From 02b18f8e84b6a4864563a125239327e6dac68f6d Mon Sep 17 00:00:00 2001
From: Piotr Gawron
Date: Mon, 25 Feb 2019 13:26:05 +0100
Subject: [PATCH 1/2] default privileges are available for everyone
---
 .../mapviewer/model/user/ConfigurationElementType.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/model/src/main/java/lcsb/mapviewer/model/user/ConfigurationElementType.java b/model/src/main/java/lcsb/mapviewer/model/user/ConfigurationElementType.java
index e0d5a1590..aaaca22b6 100644
--- a/model/src/main/java/lcsb/mapviewer/model/user/ConfigurationElementType.java
+++ b/model/src/main/java/lcsb/mapviewer/model/user/ConfigurationElementType.java
@@ -184,13 +184,13 @@ public enum ConfigurationElementType {
 ConfigurationElementEditType.TEXT, false, ConfigurationElementTypeGroup.EMAIL_NOTIFICATION),
 DEFAULT_VIEW_PROJECT("Default user privilege for: " + PrivilegeType.VIEW_PROJECT.getCommonName(), "true",
- ConfigurationElementEditType.BOOLEAN, true, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
+ ConfigurationElementEditType.BOOLEAN, false, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
 DEFAULT_EDIT_COMMENTS_PROJECT("Default user privilege for: " + PrivilegeType.EDIT_COMMENTS_PROJECT.getCommonName(),
- "false", ConfigurationElementEditType.BOOLEAN, true, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
+ "false", ConfigurationElementEditType.BOOLEAN, false, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
 DEFAULT_LAYOUT_MANAGEMENT("Default user privilege for: " + PrivilegeType.LAYOUT_MANAGEMENT.getCommonName(), "false",
- ConfigurationElementEditType.BOOLEAN, true, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
+ ConfigurationElementEditType.BOOLEAN, false, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
 SHOW_REACTION_TYPE("Show reaction type", "true", ConfigurationElementEditType.BOOLEAN, false, ConfigurationElementTypeGroup.SEARCH_VISIBLE_PARAMETERS),
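Review bot: The four `true` → `false` flips (three in this hunk plus `DEFAULT_CUSTOM_LAYOUTS` in the following one) change a bare positional boolean whose meaning is not visible in the hunk. Judging by the commit title and by the LDAP entries that keep `true`, it appears to mark options that are withheld from non-privileged clients. If that reading is right, the default-privilege settings become readable by every caller, so please confirm that the flag gates read access only and that changing these options still requires an administrator. Once confirmed, a comment above the group would record the decision, e.g. `// readable by all clients: the UI needs the defaults; values are not secret and stay admin-writable`. The enum body starts and ends outside the hunk.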
@@ -232,7 +232,7 @@ public enum ConfigurationElementType {
 ConfigurationElementEditType.STRING, true, ConfigurationElementTypeGroup.LDAP_CONFIGURATION),
 DEFAULT_CUSTOM_LAYOUTS("Default user privilege for: " + PrivilegeType.CUSTOM_LAYOUTS.getCommonName(), "0",
- ConfigurationElementEditType.INTEGER, true, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
+ ConfigurationElementEditType.INTEGER, false, ConfigurationElementTypeGroup.DEFAULT_USER_PRIVILEGES),
 LDAP_UID("LDAP login (user id)", "uid", ConfigurationElementEditType.STRING, true, ConfigurationElementTypeGroup.LDAP_CONFIGURATION),
-- GitLab
From 1267da3174b5b9f676bf6e7dc8d4a861e338c77d Mon Sep 17 00:00:00 2001
From: Piotr Gawron
Date: Mon, 25 Feb 2019 16:36:44 +0100
Subject: [PATCH 2/2] enforcing session invalidation on logout
---
 .../src/main/java/lcsb/mapviewer/api/users/UserController.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
index e8f49bd81..086d8bc3e 100644
--- a/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
+++ b/rest-api/src/main/java/lcsb/mapviewer/api/users/UserController.java
@@ -154,9 +154,10 @@ public class UserController extends BaseController {
 if (auth != null) {
 new SecurityContextLogoutHandler().logout(request, response, auth);
 }
+ //for some reason spring doesn't invalidate sessionRegistry data on logout
+ userService.logout(token);
 Map result = new TreeMap<>();
- result.put("status", "OK");
 final Boolean useSecureCookie = false;
 final String cookiePath = "/";
-- GitLab
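Review bot: In the `UserController` hunk, `userService.logout(token)` runs on whatever `token` the request supplied, and no handling for a missing, unknown or already-expired token is visible here. If the call can throw in those cases, the lines after it that build the response and reset the cookie never run, so the client would keep a stale cookie; confirm that it is a no-op for unknown tokens, or guard it. The "for some reason" comment also hides the likely cause: Spring's `SessionRegistry` is cleaned up through session-destroyed events, which are only published when `HttpSessionEventPublisher` is registered, so check whether that listener is missing. Either register it or state the reason, e.g. `// SessionRegistry is only updated via session-destroyed events; expire the entry explicitly so the token is rejected after logout`. The method starts and ends outside the hunk.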