Well, that took a while to track down. Both the permissions check and the validation need to be done on the body, not the client.
git-svn-id: svn+ssh://src.earth.threerings.net/narya/trunk@6311 542714f4-19e9-0310-aa3c-eee0fc999fb1
This commit is contained in:
@@ -103,7 +103,7 @@ public class SpeakHandler
|
||||
|
||||
// ensure that the speaker is valid
|
||||
if ((mode == ChatCodes.BROADCAST_MODE) ||
|
||||
(_validator != null && !_validator.isValidSpeaker(_speakObj, caller, mode))) {
|
||||
(_validator != null && !_validator.isValidSpeaker(_speakObj, source, mode))) {
|
||||
log.warning("Refusing invalid speak request", "caller", caller.who(),
|
||||
"speakObj", _speakObj.which(), "message", message, "mode", mode);
|
||||
|
||||
|
||||
@@ -21,25 +21,30 @@
|
||||
|
||||
package com.threerings.crowd.data;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Singleton;
|
||||
|
||||
import com.threerings.presents.data.ClientObject;
|
||||
import com.threerings.presents.data.Permission;
|
||||
import com.threerings.presents.data.PermissionPolicy;
|
||||
|
||||
import com.threerings.crowd.chat.data.ChatCodes;
|
||||
import com.threerings.crowd.server.BodyLocator;
|
||||
|
||||
/**
|
||||
* Implements some Crowd permissions.
|
||||
*/
|
||||
@Singleton
|
||||
public class CrowdPermissionPolicy extends PermissionPolicy
|
||||
{
|
||||
@Override // from PermissionPolicy
|
||||
public String checkAccess (ClientObject clobj, Permission perm, Object context)
|
||||
{
|
||||
if (!(clobj instanceof BodyObject)) {
|
||||
BodyObject body = _locator.forClient(clobj);
|
||||
if (body == null) {
|
||||
return super.checkAccess(clobj, perm, context);
|
||||
}
|
||||
|
||||
BodyObject body = (BodyObject)clobj;
|
||||
if (perm == ChatCodes.BROADCAST_ACCESS) {
|
||||
return body.getTokens().isAdmin() ? null : ACCESS_DENIED;
|
||||
} else if (perm == ChatCodes.CHAT_ACCESS) {
|
||||
@@ -48,4 +53,6 @@ public class CrowdPermissionPolicy extends PermissionPolicy
|
||||
return super.checkAccess(clobj, perm, context);
|
||||
}
|
||||
}
|
||||
|
||||
@Inject protected transient BodyLocator _locator;
|
||||
}
|
||||
|
||||
@@ -21,6 +21,10 @@
|
||||
|
||||
package com.threerings.crowd.server;
|
||||
|
||||
import com.google.inject.Inject;
|
||||
import com.google.inject.Injector;
|
||||
import com.google.inject.Singleton;
|
||||
|
||||
import com.threerings.presents.data.ClientObject;
|
||||
import com.threerings.presents.data.PermissionPolicy;
|
||||
import com.threerings.presents.server.ClientLocal;
|
||||
@@ -32,6 +36,7 @@ import com.threerings.crowd.data.CrowdPermissionPolicy;
|
||||
/**
|
||||
* Used to configure crowd-specific client object data.
|
||||
*/
|
||||
@Singleton
|
||||
public class CrowdClientResolver extends ClientResolver
|
||||
{
|
||||
@Override // from ClientResolver
|
||||
@@ -49,6 +54,8 @@ public class CrowdClientResolver extends ClientResolver
|
||||
@Override // from ClientResolver
|
||||
public PermissionPolicy createPermissionPolicy ()
|
||||
{
|
||||
return new CrowdPermissionPolicy();
|
||||
return _injector.getInstance(CrowdPermissionPolicy.class);
|
||||
}
|
||||
|
||||
@Inject protected Injector _injector;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user