added security for stats and context parameter

Author: FreakyBytes

src/main/java/de/unirostock/sems/cbarchive/web/Fields.java

@@ -160,6 +160,22 @@ else if (desiredLogLevel.equals ("NONE"))
 		// max stats age
 		STATS_MAX_AGE = parseLong( context.getInitParameter("MAX_STATS_AGE"), STATS_MAX_AGE );
 
+		// public stats
+		String statsPublic = context.getInitParameter("STATS_PUBLIC");
+		if( statsPublic != null && statsPublic.isEmpty() == false ) {
+			statsPublic = statsPublic.toLowerCase();
+			if( statsPublic.equals("true") || statsPublic.equals("1") )
+				STATS_PUBLIC = true;
+			else
+				STATS_PUBLIC = false;
+		}
+		
+		String statsSecret = context.getInitParameter("STATS_SECRET");
+		if( statsSecret != null && statsSecret.isEmpty() == false )
+			STATS_SECRET = statsSecret;
+		else
+			STATS_SECRET = null;
+		
 		// feedback Url
 		String feedbackUrl = context.getInitParameter("FEEDBACK_URL");
 		if( feedbackUrl != null && feedbackUrl.isEmpty() == true )

src/main/java/de/unirostock/sems/cbarchive/web/rest/RestApi.java

@@ -189,6 +189,7 @@ public Response getStats( @CookieParam(Fields.COOKIE_PATH) String userPath, @Que
 			return buildErrorResponse(500, null, "user not creatable!", e.getMessage() );
 		}
 
+		// only fetch user stats, if they are avialable
 		StatisticData stats = null;
 		if( user != null )
 			stats = QuotaManager.getInstance().getUserStats(user);
@@ -198,6 +199,10 @@ public Response getStats( @CookieParam(Fields.COOKIE_PATH) String userPath, @Que
 		// if secret is corret -> enable full stats
 		if( secret != null && Fields.STATS_SECRET != null && secret.equals(Fields.STATS_SECRET) )
 			stats.setFullStats(true);
+		else if( Fields.STATS_PUBLIC == false ) {
+			// stats are not public and no secret was provided
+			return buildErrorResponse(400, user, "no or wrong secret was provided.", "public stats are disabled");
+		}
 
 		return buildResponse(200, user).entity(stats).build();
 	}

src/main/webapp/WEB-INF/Index.jsp

@@ -74,12 +74,12 @@
 			<div class="nav-container">
 				<small>The current workspace contains the following archives:</small>
 				<div style="clear: both;"></div>
-				<ul id="nav-workspace" style="float: left; width: 65%;">
+				<ul id="nav-workspace">
 					{{#	_.each(entries, function(entry) { }}
 					<li><a class="mainLinks archive-link archives" data-linktype="archive" data-archiveid="{{# print(entry.id); }}" id="nav-archivelink-{{# print(entry.id); }}" title="Archive {{# print(escape(entry.name)); }} in current Workspace">{{# print(escape(entry.name)); }}</a></li>
 					{{# }); }}
 				</ul>
-				<ul id="nav-main" style="float: right; width: 34%;">
+				<ul id="nav-main">
 					<li><a class="mainLinks command-link highlight" data-linktype="page" data-page="start-page" id="nav-startlink">start</a></li>
 					<li><a class="mainLinks command-link" data-linktype="page" data-page="about-page" id="nav-aboutlink">about</a></li>
 					<% if( Fields.STATS_PUBLIC ) { %>

src/main/webapp/WEB-INF/web.xml

@@ -32,18 +32,28 @@
 		<description>sets the persistent storage directory.</description>
 	</context-param>
 
+	<context-param>
+		<param-name>FEEDBACK_URL</param-name>
+		<param-value>https://sems.uni-rostock.de/trac/combinearchive-web/newticket?from=WEBCAT-INTERFACE</param-value>
+	</context-param>
+	
+	<context-param>
+		<param-name>SEDML_WEBTOOLS</param-name>
+		<param-value></param-value>
+	</context-param>
+	
 	<context-param>
 		<param-name>MAX_STATS_AGE</param-name>
 		<param-value>180</param-value>
 	</context-param>
 
 	<context-param>
-		<param-name>FEEDBACK_URL</param-name>
-		<param-value>https://sems.uni-rostock.de/trac/combinearchive-web/newticket?from=WEBCAT-INTERFACE</param-value>
+		<param-name>STATS_PUBLIC</param-name>
+		<param-value>true</param-value>
 	</context-param>
 
 	<context-param>
-		<param-name>SEDML_WEBTOOLS</param-name>
+		<param-name>STATS_SECRET</param-name>
 		<param-value></param-value>
 	</context-param>
 

src/main/webapp/res/css/css.css

@@ -98,6 +98,16 @@ nav .highlight
 	font-weight: bold;
 }
 
+#nav-workspace {
+	float: left;
+	width: 65%;
+}
+#nav-main {
+	float: right;
+	width: calc(35% - 5px);
+	text-align: right;
+}
+
 div.nav-container
 {
 	background-color: #fafafa;

src/main/webapp/res/js/models.js

@@ -2037,6 +2037,8 @@ var StatsView = Backbone.View.extend({
 			return;
 
 		this.timeout = null;
+		messageView.removeMessages("stats-error");
+		
 		var self = this;
 		this.model.fetch({
 			success: function(model, response, options) {
@@ -2047,9 +2049,9 @@ var StatsView = Backbone.View.extend({
 			error: function(model, response, options) {
 				self.$el.fadeOut();
 				if( response.responseJSON !== undefined && response.responseJSON.status == "error" )
-					messageView.error("Error while fetching stats", response.responseJSON.errors);
+					messageView.error("Error while fetching stats", response.responseJSON.errors, "stats-error");
 				else
-					messageView.error("Error while fetching stats!");
+					messageView.error("Error while fetching stats!", "stats-error");
 
 			}
 		});

src/main/webapp/res/js/router.js

@@ -15,12 +15,13 @@ var PageRouter = Backbone.Router.extend({
 		// init views
 		workspaceArchives = new ArchiveCollection();
 		navigationView = new NavigationView({ collection: workspaceArchives });
+		messageView = new MessageView();
+		
 		archiveView = new ArchiveView();
 		startView = new StartView();
 		createView = new CreateView();
 		statsView = new StatsView();
 		aboutView = new AboutView();
-		messageView = new MessageView();
 
 		workspaceArchives.once("sync", function(eventName) {
 			Backbone.history.start();