

Rev 56 → Rev 57

/MentaRefApp/trunk/src/main/java/org/menta/AppManager.java
20,6 → 20,7
import org.mentawai.db.ConnectionHandler;
import org.mentawai.db.mysql.MySQLBoneCPConnectionHandler;
import org.mentawai.filter.AuthenticationFilter;
import org.mentawai.filter.BlacklistParamFilter;
import org.mentawai.filter.ExceptionFilter;
import org.mentawai.filter.MentaContainerFilter;
import org.mentawai.filter.TransactionFilter;
144,6 → 145,7
action("/User", UserAction.class, "edit")
.comeBackAfterLogin()
.authorize(Group.ADMIN, Group.MASTER)
.filter(new BlacklistParamFilter("id")) // project against param injection
.on(ERROR, fwd("/jsp/user/edit.jsp"))
.on(SHOW, fwd("/jsp/user/edit.jsp"))
.on(UPDATED, redir("/jsp/index.jsp"));
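Review bot: Denying only `id` is a thin mass-assignment control for the "edit" mapping: `input.inject(newUser)` in UserAction will still bind any other request parameter whose name matches a User property (presumably via setters), so if User carries a group, role or password field a crafted form post would still set it — confirm against the User class, which is not visible here. The more robust shape is an allow-list of the fields the edit form is actually meant to change (an allow-list filter if the framework provides one, otherwise explicit setter calls in the action), with the blacklist kept only as a second layer. The new comment has a typo and should read `// protect against param injection`. The method holding this action-mapping chain starts and ends outside the hunk, so filter ordering relative to other mappings cannot be checked from here.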
/MentaRefApp/trunk/src/main/java/org/menta/action/UserAction.java
156,17 → 156,13
} else {
int id = input.getInt("id");
User sessionUser = getSessionObj();
if (id != sessionUser.getId()) {
throw new SecurityException("You can only update your own id!");
}
int id = sessionUser.getId();
User newUser = userDAO.load(id);
User newUser = userDAO.load(id); // load a fresh new one
input.inject(newUser);
input.inject(newUser); // BlacklistParamFilter should be used here to project against malicious param injection (see AppManager)
userDAO.update(newUser);
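Review bot: After the rewrite the only thing keeping a client-supplied `id` out of `input.inject(newUser)` is the BlacklistParamFilter configured in a different file for the "edit" mapping; any other mapping that reaches this method, or a later config change, silently loses that guard and `userDAO.update(newUser)` would then persist to whichever row the injected id names. Keep a check in the method itself as defense in depth, e.g. `if (newUser.getId() != id) { throw new SecurityException("id must not be changed by request parameters"); }` placed between the inject and the update. The comment should also say `// protect against malicious param injection` rather than "project". The hunk header reports 17 → 13 lines but fewer are visible and the enclosing method starts outside the hunk, so the surrounding branch and its null handling of `getSessionObj()` cannot be judged from here.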
/MentaRefApp/trunk/pom.xml
45,7 → 45,7
<dependency>
<groupId>me.soliveirajr</groupId>
<artifactId>mentawai</artifactId>
<version>2.5.3</version>
<version>2.5.4-SNAPSHOT</version>
</dependency>
 
</dependencies>