
Misc fixes and improvements
- Check extensions of uploaded files to deny webshell uploading
- Forbid an admin from deleting or demoting himself
- Improve error pages
- Disable Struts devmode
gousaiyang committed May 18, 2018
1 parent c5b1755 commit 43b901e
Showing 6 changed files with 90 additions and 64 deletions.
91 changes: 51 additions & 40 deletions src/main/java/bookstore/action/AdminUserAction.java
Expand Up @@ -19,18 +19,18 @@ public class AdminUserAction extends BaseAction {
private String password;
private String passwordConfirm;
private String nickname;
private String avatar;
private String avatar;
private String balance;
private String role;

private String addresses;

private Object retJson;

private AppService appService;

// Getters and setters

public String getId() {
return StringUtil.replaceNull(id);
}
Expand Down Expand Up @@ -118,17 +118,16 @@ public AppService getAppService() {
public void setAppService(AppService appService) {
this.appService = appService;
}



// Actions

public String allUsersView() throws Exception {
User user = (User) session().getAttribute("user");
if (user == null)
return LOGIN;
if (!user.isAdmin())
return "forbidden";

setPageTitle("网上书店管理系统 - 用户管理");
setViewProfile();
return SUCCESS;
Expand All @@ -144,11 +143,11 @@ public String getAllUsers() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

retJson = appService.getAllUsers();
return SUCCESS;
}

public String getUserDetail() throws Exception {
User user = (User) session().getAttribute("user");
if (user == null) {
Expand All @@ -159,23 +158,23 @@ public String getUserDetail() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

Validator vd = new Validator(getId(), "编号");
if (!vd.validateNotEmpty() || !vd.validatePositiveInt()) {
retJson = vd.getFailureMessage();
return ERROR;
}

UserDetail userDetail = appService.getUserDetailById(Integer.parseInt(getId()), true);
if (userDetail == null) {
retJson = new FailureMessage("该用户编号不存在。");
return NONE;
}

retJson = userDetail;
return SUCCESS;
}

public String addUser() throws Exception {
User currentUser = (User) session().getAttribute("user");
if (currentUser == null) {
Expand All @@ -186,9 +185,10 @@ public String addUser() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

Validator vd = new Validator(getUsername(), "用户名");
if (!vd.validateNotEmpty() || !vd.validatePattern("^[-_0-9a-zA-Z]{5,}$", "用户名只能由字母、数字、破折号(-)和下划线(_)组成,且最小长度为 5 个字符。")) {
if (!vd.validateNotEmpty()
|| !vd.validatePattern("^[-_0-9a-zA-Z]{5,}$", "用户名只能由字母、数字、破折号(-)和下划线(_)组成,且最小长度为 5 个字符。")) {
retJson = vd.getFailureMessage();
return ERROR;
}
Expand Down Expand Up @@ -221,14 +221,14 @@ public String addUser() throws Exception {
retJson = vd.getFailureMessage();
return ERROR;
}

if (appService.usernameExists(getUsername())) {
retJson = new FailureMessage("用户名 " + getUsername() + " 已经存在。");
return ERROR;
}
retJson = new SuccessMessage(appService.addUser(getUsername(), getPassword(), getNickname(),
getAvatar(), getBalance(), getRole()));

retJson = new SuccessMessage(
appService.addUser(getUsername(), getPassword(), getNickname(), getAvatar(), getBalance(), getRole()));
return SUCCESS;
}

Expand All @@ -242,14 +242,15 @@ public String updateUser() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

Validator vd = new Validator(getId(), "编号");
if (!vd.validateNotEmpty() || !vd.validatePositiveInt()) {
retJson = vd.getFailureMessage();
return ERROR;
}
vd = new Validator(getUsername(), "用户名");
if (!vd.validateNotEmpty() || !vd.validatePattern("^[-_0-9a-zA-Z]{5,}$", "用户名只能由字母、数字、破折号(-)和下划线(_)组成,且最小长度为 5 个字符。")) {
if (!vd.validateNotEmpty()
|| !vd.validatePattern("^[-_0-9a-zA-Z]{5,}$", "用户名只能由字母、数字、破折号(-)和下划线(_)组成,且最小长度为 5 个字符。")) {
retJson = vd.getFailureMessage();
return ERROR;
}
Expand Down Expand Up @@ -279,24 +280,29 @@ public String updateUser() throws Exception {
retJson = vd.getFailureMessage();
return ERROR;
}

User user = appService.getUserById(Integer.parseInt(getId()));
if (user == null) {
retJson = new FailureMessage("该用户编号不存在。");
return NONE;
}


if (user.getId() == currentUser.getId() && getRole().equals("0")) {
retJson = new FailureMessage("禁止更改当前用户权限。");
return "forbidden";
}

if (!getUsername().equals(user.getUsername()) && appService.usernameExists(getUsername())) {
retJson = new FailureMessage("用户名 " + getUsername() + " 已经存在。");
return ERROR;
}

appService.updateUser(user, getUsername(), getPassword(), getNickname(), getAvatar(), getBalance(), getRole());

retJson = new SuccessMessage();
return SUCCESS;
}

public String deleteUser() throws Exception {
User currentUser = (User) session().getAttribute("user");
if (currentUser == null) {
Expand All @@ -313,19 +319,24 @@ public String deleteUser() throws Exception {
retJson = vd.getFailureMessage();
return ERROR;
}

User user = appService.getUserById(Integer.parseInt(getId()));
if (user == null) {
retJson = new FailureMessage("该用户编号不存在。");
return NONE;
}


if (user.getId() == currentUser.getId()) {
retJson = new FailureMessage("禁止删除当前用户。");
return "forbidden";
}

appService.deleteUser(user);

retJson = new SuccessMessage();
return SUCCESS;
}

public String getAddress() throws Exception {
User currentUser = (User) session().getAttribute("user");
if (currentUser == null) {
Expand All @@ -336,19 +347,19 @@ public String getAddress() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

Validator vd = new Validator(getId(), "编号");
if (!vd.validateNotEmpty() || !vd.validatePositiveInt()) {
retJson = vd.getFailureMessage();
return ERROR;
}

int userId = Integer.parseInt(getId());
if (appService.getUserById(userId) == null) {
retJson = new FailureMessage("该用户编号不存在。");
return NONE;
}

try {
retJson = appService.getUserAddress(userId);
return SUCCESS;
Expand All @@ -357,7 +368,7 @@ public String getAddress() throws Exception {
return ERROR;
}
}

public String updateAddress() throws Exception {
User currentUser = (User) session().getAttribute("user");
if (currentUser == null) {
Expand All @@ -368,27 +379,27 @@ public String updateAddress() throws Exception {
retJson = new FailureMessage("禁止访问");
return "forbidden";
}

Validator vd = new Validator(getId(), "编号");
if (!vd.validateNotEmpty() || !vd.validatePositiveInt()) {
retJson = vd.getFailureMessage();
return ERROR;
}

int userId = Integer.parseInt(getId());
if (appService.getUserById(userId) == null) {
retJson = new FailureMessage("该用户编号不存在。");
return NONE;
}

List<String> addressArray = StringUtil.JSONStringArrayParse(addresses);
if (addressArray == null) {
retJson = new FailureMessage("收货地址数组格式不正确");
return ERROR;
}

appService.updateUserAddress(userId, addressArray);

retJson = new SuccessMessage();
return SUCCESS;
}
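Review bot: The self-protection guards added in updateUser and deleteUser compare ids with `user.getId() == currentUser.getId()`; if `User.getId()` returns a boxed `Integer` rather than a primitive, `==` is reference equality and the guard silently stops matching for ids outside the small-integer cache, so the self-demotion and self-deletion the commit sets out to block would go through. If the accessor is primitive the comparison is correct, but `Objects.equals(user.getId(), currentUser.getId())` is safe in either case and worth using in both places. The role guard in updateUser also blocks only the literal `"0"`; if any other role value lacks admin rights it is a second demotion path the check does not cover. Both method bodies start outside the hunks shown.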
43 changes: 26 additions & 17 deletions src/main/java/bookstore/action/UploadImageAction.java
@@ -1,71 +1,80 @@
package bookstore.action;

import java.io.File;
import java.util.Arrays;
import java.util.List;

import org.apache.commons.io.FilenameUtils;

import bookstore.model.result.FailureMessage;
import bookstore.model.result.SuccessMessage;
import bookstore.service.AppService;

public class UploadImageAction extends BaseAction {

private static final long serialVersionUID = 1L;

private File file;
private String filename;

private final static String uploadPath = "img/upload/";

private Object retJson;

private AppService appService;

// Getters and setters

public void setImage(File file) {
this.file = file;
this.file = file;
}

public void setImageFileName(String filename) {
this.filename = filename;
}
}

public Object getRetJson() {
return retJson;
}

public void setRetJson(Object retJson) {
this.retJson = retJson;
}

public AppService getAppService() {
return appService;
}

public void setAppService(AppService appService) {
this.appService = appService;
}

// Actions

public String execute() {

if (session().getAttribute("user") == null) {
retJson = new FailureMessage("请先登录");
return LOGIN;
}


List<String> allowedExtensions = Arrays.asList(".jpg", ".jpeg", ".png", ".bmp", ".gif");
if (allowedExtensions.indexOf(FilenameUtils.getExtension(filename)) == -1) {
retJson = new FailureMessage("上传失败!仅支持 JPG、PNG、BMP、GIF 图片格式!");
return ERROR;
}

String newFilename = appService.uploadImage(FilenameUtils.concat(application().getRealPath("/"), uploadPath),
file, filename);

if (newFilename.isEmpty()) {
retJson = new FailureMessage("上传失败!请检查文件大小和格式。");
return ERROR;
}

retJson = new SuccessMessage(newFilename);
return SUCCESS;

}

}
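Review bot: The allowlist in execute() compares `FilenameUtils.getExtension(filename)`, which returns the extension without its leading dot (`"jpg"`), against entries written with a dot (`".jpg"`), so `indexOf` is always -1 and every upload is rejected; the check is also case-sensitive, so `photo.JPG` would still fail once the dot is fixed. Normalising once and using `contains` fixes both: `List<String> allowedExtensions = Arrays.asList("jpg", "jpeg", "png", "bmp", "gif");` / `String ext = FilenameUtils.getExtension(filename).toLowerCase(Locale.ROOT);` / `if (!allowedExtensions.contains(ext)) {` (needs `java.util.Locale`). `getExtension(null)` returns null, so an absent `filename` has to be rejected before the lowercasing call. The extension test is only a first filter; the stored name should be chosen server-side inside `appService.uploadImage` rather than taken from the client-supplied `filename`, which this class cannot confirm.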
2 changes: 1 addition & 1 deletion src/main/resources/struts.xml
Expand Up @@ -5,7 +5,7 @@
"http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
<constant name="struts.i18n.encoding" value="utf-8" />
<constant name="struts.devMode" value="true" />
<constant name="struts.devMode" value="false" />
<constant name="struts.json.dateformat" value="yyyy-MM-dd HH:mm:ss" />

<package name="pages" extends="struts-default">
6 changes: 4 additions & 2 deletions src/main/webapp/WEB-INF/jsp/error/401.jsp
@@ -1,10 +1,11 @@
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8" %>
<%@ taglib prefix="s" uri="/struts-tags" %>
<% response.setStatus(401); %>
<!DOCTYPE html>
<html>
<head>
<title>Unauthorized.</title>
<title>请先登录</title>

<link href="https://fonts.googleapis.com/css?family=Lato:100" rel="stylesheet" type="text/css">

Expand Down Expand Up @@ -43,7 +44,8 @@
<body>
<div class="container">
<div class="content">
<div class="title">Unauthorized.</div>
<div class="title">请先登录!</div>
<a href="<s:url value="/home"/>">回到首页</a>
</div>
</div>
</body>
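Review bot: `<% response.setStatus(401); %>` is sent without a `WWW-Authenticate` header, which HTTP requires on a 401 response; since this page is a form-login prompt rather than an authentication challenge, a 403 status or a redirect to the login action is the conventional fit. If 401 is kept deliberately, a comment such as `<%-- 401 marks "not logged in"; no challenge header is sent, the user follows the link below --%>` would record the choice for the next maintainer. The status must also be set before any output reaches the client, which appears to hold here because the scriptlet precedes the DOCTYPE and the page buffer has not been flushed.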