VIVO-825 do not allow access to APIs if the account is not in a valid state.

Before testing the password, test that the account is well-formed: first name, last name, email.
After testing the password, check to see whether a password change is required.
Jim Blake 2014-12-09 12:26:49 -05:00
parent d1b07bcffc
commit 5a54fa171b


@ -46,6 +46,13 @@ public class VitroApiServlet extends HttpServlet {
Authenticator auth = Authenticator.getInstance(req); Authenticator auth = Authenticator.getInstance(req);
UserAccount account = auth.getAccountForInternalAuth(email); UserAccount account = auth.getAccountForInternalAuth(email);
if (auth.accountRequiresEditing(account)) {
log.debug("Account " + email + " requires editing.");
throw new AuthException("user account must include first and "
+ "last names and a valid email address.");
}
if (!auth.isCurrentPassword(account, password)) { if (!auth.isCurrentPassword(account, password)) {
log.debug("Invalid: '" + email + "'/'" + password + "'"); log.debug("Invalid: '" + email + "'/'" + password + "'");
throw new AuthException("email/password combination is not valid"); throw new AuthException("email/password combination is not valid");
@ -57,6 +64,11 @@ public class VitroApiServlet extends HttpServlet {
throw new AuthException("Account is not authorized"); throw new AuthException("Account is not authorized");
} }
if (account.isPasswordChangeRequired()) {
log.debug("Account " + email + " requires a new password.");
throw new AuthException("user account requires a new password.");
}
log.debug("Authorized for '" + email + "'"); log.debug("Authorized for '" + email + "'");
} }
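Review bot: The accountRequiresEditing check in the first hunk runs before isCurrentPassword and throws a distinct message, so an unauthenticated caller who only knows an email can learn that the account exists and is in an incomplete state without presenting a valid password; the same applies to the message itself, which differs from the generic "email/password combination is not valid". Moving the `if (auth.accountRequiresEditing(account)) { ... }` block to just after the password check (or throwing the generic credential message from it) keeps the state-specific detail behind a successful authentication, as the second hunk already does for isPasswordChangeRequired. It is not visible here whether accountRequiresEditing tolerates a null account for an unknown email, so that should be confirmed if the ordering is kept. While touching this method, the context line `log.debug("Invalid: '" + email + "'/'" + password + "'")` writes the submitted password to the log in plaintext and should log only the email. The enclosing method begins before the first hunk.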