Hello!
I have added 2 new tiny types of request for the userservice plugin on openfire:
-
grouplist: return the list of all groups in the form of xml elements under
-
usergrouplist: return the list of all groups for a specific user in the form of xml elements under
I have made a pull request on github which you can see here.
I am wondering whether the first could present a security issue (it exposes all the group names), but since the userservice plugin is enabled only by choice and is protected by a passkey and possibly IP address filtering, it’s okay in my book. Furthermore, the added exposure is minor: anyone who gets access to userservice can already delete/add/update users and do other things.
Thanks for reviewing & considering my pull request
Here’s a copy of the patch:
From 9bdacb5ae3e676cafe68c90259b4aadb50abf213 Mon Sep 17 00:00:00 2001
From: Poko <poko@MacBook-Pro-de-Poko.local>
Date: Sat, 31 May 2014 02:51:42 +0200
Subject: [PATCH] Plugin: user service - add new request type: grouplist & usergrouplist which returns xml with groupnames elements containing all group names or group names of a user.
---
src/plugins/userservice/plugin.xml | 4 +- .../openfire/plugin/UserServicePlugin.java | 29 ++++++ .../plugin/userService/UserServiceServlet.java | 101 ++++++++++++--------- 3 files changed, 91 insertions(+), 43 deletions(-)
diff --git a/src/plugins/userservice/plugin.xml b/src/plugins/userservice/plugin.xml
index acacb6d..0827cea 100644
--- a/src/plugins/userservice/plugin.xml
+++ b/src/plugins/userservice/plugin.xml
@@ -5,8 +5,8 @@
<name>User Service</name>
<description>Allows administration of users via HTTP requests.</description>
<author>Justin Hunt</author>
- <version>1.4.3</version>
- <date>05/05/2014</date>
+ <version>1.4.4</version>
+ <date>26/05/2014</date>
<minServerVersion>3.9.0</minServerVersion>
<adminconsole>
diff --git a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
index 478011d..ae98c7e 100644
--- a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
+++ b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/UserServicePlugin.java
@@ -329,6 +329,35 @@ private User getUser(String username) throws UserNotFoundException {
}
/**
+ * Returns all group names or an empty collection.
+ *
+ */
+ public Collection<String> getAllGroups(){
+ Collection<Group> groups = GroupManager.getInstance().getGroups();
+ Collection<String> groupNames = new ArrayList<String>();
+ for(Group group : groups)
+ {
+ groupNames.add(group.getName());
+ }
+ return groupNames;
+ }
+
+ /**
+ * Returns all group names or an empty collection for specific user
+ *
+ */
+ public Collection<String> getUserGroups(String username) throws UserNotFoundException{
+ User user = getUser(username);
+ Collection<Group> groups = GroupManager.getInstance().getGroups(user);
+ Collection<String> groupNames = new ArrayList<String>();
+ for(Group group : groups)
+ {
+ groupNames.add(group.getName());
+ }
+ return groupNames;
+ }
+
+ /**
* Returns the secret key that only valid requests should know.
*
* @return the secret key.
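Review bot: The Javadoc on the two new methods, getAllGroups and getUserGroups, has no `@param`, `@return` or `@throws` tags, and getUserGroups does not say that an unknown username surfaces as the UserNotFoundException thrown by getUser. I would add `@param username the user whose groups are listed`, `@return the names of the groups, possibly empty` and `@throws UserNotFoundException if the user does not exist`. The name-collecting loop is also duplicated between the two methods; a small private helper taking a `Collection<Group>` would keep them in step. The hunk ends inside the Javadoc of the following method, which is not shown in full.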
diff --git a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
index 23c32f4..224bf26 100644
--- a/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
+++ b/src/plugins/userservice/src/java/org/jivesoftware/openfire/plugin/userService/UserServiceServlet.java
@@ -120,7 +120,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
}
// Some checking is required on the username
- if (username == null){
+ if (username == null && !"grouplist".equals(type)){
replyError("IllegalArgumentException",response, out);
return;
}
@@ -134,47 +134,66 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
try {
- username = username.trim().toLowerCase();
- username = JID.escapeNode(username);
- username = Stringprep.nodeprep(username);
- if ("add".equals(type)) {
- plugin.createUser(username, password, name, email, groupNames);
- replyMessage("ok",response, out);
- //imageProvider.sendInfo(request, response, presence);
- }
- else if ("delete".equals(type)) {
- plugin.deleteUser(username);
- replyMessage("ok",response,out);
- //xmlProvider.sendInfo(request, response, presence);
- }
- else if ("enable".equals(type)) {
- plugin.enableUser(username);
- replyMessage("ok",response,out);
- }
- else if ("disable".equals(type)) {
- plugin.disableUser(username);
- replyMessage("ok",response,out);
- }
- else if ("update".equals(type)) {
- plugin.updateUser(username, password,name,email, groupNames);
- replyMessage("ok",response,out);
- //xmlProvider.sendInfo(request, response, presence);
- }
- else if ("add_roster".equals(type)) {
- plugin.addRosterItem(username, item_jid, name, sub, groupNames);
- replyMessage("ok",response, out);
- }
- else if ("update_roster".equals(type)) {
- plugin.updateRosterItem(username, item_jid, name, sub, groupNames);
- replyMessage("ok",response, out);
- }
- else if ("delete_roster".equals(type)) {
- plugin.deleteRosterItem(username, item_jid);
- replyMessage("ok",response, out);
+ if ("grouplist".equals(type)){
+ String message = "";
+ for(String groupname : plugin.getAllGroups())
+ {
+ message += "<groupname>"+groupname+"</groupname>";
+ }
+ replyMessage(message, response, out);
}
- else {
- Log.warn("The userService servlet received an invalid request of type: " + type);
- // TODO Do something
+ else
+ {
+ username = username.trim().toLowerCase();
+ username = JID.escapeNode(username);
+ username = Stringprep.nodeprep(username);
+ if ("add".equals(type)) {
+ plugin.createUser(username, password, name, email, groupNames);
+ replyMessage("ok",response, out);
+ //imageProvider.sendInfo(request, response, presence);
+ }
+ else if ("delete".equals(type)) {
+ plugin.deleteUser(username);
+ replyMessage("ok",response,out);
+ //xmlProvider.sendInfo(request, response, presence);
+ }
+ else if ("enable".equals(type)) {
+ plugin.enableUser(username);
+ replyMessage("ok",response,out);
+ }
+ else if ("disable".equals(type)) {
+ plugin.disableUser(username);
+ replyMessage("ok",response,out);
+ }
+ else if ("update".equals(type)) {
+ plugin.updateUser(username, password,name,email, groupNames);
+ replyMessage("ok",response,out);
+ //xmlProvider.sendInfo(request, response, presence);
+ }
+ else if ("add_roster".equals(type)) {
+ plugin.addRosterItem(username, item_jid, name, sub, groupNames);
+ replyMessage("ok",response, out);
+ }
+ else if ("update_roster".equals(type)) {
+ plugin.updateRosterItem(username, item_jid, name, sub, groupNames);
+ replyMessage("ok",response, out);
+ }
+ else if ("delete_roster".equals(type)) {
+ plugin.deleteRosterItem(username, item_jid);
+ replyMessage("ok",response, out);
+ }
+ if ("usergrouplist".equals(type)){
+ String message = "";
+ for(String groupname : plugin.getUserGroups(username))
+ {
+ message += "<groupname>"+groupname+"</groupname>";
+ }
+ replyMessage(message, response, out);
+ }
+ else {
+ Log.warn("The userService servlet received an invalid request of type: " + type);
+ // TODO Do something
+ }
}
}
catch (UserAlreadyExistsException e) {
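Review bot: The new `usergrouplist` branch opens with a plain `if` rather than `else if`, so it starts a second if/else chain inside the outer `else` block: after a successful add, delete, enable, disable, update or roster request the trailing `else` still runs and logs "invalid request of type" for a valid type. Changing it to `else if ("usergrouplist".equals(type)){` restores the single chain. Separately, both list branches concatenate group names into the reply markup unescaped, so a group name containing `<` or `&` yields malformed XML or injected elements for whatever client parses the response; escape each name before appending, for example `message += "<groupname>" + StringUtils.escapeForXML(groupname) + "</groupname>";` (assuming `org.jivesoftware.util.StringUtils` is imported in this file, which the hunk does not show). doGet starts and ends outside the hunk.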
-- 1.9.3
meneo