Skip to content

Commit

Permalink
fixes for user permissions (#892)
Browse files Browse the repository at this point in the history
  • Loading branch information
Frooodle authored Mar 9, 2024
1 parent 82c4e9c commit 121af05
Show file tree
Hide file tree
Showing 12 changed files with 163 additions and 152 deletions.
5 changes: 3 additions & 2 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
curl \
openjdk17-jre \
su-exec \
shadow \
# Doc conversion
libreoffice@testing \
# OCR MY PDF (unpaper for descew and other advanced featues)
Expand All @@ -52,8 +53,8 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
chmod +x /scripts/init.sh && \
# User permissions
addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \
chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto /configs /customFiles /pipeline && \
chown stirlingpdfuser:stirlingpdfgroup /app.jar
chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto /configs /customFiles /pipeline && \
chown stirlingpdfuser:stirlingpdfgroup /app.jar

EXPOSE 8080

Expand Down
2 changes: 2 additions & 0 deletions Dockerfile-lite
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,10 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
tini \
bash \
curl \
gcc \
openjdk17-jre \
su-exec \
shadow \
# Doc conversion
libreoffice@testing \
# python and pip
Expand Down
1 change: 1 addition & 0 deletions Dockerfile-ultra-lite
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ RUN mkdir /configs /logs /customFiles && \
bash \
curl \
su-exec \
shadow \
openjdk17-jre && \
echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories && \
echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories && \
Expand Down
2 changes: 1 addition & 1 deletion build.gradle
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ plugins {
import com.github.jk1.license.render.*

group = 'stirling.software'
version = '0.22.0'
version = '0.22.1'
sourceCompatibility = '17'

repositories {
Expand Down
3 changes: 3 additions & 0 deletions exampleYmlFiles/docker-compose-latest-security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ services:
environment:
DOCKER_ENABLE_SECURITY: "true"
SECURITY_ENABLELOGIN: "true"
PUID: 1002
GGID: 1002
UMASK: "022"
SYSTEM_DEFAULTLOCALE: en-US
UI_APPNAME: Stirling-PDF
UI_HOMEDESCRIPTION: Demo site for Stirling-PDF Latest with Security
Expand Down
7 changes: 3 additions & 4 deletions scripts/init-without-ocr.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,19 +5,18 @@ if [ ! -z "$PUID" ] && [ "$PUID" != "$(id -u stirlingpdfuser)" ]; then
usermod -o -u "$PUID" stirlingpdfuser
fi

if [ ! -z "$PGID" ] && [ "$PGID" != "$(id -g stirlingpdfgroup)" ]; then
if [ ! -z "$PGID" ] && [ "$PGID" != "$(getent group stirlingpdfgroup | cut -d: -f3)" ]; then
groupmod -o -g "$PGID" stirlingpdfgroup
fi
umask "$UMASK"

echo "Setting permissions and ownership for necessary directories..."
chown -R stirlingpdfuser:stirlingpdfgroup /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar
chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar
if [[ "$INSTALL_BOOK_AND_ADVANCED_HTML_OPS" == "true" ]]; then
apk add --no-cache calibre@testing
fi


/scripts/download-security-jar.sh

# Run the main command
Expand Down
8 changes: 4 additions & 4 deletions scripts/init.sh
Original file line number Diff line number Diff line change
Expand Up @@ -13,20 +13,20 @@ if [ -d /usr/share/tesseract-ocr/5/tessdata ]; then
cp -r /usr/share/tesseract-ocr/5/tessdata/* /usr/share/tessdata || true;
fi


