powered by Jive Software

[pull request] plugin: userservice - add new request type: grouplist & usergrouplist

Hello!

I have added 2 new tiny types of request for the userservice plugin on openfire:

  • grouplist: return the list of all groups in the form of xml elements under

  • usergrouplist: return the list of all groups for a specific user in the form of xml elements under

I have made a pull request on github which you can see here.

I am wondering if the first could present a security issue (knowing all the group names) but since the userservice is enabled at will and protected by a passkey and maybe ip adress filtering , it’s okay in my book. Furthermore, it’s rather insignificant since if you get access to userservice, you can delete/add/update users and other stuff.

Thanks for reviewing & considering my pull request

Here’s a copy of the patch:

From 9bdacb5ae3e676cafe68c90259b4aadb50abf213 Mon Sep 17 00:00:00 2001
From: Poko <poko@MacBook-Pro-de-Poko.local>
Date: Sat, 31 May 2014 02:51:42 +0200
Subject: [PATCH] Plugin: user service - add new request type: grouplist & usergrouplist which returns xml with groupnames elements containing all group names or group names of a user. --- src/plugins/userservice/plugin.xml                 |   4 +- .../openfire/plugin/UserServicePlugin.java         |  29 ++++++ .../plugin/userService/UserServiceServlet.java     | 101 ++++++++++++--------- 3 files changed, 91 insertions(+), 43 deletions(-) diff --git a/src/plugins/userservice/plugin.xml b/src/plugins/userservice/plugin.xml
index acacb6d..0827cea 100644
--- a/src/plugins/userservice/plugin.xml
+++ b/src/plugins/userservice/plugin.xml
@@ -5,8 +5,8 @@
     <name>User Service</name>
     <description>Allows administration of users via HTTP requests.</description>
     <author>Justin Hunt</author>
-    <version>1.4.3</version>
-    <date>05/05/2014</date>
+    <version>1.4.4</version>
+    <date>26/05/2014</date>
     <minServerVersion>3.9.0</minServerVersion>
          <adminconsole> diff --git a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
index 478011d..ae98c7e 100644
--- a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
+++ b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
@@ -329,6 +329,35 @@ private User getUser(String username) throws UserNotFoundException {
     }      /**
+    * Returns all group names or an empty collection.
+    * +    */
+    public Collection<String> getAllGroups(){
+        Collection<Group> groups = GroupManager.getInstance().getGroups();
+        Collection<String> groupNames = new ArrayList<String>();
+        for(Group group : groups)
+        {
+            groupNames.add(group.getName());
+        }
+        return groupNames;
+    }
+
+    /**
+    * Returns all group names or an empty collection for specific user
+    * +    */
+    public Collection<String> getUserGroups(String username) throws UserNotFoundException{
+        User user = getUser(username);
+        Collection<Group> groups = GroupManager.getInstance().getGroups(user);
+        Collection<String> groupNames = new ArrayList<String>();
+        for(Group group : groups)
+        {
+            groupNames.add(group.getName());
+        }
+        return groupNames;
+    }
+
+    /**
      * Returns the secret key that only valid requests should know.
      *
      * @return the secret key.
diff --git a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
index 23c32f4..224bf26 100644
--- a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
+++ b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
@@ -120,7 +120,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
          }          // Some checking is required on the username
-        if (username == null){
+        if (username == null && !"grouplist".equals(type)){
             replyError("IllegalArgumentException",response, out);
             return;
         }
@@ -134,47 +134,66 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)        try {
-            username = username.trim().toLowerCase();
-            username = JID.escapeNode(username);
-            username = Stringprep.nodeprep(username);
-            if ("add".equals(type)) {
-                plugin.createUser(username, password, name, email, groupNames);
-                replyMessage("ok",response, out);
-                //imageProvider.sendInfo(request, response, presence);
-            }
-            else if ("delete".equals(type)) {
-                plugin.deleteUser(username);
-                replyMessage("ok",response,out);
-                //xmlProvider.sendInfo(request, response, presence);
-            }
-            else if ("enable".equals(type)) {
-                plugin.enableUser(username);
-                replyMessage("ok",response,out);
-            }
-            else if ("disable".equals(type)) {
-                plugin.disableUser(username);
-                replyMessage("ok",response,out);
-            }
-            else if ("update".equals(type)) {
-                plugin.updateUser(username, password,name,email, groupNames);
-                replyMessage("ok",response,out);
-                //xmlProvider.sendInfo(request, response, presence);
-            }
-            else if ("add_roster".equals(type)) {
-                plugin.addRosterItem(username, item_jid, name, sub, groupNames);
-                replyMessage("ok",response, out);
-            }
-            else if ("update_roster".equals(type)) {
-                plugin.updateRosterItem(username, item_jid, name, sub, groupNames);
-                replyMessage("ok",response, out);
-            }
-            else if ("delete_roster".equals(type)) {
-                plugin.deleteRosterItem(username, item_jid);
-                replyMessage("ok",response, out);
+            if ("grouplist".equals(type)){
+                String message = "";
+                for(String groupname : plugin.getAllGroups())
+                {
+                    message += "<groupname>"+groupname+"</groupname>";
+                }
+                replyMessage(message, response, out);
             }
-            else {
-                Log.warn("The userService servlet received an invalid request of type: " + type);
-                // TODO Do something
+            else
+            {
+                username = username.trim().toLowerCase();
+                username = JID.escapeNode(username);
+                username = Stringprep.nodeprep(username);
+                if ("add".equals(type)) {
+                    plugin.createUser(username, password, name, email, groupNames);
+                    replyMessage("ok",response, out);
+                    //imageProvider.sendInfo(request, response, presence);
+                }
+                else if ("delete".equals(type)) {
+                    plugin.deleteUser(username);
+                    replyMessage("ok",response,out);
+                    //xmlProvider.sendInfo(request, response, presence);
+                }
+                else if ("enable".equals(type)) {
+                    plugin.enableUser(username);
+                    replyMessage("ok",response,out);
+                }
+                else if ("disable".equals(type)) {
+                    plugin.disableUser(username);
+                    replyMessage("ok",response,out);
+                }
+                else if ("update".equals(type)) {
+                    plugin.updateUser(username, password,name,email, groupNames);
+                    replyMessage("ok",response,out);
+                    //xmlProvider.sendInfo(request, response, presence);
+                }
+                else if ("add_roster".equals(type)) {
+                    plugin.addRosterItem(username, item_jid, name, sub, groupNames);
+                    replyMessage("ok",response, out);
+                }
+                else if ("update_roster".equals(type)) {
+                    plugin.updateRosterItem(username, item_jid, name, sub, groupNames);
+                    replyMessage("ok",response, out);
+                }
+                else if ("delete_roster".equals(type)) {
+                    plugin.deleteRosterItem(username, item_jid);
+                    replyMessage("ok",response, out);
+                }
+                if ("usergrouplist".equals(type)){
+                    String message = "";
+                    for(String groupname : plugin.getUserGroups(username))
+                    {
+                        message += "<groupname>"+groupname+"</groupname>";
+                    }
+                    replyMessage(message, response, out);
+                }
+                else {
+                    Log.warn("The userService servlet received an invalid request of type: " + type);
+                    // TODO Do something
+                }
             }
         }
         catch (UserAlreadyExistsException e) {
-- 1.9.3

meneo