Added validation to reject things disallowed on the current user

6 years ago · 983d688cce
parent a4c62f6860
commit 983d688cce
2 changed files with 16 additions and 0 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/validator/UserSettingsValidator.java
@ -29,6 +29,8 @@ import org.springframework.stereotype.Component;
 import org.springframework.validation.Errors;
 import org.springframework.validation.Validator;

+import javax.servlet.http.HttpServletRequest;
+
 /**
 * Validator for {@link UserSettingsController}.
 *
@ -41,6 +43,8 @@ public class UserSettingsValidator implements Validator {
    private SecurityService securityService;
    @Autowired
    private SettingsService settingsService;
+    @Autowired
+    private HttpServletRequest request;

    /**
     * {@inheritDoc}
@ -85,6 +89,16 @@ public class UserSettingsValidator implements Validator {
            errors.rejectValue("password", "usersettings.passwordnotsupportedforldap");
        }

+        if (securityService.getCurrentUser(request).getUsername().equals(username)) {
+            // These errors don't need translation since the option isn't exposed to the user
+            if (command.isDeleteUser()) {
+                errors.rejectValue("deleteUser", null, "Cannot delete the current user");
+            }
+            if (! command.isAdminRole()) {
+                errors.rejectValue("adminRole", null, "Cannot remove admin from the current user");
+            }
+        }
+
    }

 }
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/userSettings.jsp
@ -66,6 +66,7 @@
            <tr style="${command.currentUser ? 'display:none' : ''}">
                <td><form:checkbox path="adminRole" id="admin" cssClass="checkbox"/></td>
                <td><label for="admin"><fmt:message key="usersettings.admin"/></label></td>
+                <td class="warning"><form:errors path="adminRole"/></td>
            </tr>
            <tr>
                <td><form:checkbox path="settingsRole" id="settings" cssClass="checkbox"/></td>
@ -141,6 +142,7 @@
            <tr>
                <td><form:checkbox path="deleteUser" id="delete" cssClass="checkbox"/></td>
                <td><label for="delete"><fmt:message key="usersettings.delete"/></label></td>
+                <td class="warning"><form:errors path="deleteUser"/></td>
            </tr>
        </table>
    </c:if>