From 198d54de7bf984be7274a23fcd95823b871bd651 Mon Sep 17 00:00:00 2001
From: Piotr Gawron <piotr.gawron@uni.lu>
Date: Wed, 28 Aug 2019 16:22:14 +0200
Subject: [PATCH] disable access to admin panel for anonymous user

---
 CHANGELOG                          |  2 ++
 frontend-js/src/main/js/minerva.js | 11 +++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 65aa1b9b07..b748935616 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -49,6 +49,8 @@ minerva (14.0.0~beta.0) unstable; urgency=low
   * Bug fix: too long name for data overlay in info window is trimmed (#919)
   * Bug fix: too long name in general overlay list is wrapped (#857)
   * Bug fix: after genome is removed list of genomes is refreshed (#922)
+  * Bug fix: when session expired anonymous user could access admin panel with
+    very limited access (#928)
 
  -- Piotr Gawron <piotr.gawron@uni.lu>  Mon, 21 Aug 2019 21:00:00 +0200
 
diff --git a/frontend-js/src/main/js/minerva.js b/frontend-js/src/main/js/minerva.js
index d79a2d7c26..15f20b4ad3 100644
--- a/frontend-js/src/main/js/minerva.js
+++ b/frontend-js/src/main/js/minerva.js
@@ -882,16 +882,15 @@ function createAdmin(params) {
   params.getElement().style.display = "table";
   params.getElement().innerHTML = "<div style='vertical-align:middle;display:table-cell;text-align: center'>"
     + "<img src='resources/images/icons/ajax-loader.gif'/>" + "</div>";
-  if (ServerConnector.getSessionData(null).getLogin() === "anonymous" ||
-    ServerConnector.getSessionData(null).getLogin() === null ||
-    ServerConnector.getSessionData(null).getLogin() === undefined) {
-    window.location.href = ServerConnector.getServerBaseUrl() + "login.xhtml?from=" + encodeURI(window.location.href);
-    return Promise.resolve()
-  }
 
   var result;
   // make sure that we are logged in
   return ServerConnector.createSession().then(function () {
+    if (ServerConnector.getSessionData(null).getLogin() === "anonymous" ||
+      ServerConnector.getSessionData(null).getLogin() === null ||
+      ServerConnector.getSessionData(null).getLogin() === undefined) {
+      window.location.href = ServerConnector.getServerBaseUrl() + "login.xhtml?from=" + encodeURI(window.location.href);
+    }
     return ServerConnector.getConfiguration();
   }).then(function (configuration) {
     params.setConfiguration(configuration);
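Review bot: After `window.location.href` is assigned inside the new `then` callback, control falls through to `return ServerConnector.getConfiguration();`, so unlike the removed top-level check (which returned `Promise.resolve()`), the configuration fetch and the following `.then` steps still run for an anonymous or expired session while the browser is navigating away; an explicit early exit after the redirect (a rejected promise, or a sentinel the later steps check) would stop the chain, though the rest of `createAdmin` is outside the hunk so the right form depends on how those later steps treat it. The `from` parameter is built with `encodeURI`, which leaves `&`, `=` and `#` unescaped, so a current URL that carries a query string or fragment is truncated or mis-parsed when `login.xhtml` reads it back; `"login.xhtml?from=" + encodeURIComponent(window.location.href)` encodes it as a single parameter value. The session lookup is repeated three times in the condition; `var login = ServerConnector.getSessionData(null).getLogin();` followed by `if (login === "anonymous" || login == null)` reads more clearly and matches the intent. The hunk does not show whether the admin endpoints themselves reject an anonymous session server-side, which is what ultimately decides whether the limited access described in the changelog is closed rather than just hidden.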
-- 
GitLab