From bdelacre...@apache.org
Subject svn commit: r1560342 - in /sling/trunk: bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/ launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/
Date Wed, 22 Jan 2014 13:10:25 GMT
Author: bdelacretaz
Date: Wed Jan 22 13:10:25 2014
New Revision: 1560342

URL: http://svn.apache.org/r1560342
Log:
SLING-3203 - :delete POST operation fails with 403 if the request includes selectors, extension
or suffix

Added:
    sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/PostServletDeleteParentTest.java
Modified:
    sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/DeleteOperation.java

Modified: sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/DeleteOperation.java
URL: http://svn.apache.org/viewvc/sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/DeleteOperation.java?rev=1560342&r1=1560341&r2=1560342&view=diff
==============================================================================
--- sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/DeleteOperation.java
(original)
+++ sling/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/operations/DeleteOperation.java
Wed Jan 22 13:10:25 2014
@@ -21,8 +21,10 @@ import java.util.List;
 
 import javax.jcr.Node;
 import javax.jcr.RepositoryException;
+import javax.servlet.http.HttpServletResponse;
 
 import org.apache.sling.api.SlingHttpServletRequest;
+import org.apache.sling.api.request.RequestPathInfo;
 import org.apache.sling.api.resource.PersistenceException;
 import org.apache.sling.api.resource.Resource;
 import org.apache.sling.servlets.post.AbstractPostOperation;
@@ -52,6 +54,19 @@ public class DeleteOperation extends Abs
     protected void doRun(final SlingHttpServletRequest request,
             final PostResponse response, final List<Modification> changes)
             throws RepositoryException {
+
+        // SLING-3203: selectors, extension and suffix make no sense here and
+        // might lead to deleting other resources than the one the user means.
+        final RequestPathInfo rpi = request.getRequestPathInfo();
+        if( (rpi.getSelectors() != null && rpi.getSelectors().length > 0) 
+                || (rpi.getExtension() != null && rpi.getExtension().length() >
0)
+                || (rpi.getSuffix() != null && rpi.getSuffix().length() > 0))
{
+            response.setStatus(
+                    HttpServletResponse.SC_FORBIDDEN, 
+                    "DeleteOperation request cannot include any selectors, extension or suffix");
+            return;
+        }
+        
         final VersioningConfiguration versioningConfiguration = getVersioningConfiguration(request);
         final boolean deleteChunks = isDeleteChunkRequest(request);
         final Iterator<Resource> res = getApplyToResources(request);
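Review bot: The guard at the top of doRun repeats the same null-and-length test three times and calls `rpi.getSelectors()` twice; a small private helper keeps the intent readable, e.g. `private static boolean present(final String s) { return s != null && !s.isEmpty(); }` with the condition becoming `if (present(rpi.getSelectorString()) || present(rpi.getExtension()) || present(rpi.getSuffix()))`. The refusal is otherwise invisible on the server side: if the class has a logger, logging the refused request path at debug level next to the 403 lets an operator distinguish this rejection from an access-control denial. The comment above the check could also state the consequence for callers, e.g. `// Reject rather than resolve: the delete target must be exactly the request's resource path.` doRun's body continues past the end of the hunk.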

Added: sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/PostServletDeleteParentTest.java
URL: http://svn.apache.org/viewvc/sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/PostServletDeleteParentTest.java?rev=1560342&view=auto
==============================================================================
--- sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/PostServletDeleteParentTest.java
(added)
+++ sling/trunk/launchpad/integration-tests/src/main/java/org/apache/sling/launchpad/webapp/integrationtest/servlets/post/PostServletDeleteParentTest.java
Wed Jan 22 13:10:25 2014
@@ -0,0 +1,89 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sling.launchpad.webapp.integrationtest.servlets.post;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.apache.commons.httpclient.methods.PostMethod;
+import org.apache.sling.commons.testing.integration.HttpTest;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+
+/** SLING-3203 - POST servlet should not delete parent
+ *  of non-existing node */
+@RunWith(Parameterized.class)
+public class PostServletDeleteParentTest {
+    private final HttpTest H = new HttpTest();
+    private static final String TEST_PATH = PostServletDeleteParentTest.class.getSimpleName()
+ "/" + System.currentTimeMillis();
+    private final String deletePath;
+    private final static String EXISTING_PATH = "test/some.node"; 
+    
+    @Parameters(name="{0}")
+    public static Collection<Object[]> data() {
+        final List<Object []> result = new ArrayList<Object []>();
+        result.add(new Object[] { "test.other/nothing" });
+        result.add(new Object[] { "test.other" });
+        result.add(new Object[] { "test.html" });
+        result.add(new Object[] { "test/some.node.html" });
+        result.add(new Object[] { "test/some.node.selector.html" });
+        result.add(new Object[] { "test/some.node.selector.html/another" });
+        return result;
+    }
+    
+    public PostServletDeleteParentTest(String deletePath) {
+        this.deletePath = deletePath;
+    }
+
+    @Before
+    public void setup() throws Exception {
+        H.setUp();
+    }
+    
+    @After
+    public void cleanup() throws Exception {
+        H.getTestClient().delete(HttpTest.HTTP_BASE_URL + "/" + TEST_PATH);
+        H.tearDown();
+    }
+ 
+    @Test
+    public void testDeleteNonExisting() throws Exception {
+        final String path = TEST_PATH + "/" + EXISTING_PATH;
+        final String testNodeUrl = H.getTestClient().createNode(HttpTest.HTTP_BASE_URL +
"/" + path, null);
+        assertTrue("Expecting created node path to end with " + path, testNodeUrl.endsWith(path));
+        H.assertHttpStatus(testNodeUrl + ".json", 200, "Expecting test node to exist before
test");
+
+        // POST :delete to non-existing child node with a path that
+        // generates selector + suffix
+        final String selectorsPath = TEST_PATH + "/" + deletePath;
+        final PostMethod post = new PostMethod(HttpTest.HTTP_BASE_URL + "/" + selectorsPath);
+        post.setParameter(":operation",  "delete");
+        final int status = H.getHttpClient().executeMethod(post);
+        assertEquals("Expecting 403 status for delete operation", 403, status);
+
+        // Test node should still be here
+        H.assertHttpStatus(testNodeUrl + ".json", 200, "Expecting test node to exist after
test");
+    }
+}
\ No newline at end of file
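Review bot: The class Javadoc says the servlet "should not delete parent of non-existing node", but what the test actually pins is that each parameterized path yields a 403 and leaves the existing node in place; a Javadoc that states both keeps the test readable, e.g. `/** SLING-3203 - a :delete POST whose path carries selectors, extension or suffix must be rejected with 403 and must leave the existing node untouched. */`. The six data() entries would also benefit from a one-line comment saying which part of the path each one exercises (selector, extension, suffix, or a combination), since that is the whole point of the parameterization. The field `H` reads like a constant but is a per-instance HttpTest; a lowercase name such as `http` would match the `lowerCamelCase` convention used elsewhere in the file.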