# Update the user and group IDs as per environment variables
if [ ! -z "$PUID" ] && [ "$PUID" != "$(id -u stirlingpdfuser)" ]; then
usermod -o -u "$PUID" stirlingpdfuser
fi

if [ ! -z "$PGID" ] && [ "$PGID" != "$(id -g stirlingpdfgroup)" ]; then

if [ ! -z "$PGID" ] && [ "$PGID" != "$(getent group stirlingpdfgroup | cut -d: -f3)" ]; then
groupmod -o -g "$PGID" stirlingpdfgroup
fi
umask "$UMASK"

echo "Setting permissions and ownership for necessary directories..."
chown -R stirlingpdfuser:stirlingpdfgroup /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
chown -R stirlingpdfuser:stirlingpdfgroup $HOME /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar
chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles /pipeline /app.jar



Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,5 @@ private boolean isDemoUser(String username) {
return user.isPresent()
&& user.get().getAuthorities().stream()
.anyMatch(authority -> "ROLE_DEMO_USER".equals(authority.getAuthority()));

}
}
Original file line number Diff line number Diff line change
Expand Up @@ -66,10 +66,11 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
sessionManagement ->
sessionManagement
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
.maximumSessions(3)
.maxSessionsPreventsLogin(true)
.maximumSessions(10)
.maxSessionsPreventsLogin(false)
.sessionRegistry(sessionRegistry())
.expiredUrl("/login?logout=true"));

http.formLogin(
formLogin ->
formLogin
Expand All @@ -92,8 +93,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
.addLogoutHandler(
(request, response, authentication) -> {
HttpSession session =
request.getSession(
false);
request.getSession(false);
if (session != null) {
String sessionId = session.getId();
sessionRegistry()
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -56,8 +56,8 @@ public String register(@ModelAttribute UsernameAndPass requestModel, Model model
@PostMapping("/change-username")
public RedirectView changeUsername(
Principal principal,
@RequestParam String currentPassword,
@RequestParam String newUsername,
@RequestParam(name = "currentPassword") String currentPassword,
@RequestParam(name = "newUsername") String newUsername,
HttpServletRequest request,
HttpServletResponse response,
RedirectAttributes redirectAttributes) {
Expand Down Expand Up @@ -95,8 +95,8 @@ public RedirectView changeUsername(
@PostMapping("/change-password-on-login")
public RedirectView changePasswordOnLogin(
Principal principal,
@RequestParam String currentPassword,
@RequestParam String newPassword,
@RequestParam(name = "currentPassword") String currentPassword,
@RequestParam(name = "newPassword") String newPassword,
HttpServletRequest request,
HttpServletResponse response,
RedirectAttributes redirectAttributes) {
Expand Down Expand Up @@ -128,8 +128,8 @@ public RedirectView changePasswordOnLogin(
@PostMapping("/change-password")
public RedirectView changePassword(
Principal principal,
@RequestParam String currentPassword,
@RequestParam String newPassword,
@RequestParam(name = "currentPassword") String currentPassword,
@RequestParam(name = "newPassword") String newPassword,
HttpServletRequest request,
HttpServletResponse response,
RedirectAttributes redirectAttributes) {
Expand Down Expand Up @@ -180,9 +180,9 @@ public String updateUserSettings(HttpServletRequest request, Principal principal
@PreAuthorize("hasRole('ROLE_ADMIN')")
@PostMapping("/admin/saveUser")
public RedirectView saveUser(
@RequestParam String username,
@RequestParam String password,
@RequestParam String role,
@RequestParam(name = "username") String username,
@RequestParam(name = "password") String password,
@RequestParam(name = "role") String role,
@RequestParam(name = "forceChange", required = false, defaultValue = "false")
boolean forceChange) {

Expand All @@ -207,7 +207,8 @@ public RedirectView saveUser(

@PreAuthorize("hasRole('ROLE_ADMIN')")
@PostMapping("/admin/deleteUser/{username}")
public RedirectView deleteUser(@PathVariable String username, Authentication authentication) {
public RedirectView deleteUser(
@PathVariable(name = "username") String username, Authentication authentication) {

if (!userService.usernameExists(username)) {
return new RedirectView("/addUsers?messageType=deleteUsernameExists");
Expand Down
Loading

0 comments on commit 121af05

Please sign in to comment.