(user.getId()); 
@@ -2097,11 +2092,11 @@ PortalCMSSecurityContext securityContext =3D new PortalCMSSecurityCo= ntext(user); File file =3D new FileImpl(); file.setBasePath(path); - securityContext.setAttribute("command", CMSService.getCommandFactory= ().createFileUpdateCommand(file)); = + securityContext.setAttribute("command", CMSService.getCommandFactory= ().createFileUpdateCommand(file)); = PortalPermission cmsPermission =3D new CMSPermission(securityContext= ); hasAccess =3D this.authorizationManager.checkPermission(cmsPermissio= n); - = + return hasAccess; } } \ No newline at end of file --===============0992530148994802591==--