Don't expose default role

[lgpl/argeo-commons.git] / security / runtime / org.argeo.security.mvc / src / main / java / org / argeo / security / mvc / UsersRolesController.java

diff --git a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
index 8b09b94a5d273571184cdf6fae90c88029a19a58..88dc15589b33732e071d515a2e2385a94e99e7c6 100644 (file)
--- a/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
+++ b/security/runtime/org.argeo.security.mvc/src/main/java/org/argeo/security/mvc/UsersRolesController.java
@@ -9,18 +9,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.argeo.security.ArgeoSecurityService;
 import org.argeo.security.ArgeoUser;
-import org.argeo.security.BasicArgeoUser;
-import org.argeo.security.core.ArgeoUserDetails;
 import org.argeo.server.BooleanAnswer;
-import org.argeo.server.DeserializingEditor;
 import org.argeo.server.ServerAnswer;
 import org.argeo.server.ServerDeserializer;
 import org.argeo.server.mvc.MvcConstants;
-import org.springframework.security.Authentication;
-import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.WebDataBinder;
-import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -34,20 +27,18 @@ public class UsersRolesController implements MvcConstants {
 
        private ServerDeserializer userDeserializer = null;
 
-       @InitBinder
-       public void initBinder(WebDataBinder binder) {
-               binder.registerCustomEditor(BasicArgeoUser.class,
-                               new DeserializingEditor(userDeserializer));
-       }
+       // @InitBinder
+       // public void initBinder(WebDataBinder binder) {
+       // binder.registerCustomEditor(SimpleArgeoUser.class,
+       // new DeserializingEditor(userDeserializer));
+       // }
 
        /* USER */
 
        @RequestMapping("/getCredentials.security")
        @ModelAttribute(ANSWER_MODEL_KEY)
        public ArgeoUser getCredentials() {
-               Authentication authentication = SecurityContextHolder.getContext()
-                               .getAuthentication();
-               return ArgeoUserDetails.asArgeoUser(authentication);
+               return securityService.getSecurityDao().getCurrentUser();
        }
 
        @RequestMapping("/getUsersList.security")
@@ -128,7 +119,25 @@ public class UsersRolesController implements MvcConstants {
        @ModelAttribute(ANSWER_MODEL_KEY)
        public ServerAnswer deleteRole(@RequestParam("role") String role) {
                securityService.getSecurityDao().deleteRole(role);
-               return ServerAnswer.ok("Role " + role + " created");
+               return ServerAnswer.ok("Role " + role + " deleted");
+       }
+
+       @RequestMapping("/updateUserPassword.security")
+       @ModelAttribute(ANSWER_MODEL_KEY)
+       public ServerAnswer updateUserPassword(
+                       @RequestParam("username") String username,
+                       @RequestParam("password") String password) {
+               securityService.updateUserPassword(username, password);
+               return ServerAnswer.ok("Password updated for user " + username);
+       }
+
+       @RequestMapping("/updatePassword.security")
+       @ModelAttribute(ANSWER_MODEL_KEY)
+       public ServerAnswer updatePassword(
+                       @RequestParam("password") String password,
+                       @RequestParam("oldPassword") String oldPassword) {
+               securityService.getSecurityDao().updatePassword(oldPassword, password);
+               return ServerAnswer.ok("Password updated");
        }
 
        protected void cleanUserBeforeCreate(ArgeoUser user) {