VIVO-581 Restrict access, and don’t give out the DB password.

2013-12-10 14:59:30 -05:00 · 2013-12-10 14:59:30 -05:00 · d4443fe601
commit d4443fe601
parent 0c79185254
3 changed files with 13 additions and 3 deletions
--- a/webapp/rdf/auth/everytime/permission_config.n3
+++ b/webapp/rdf/auth/everytime/permission_config.n3
@ -20,6 +20,7 @@ auth:ADMIN
    auth:hasPermission simplePermission:ManageUserAccounts ;
    auth:hasPermission simplePermission:RebuildVClassGroupCache ;
    auth:hasPermission simplePermission:RefreshVisualizationCache ;
+    auth:hasPermission simplePermission:SeeConfiguration ;
    auth:hasPermission simplePermission:SeeStartupStatus ;
    auth:hasPermission simplePermission:UseAdvancedDataToolsPages ;
    auth:hasPermission simplePermission:UseMiscellaneousAdminPages ;
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/permissions/SimplePermission.java
@ -64,6 +64,8 @@ public class SimplePermission extends Permission {
 		NAMESPACE + "RebuildVClassGroupCache");
 	public static final SimplePermission REFRESH_VISUALIZATION_CACHE = new SimplePermission(
 		NAMESPACE + "RefreshVisualizationCache");
+	public static final SimplePermission SEE_CONFIGURATION = new SimplePermission(
+			NAMESPACE + "SeeConfiguration");
 	public static final SimplePermission SEE_INDVIDUAL_EDITING_PANEL = new SimplePermission(
 		NAMESPACE + "SeeIndividualEditingPanel");
 	public static final SimplePermission SEE_REVISION_INFO = new SimplePermission(
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowConfiguration.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/admin/ShowConfiguration.java
@ -8,6 +8,7 @@ import java.util.Properties;
 import java.util.SortedMap;
 import java.util.TreeMap;

+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.config.ConfigurationProperties;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
@ -21,7 +22,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.freemarker.responsevalues.Tem
 public class ShowConfiguration extends FreemarkerHttpServlet {
 	@Override
 	protected Actions requiredActions(VitroRequest vreq) {
-		return Actions.AUTHORIZED;
+		return SimplePermission.SEE_CONFIGURATION.ACTIONS;
 	}

 	@Override
@ -34,8 +35,14 @@ public class ShowConfiguration extends FreemarkerHttpServlet {

 	private SortedMap<String, String> getConfigurationProperties(
 			VitroRequest vreq) {
-		return new TreeMap<>(ConfigurationProperties.getBean(vreq)
-				.getPropertyMap());
+		ConfigurationProperties props = ConfigurationProperties.getBean(vreq);
+		TreeMap<String, String> map = new TreeMap<>(props.getPropertyMap());
+		for (String key : map.keySet()) {
+			if (key.toLowerCase().endsWith("password")) {
+				map.put(key, "********");
+			}
+		}
+		return map;
 	}

 	private SortedMap<String, String> getSystemProperties() {