java/code/src/com/redhat/rhn/frontend/action/errata/AddPackagesAction.java | 1
java/code/src/com/redhat/rhn/frontend/action/user/DeleteUserAction.java | 5 ++--
java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml | 3 ++
java/code/src/com/redhat/rhn/frontend/struts/RequestContext.java | 12
++++++++++
4 files changed, 19 insertions(+), 2 deletions(-)
New commits:
commit d3f52a06f3b992403293f0149c9a628c8c6da787
Author: Justin Sherrill <jsherril(a)redhat.com>
Date: Tue Dec 15 15:16:24 2009 -0500
adding post checking to a couple of pages
diff --git a/java/code/src/com/redhat/rhn/frontend/action/errata/AddPackagesAction.java
b/java/code/src/com/redhat/rhn/frontend/action/errata/AddPackagesAction.java
index 36af626..a1bdf4b 100644
--- a/java/code/src/com/redhat/rhn/frontend/action/errata/AddPackagesAction.java
+++ b/java/code/src/com/redhat/rhn/frontend/action/errata/AddPackagesAction.java
@@ -86,6 +86,7 @@ public class AddPackagesAction extends RhnAction implements Listable {
helper.execute();
if (helper.isDispatched()) {
+ context.requirePost();
Long eid = context.getRequiredParam("eid");
StrutsDelegate strutsDelegate = getStrutsDelegate();
return
strutsDelegate.forwardParam(actionMapping.findForward("confirm"),
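Review bot: Requiring POST inside the dispatched branch stops only the link- or image-triggered (GET) form of cross-site request forgery; a cross-origin HTML form can still submit a POST, so unless RhnAction or the list helper already validates a per-session token somewhere not visible here, the dispatched branch still needs that check as well. The same applies to the `requestContext.requirePost();` added at the top of DeleteUserAction.execute(). Placing the call after helper.execute() looks intentional, since the page itself is served by GET and only the submission must be rejected; a one-line comment such as `// only the submit (dispatched) path must be a POST; the listing itself is a GET` would make that ordering explicit to the next reader. The enclosing execute() method starts and ends outside the hunk.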
diff --git a/java/code/src/com/redhat/rhn/frontend/action/user/DeleteUserAction.java
b/java/code/src/com/redhat/rhn/frontend/action/user/DeleteUserAction.java
index d17484b..daf5a08 100644
--- a/java/code/src/com/redhat/rhn/frontend/action/user/DeleteUserAction.java
+++ b/java/code/src/com/redhat/rhn/frontend/action/user/DeleteUserAction.java
@@ -50,7 +50,8 @@ public class DeleteUserAction extends RhnAction {
HttpServletResponse response) {
RequestContext requestContext = new RequestContext(request);
-
+ requestContext.requirePost();
+
if (!AclManager.hasAcl("user_role(org_admin)",
request, null)) {
//Throw an exception with a nice error message so the user
@@ -84,7 +85,7 @@ public class DeleteUserAction extends RhnAction {
return
getStrutsDelegate().forwardParams(mapping.findForward("failure"),
params);
}
-
+
try {
UserManager.deleteUser(loggedInUser, uid);
}
diff --git a/java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml
b/java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml
index 740caf3..e2683be 100644
--- a/java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml
+++ b/java/code/src/com/redhat/rhn/frontend/strings/java/StringResource_en_US.xml
@@ -8448,6 +8448,9 @@ Follow this url to see the full list of inactive systems:
<trans-unit id="package.jsp.key.unkown">
<source>(Unknown)</source>
</trans-unit>
+ <trans-unit id="request.post.check">
+ <source>This action requires a POST request, but this was not
one.</source>
+ </trans-unit>
<trans-unit id="kickstart.cobbler.distro.syncfail">
<source>
The following is a list of errors gathered while Spacewalk attempts to
diff --git a/java/code/src/com/redhat/rhn/frontend/struts/RequestContext.java
b/java/code/src/com/redhat/rhn/frontend/struts/RequestContext.java
index 1be782b..692cbd1 100644
--- a/java/code/src/com/redhat/rhn/frontend/struts/RequestContext.java
+++ b/java/code/src/com/redhat/rhn/frontend/struts/RequestContext.java
@@ -17,6 +17,7 @@ package com.redhat.rhn.frontend.struts;
import com.redhat.rhn.common.conf.Config;
import com.redhat.rhn.common.conf.ConfigDefaults;
import com.redhat.rhn.common.localization.LocalizationService;
+import com.redhat.rhn.common.security.PermissionException;
import com.redhat.rhn.domain.errata.Errata;
import com.redhat.rhn.domain.kickstart.KickstartData;
import com.redhat.rhn.domain.kickstart.KickstartFactory;
@@ -110,6 +111,7 @@ public class RequestContext {
public static final String NO_SCRIPT = "noscript";
/** the name of the Red Hat session cookie */
public static final String WEB_SESSION_COOKIE_NAME = "pxt-session-cookie";
+ public static final String POST = "POST";
private HttpServletRequest request;
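Review bot: The new POST constant is public but has no Javadoc, while the neighbouring NO_SCRIPT and WEB_SESSION_COOKIE_NAME constants each carry one; add `/** HTTP method name that {@link #requirePost()} accepts */` above it. If nothing outside this class needs the value, `private static final` would keep the class's public surface unchanged by this commit.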
@@ -726,4 +728,14 @@ public class RequestContext {
return Boolean.TRUE.toString().equals(getParam(RhnAction.SUBMITTED, false));
}
+ /**
+ * verify that the request is a POST and throw an exception otherwise.
+ */
+ public void requirePost() {
+ if (!POST.equals(request.getMethod())) {
+ throw new PermissionException(
+
LocalizationService.getInstance().getMessage("request.post.check"));
+ }
+ }
+
}
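Review bot: The Javadoc on requirePost() does not declare the exception it throws, which the Struts actions calling it in this commit need to know since the failure surfaces to the user; add `@throws PermissionException if the request method is not POST`. It would also help to state in the summary sentence that this is a guard against accidental or cross-site GET submissions rather than an authorization check, because reusing PermissionException otherwise reads as "not allowed" instead of "wrong method". The `POST.equals(request.getMethod())` form is null-safe and HTTP method names are case-sensitive, so the exact-match comparison itself is fine.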