From b4846550c0c545a1447c2b6064b51e09f360ded9 Mon Sep 17 00:00:00 2001
From: pb
Date: Fri, 15 Feb 2008 16:59:50 +0000
Subject: [PATCH] incorporating:
r1649 | chrisg23 | 2007-09-18 11:57:51 +0200 (Di, 18 Sep 2007)
Sourceforge patch 1793030 - small fix to prevent possibility of creating infinite group hierarchy
------------------------------------------------------------------------
r1650 | chrisg23 | 2007-09-18 12:01:35 +0200 (Di, 18 Sep 2007)
Sourceforge patch 1793009 - allow requests to switch back from https to http (eg when user logs out)
git-svn-id: https://svn.libreccm.org/ccm/trunk@22 8810af33-2d31-482b-a856-94f89814c4df
---
 .../arsdigita/ui/admin/GroupSearchForm.java | 3 ++-
 .../src/com/arsdigita/web/SecureFilter.java | 27 ++++++++++++++++++-
 ccm-core/src/com/arsdigita/web/WebConfig.java | 17 ++++++++++++
 .../web/WebConfig_parameter.properties | 4 +++
 4 files changed, 49 insertions(+), 2 deletions(-)
diff --git a/ccm-core/src/com/arsdigita/ui/admin/GroupSearchForm.java b/ccm-core/src/com/arsdigita/ui/admin/GroupSearchForm.java
index d9accab4c..992d057b7 100755
--- a/ccm-core/src/com/arsdigita/ui/admin/GroupSearchForm.java
+++ b/ccm-core/src/com/arsdigita/ui/admin/GroupSearchForm.java
@@ -101,10 +101,11 @@ public class GroupSearchForm extends Form implements FormProcessListener, AdminC
 excludedList.add(subgroups.getGroup().getID());
 }
 GroupCollection supergroups = parent.getAllSupergroups();
- List supergroupsList = new ArrayList();
 while (supergroups.next()) {
 excludedList.add(supergroups.getGroup().getID());
 }
+ // make sure we can't add current group as child of itself!!!
+ excludedList.add(parent.getID());
 if (!excludedList.isEmpty()) {
diff --git a/ccm-core/src/com/arsdigita/web/SecureFilter.java b/ccm-core/src/com/arsdigita/web/SecureFilter.java
index 077a266cb..a7ad8f43f 100755
--- a/ccm-core/src/com/arsdigita/web/SecureFilter.java
+++ b/ccm-core/src/com/arsdigita/web/SecureFilter.java
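Review bot: The self-reference guard `excludedList.add(parent.getID());` only protects the candidate list of this search form, so a cycle can still be created by any other path that adds a subgroup (presumably the Group model itself or an API caller) — if such a path exists, the same check (the group itself plus everything from `getAllSupergroups()`) belongs there too, because an infinite hierarchy is a denial-of-service risk for every traversal of it, not only for this page. The added comment could also explain why the ancestors are excluded alongside the group, e.g. `// exclude the group itself and all its ancestors: adding either as a child would create a cycle`. The enclosing method starts and ends outside this hunk.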
@@ -10,6 +10,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.log4j.Logger;
 import com.arsdigita.util.servlet.HttpHost;
@@ -21,6 +22,8 @@ import com.arsdigita.util.servlet.HttpHost;
 */
 public class SecureFilter implements Filter {
+ private static Logger s_log = Logger.getLogger(SecureFilter.class);
+
 public void init(FilterConfig filterConfig) throws ServletException {
 }
@@ -31,7 +34,8 @@ public class SecureFilter implements Filter {
 HttpServletResponse hresp = (HttpServletResponse) response;
 String uri = hreq.getRequestURI();
 WebConfig conf = Web.getConfig();
- if (conf.isSecureRequired(uri) && !request.isSecure()) {
+ if (conf.isSecureRequired(uri) && !request.isSecure() && !conf.isNonSecureSwitchRequired(uri)) {
+ s_log.debug("uri - " + uri + " should be accessed via https - redirecting");
 StringBuffer secureEquivalent = new StringBuffer("https://");
 HttpHost secureServer = conf.getSecureServer();
 secureEquivalent.append(secureServer.getName());
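Review bot: The new logger field `private static Logger s_log = Logger.getLogger(SecureFilter.class);` should also be `final` — it is assigned once and never reassigned, and a non-final static is writable from anywhere in the class; `private static final Logger s_log = Logger.getLogger(SecureFilter.class);` matches the usual pattern for a per-class logger.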
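Review bot: A URI that matches both `waf.web.secure_required` and `waf.web.secure_switchback` is now served over plain http, because the added `&& !conf.isNonSecureSwitchRequired(uri)` exempts it from the https redirect (and the new else-if branch in the next hunk actively downgrades it). Nothing in the diff says that switch-back is meant to take precedence over secure-required; if it is, a comment on the condition should state it, e.g. `// secure_switchback wins over secure_required: a URI listed in both is always served over http`, and if it is not, the switch-back check should only apply when `isSecureRequired(uri)` is false. `isNonSecureSwitchRequired(uri)` is also evaluated twice per request (here and again in the else-if), so a local `boolean switchBack = conf.isNonSecureSwitchRequired(uri);` before the `if` would avoid the second pattern scan. doFilter's body starts before and continues after this hunk.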
@@ -50,6 +54,27 @@ public class SecureFilter implements Filter {
 .append(queryString);
 }
 hresp.sendRedirect(secureEquivalent.toString());
+ } else if (conf.isNonSecureSwitchRequired(uri) && request.isSecure()) {
+ s_log.debug("uri - " + uri + " triggers a return to http from https - redirecting");
+ StringBuffer nonSecureEquivalent = new StringBuffer("http://");
+ HttpHost standardServer = conf.getServer();
+ nonSecureEquivalent.append(standardServer.getName());
+ int securePort = standardServer.getPort();
+ if (securePort != 80) {
+ nonSecureEquivalent
+ .append(':')
+ .append(securePort);
+ }
+ if (uri != null) {
+ nonSecureEquivalent.append(uri);
+ }
+ String queryString = hreq.getQueryString();
+ if (queryString != null) {
+ nonSecureEquivalent.append('?')
+ .append(queryString);
+ }
+ hresp.sendRedirect(nonSecureEquivalent.toString());
+ } else {
 filterChain.doFilter(request, response);
 }
diff --git a/ccm-core/src/com/arsdigita/web/WebConfig.java b/ccm-core/src/com/arsdigita/web/WebConfig.java
index c5419beb2..70818c2f5 100755
--- a/ccm-core/src/com/arsdigita/web/WebConfig.java
+++ b/ccm-core/src/com/arsdigita/web/WebConfig.java
@@ -66,6 +66,7 @@ public final class WebConfig extends AbstractConfig {
 private final Parameter m_dynamic_host_provider;
 private final Parameter m_deactivate_cache_host_notifications;
 private final Parameter m_secureRequired;
+ private final Parameter m_secureSwitchBack;
 public WebConfig() {
 m_scheme = new DefaultSchemeParameter
@@ -113,6 +114,9 @@ public final class WebConfig extends AbstractConfig {
 m_secureRequired = new StringArrayParameter(
 "waf.web.secure_required", Parameter.OPTIONAL, null);
+ m_secureSwitchBack = new StringArrayParameter (
+ "waf.web.secure_switchback", Parameter.OPTIONAL, null);
+
 m_dynamic_host_provider = new StringParameter
 ("waf.web.dynamic_host_provider", Parameter.OPTIONAL, "");
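Review bot: The https-to-http branch copies the https request's URI and query string verbatim onto a cleartext URL (`nonSecureEquivalent.append(uri)` and `.append(queryString)`), so any query parameter sent to a switch-back URI is re-sent by the browser over plain http; the logout case from the commit message is probably harmless, but the pattern list is operator-configured, so the branch deserves a comment such as `// NOTE: the query string is carried over to http unchanged - switch-back URIs must not take sensitive parameters`. Separately, the new branch is a near-verbatim copy of the https branch above it with the scheme, server and default port swapped, and the copied local kept the name `securePort` although it now holds the non-secure server's port; extracting the URL assembly into one helper removes the duplication and the misleading name, as sketched below (the https branch presumably compares against 443 outside this hunk — confirm before routing it through the same helper). doFilter starts before this hunk and its closing brace is outside it.
```java
        } else if (conf.isNonSecureSwitchRequired(uri) && request.isSecure()) {
            s_log.debug("uri - " + uri + " triggers a return to http from https - redirecting");
            hresp.sendRedirect(buildRedirect("http://", conf.getServer(), 80,
                                             uri, hreq.getQueryString()));
        // … unchanged: else branch with filterChain.doFilter and end of doFilter …

    /**
     * Assembles an absolute redirect target: scheme + host[:port] + uri[?query].
     * The port is omitted when it equals the scheme's default port; uri and
     * queryString may be null and are then left out.
     */
    private static String buildRedirect(String scheme, HttpHost host, int defaultPort,
                                        String uri, String queryString) {
        StringBuffer target = new StringBuffer(scheme).append(host.getName());
        int port = host.getPort();
        if (port != defaultPort) {
            target.append(':').append(port);
        }
        if (uri != null) {
            target.append(uri);
        }
        if (queryString != null) {
            target.append('?').append(queryString);
        }
        return target.toString();
    }
```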
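Review bot: The new `waf.web.secure_switchback` parameter is declared without any indication in the source of what its values mean or how it interacts with `waf.web.secure_required`; the diffstat lists a four-line change to `WebConfig_parameter.properties` that is not shown here, so I cannot tell whether the description lives there. A comment at the declaration would help the next maintainer, e.g. `// URIs that force an https request back to http; presumably the same pattern syntax as waf.web.secure_required (both are StringArrayParameters) - confirm`, and it should state which of the two lists wins when a URI appears in both. Minor: `new StringArrayParameter (` has a space before the parenthesis while the `m_secureRequired` line directly above writes `new StringArrayParameter(`.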
@@ -131,6 +135,7 @@ public final class WebConfig extends AbstractConfig {
 register(m_dynamic_host_provider);
 register(m_deactivate_cache_host_notifications);
 register(m_secureRequired);
+ register(m_secureSwitchBack);
 loadInfo();
 }
@@ -159,6 +164,18 @@ public final class WebConfig extends AbstractConfig {
 return false;
 }
+ public final boolean isNonSecureSwitchRequired(String uri) {
+ String[] switchBack = (String[])get(m_secureSwitchBack);
+ if (switchBack != null) {
+ for (int i=0, n=switchBack.length; i