changeset 1303:a0da035cc831

Do not allow access to unknown classes.
author Raimund Renkert <raimund.renkert@intevation.de>
date Tue, 28 Feb 2017 14:03:51 +0100
parents 1bf808b67403
children e51c56914e52
files src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java
diffstat 1 files changed, 3 insertions(+), 5 deletions(-) [+]
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java	Tue Feb 28 09:47:54 2017 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java	Tue Feb 28 14:03:51 2017 +0100
@@ -137,9 +137,8 @@
             return data;
         }
         Authorizer authorizer = authorizers.get(clazz);
-        //This is a hack... Allows wildcard for unknown classes.
         if (authorizer == null) {
-            return data;
+            return new Response(false, 699, null);
         }
         return authorizer.filter(data, userInfo, clazz);
     }
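Review bot: The new deny branch returns a bare `699` in `return new Response(false, 699, null);`, so a reader cannot tell which status this is without looking elsewhere; a named constant for the "not allowed" code would make the fail-closed intent explicit. The branch also rejects silently: a class that merely lacks an entry in `authorizers` now looks the same to operators as a genuine denial, so a warning that names `clazz` would help, assuming a logger is available in this class (not visible here). The same applies to the two `return false;` branches in the later hunks. A short comment such as `// Fail closed: no authorizer registered for this class.` could stand in for the removed one. The enclosing method starts outside the hunk.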
@@ -244,7 +243,7 @@
         Authorizer authorizer = authorizers.get(clazz);
         //This is a hack... Allows wildcard for unknown classes.
         if (authorizer == null) {
-            return true;
+            return false;
         }
         return authorizer.isAuthorized(data, RequestMethod.GET, userInfo, clazz);
     }
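Review bot: The context comment `//This is a hack... Allows wildcard for unknown classes.` is still present above `if (authorizer == null)` in this hunk, but the branch now returns `false`, so the comment states the opposite of what the code does. The other two hunks delete that line; this one should too, or replace it with `// Deny by default: no authorizer registered for this class.`. A stale "allows" comment on an authorization check invites a later change back to the permissive behaviour. The method's signature is outside the hunk.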
@@ -263,9 +262,8 @@
         Class<T> clazz
     ) {
         Authorizer authorizer = authorizers.get(clazz);
-        //This is a hack... Allows wildcard for unknown classes.
         if (authorizer == null) {
-            return true;
+            return false;
         }
         return authorizer.isAuthorized(data, RequestMethod.POST, userInfo, clazz);
     }