Validate tz (#134)

* Validations for things not covered by Struts Validator.

app/pom.xml

@@ -24,7 +24,7 @@ limitations under the License.
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -627,7 +627,7 @@ limitations under the License.
                     <dependency>
                         <groupId>org.apache.roller</groupId>
                         <artifactId>db-utils</artifactId>
-                        <version>6.1.2</version>
+                        <version>6.1.3</version>
                     </dependency>
                     <dependency>
                         <groupId>commons-dbcp</groupId>

app/src/main/java/org/apache/roller/weblogger/business/jpa/JPABookmarkManagerImpl.java

@@ -148,15 +148,14 @@ public void importBookmarks(
 
             WeblogBookmarkFolder newFolder = getFolder(website, folderName);
             if (newFolder == null) {
-                newFolder = new WeblogBookmarkFolder(
-                        folderName, website);
+                newFolder = new WeblogBookmarkFolder(folderName, website);
                 this.strategy.store(newFolder);
             }
 
             // Iterate through children of OPML body, importing each
             Element body = doc.getRootElement().getChild("body");
-            for (Object elem : body.getChildren()) {
-                importOpmlElement((Element) elem, newFolder );
+            for (Element elem : body.getChildren()) {
+                importOpmlElement(elem, newFolder );
             }
         } catch (Exception ex) {
             throw new WebloggerException(ex);
@@ -216,8 +215,8 @@ private void importOpmlElement(
             }
         } else {
             // Import suboutline's children into folder
-            for (Object subelem : elem.getChildren("outline")) {
-                importOpmlElement((Element) subelem, folder );
+            for (Element subelem : elem.getChildren("outline")) {
+                importOpmlElement(subelem, folder );
             }
         }
     }

app/src/main/java/org/apache/roller/weblogger/business/jpa/JPAUserManagerImpl.java

@@ -67,8 +67,8 @@ public void release() {}
     //--------------------------------------------------------------- user CRUD
 
     @Override
-    public void saveUser(User data) throws WebloggerException {
-        this.strategy.store(data);
+    public void saveUser(User user) throws WebloggerException {
+        this.strategy.store(user);
     }
 
 

app/src/main/java/org/apache/roller/weblogger/pojos/User.java

@@ -28,6 +28,7 @@
 import org.apache.roller.util.UUIDGenerator;
 import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.ui.core.RollerContext;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
 
@@ -36,7 +37,7 @@
  */
 public class User implements Serializable {
 
-    public static final long serialVersionUID = -6354583200913127874L;
+    private static final long serialVersionUID = -6354583200913127874L;
 
     private String  id = UUIDGenerator.generateUUID();
     private String  userName;
@@ -60,15 +61,15 @@ public User( String id, String userName,
             String locale, String timeZone,
             Date dateCreated,
             Boolean isEnabled) {
-        //this.id = id;
+
         this.userName = userName;
         this.password = password;
-        this.fullName = fullName;
         this.emailAddress = emailAddress;
         this.dateCreated = (Date)dateCreated.clone();
-        this.locale = locale;
-        this.timeZone = timeZone;
         this.enabled = isEnabled;
+        setFullName(fullName);
+        setLocale(locale);
+        setTimeZone(timeZone);
     }
 
     /**
@@ -91,7 +92,7 @@ public String getUserName() {
     }
 
     public void setUserName( String userName ) {
-        this.userName = userName;
+        this.userName =  HTMLSanitizer.conditionallySanitize(userName);
     }
 
     /**
@@ -128,7 +129,7 @@ public String getOpenIdUrl() {
     }
 
     public void setOpenIdUrl(String openIdUrl) {
-        this.openIdUrl = openIdUrl;
+        this.openIdUrl =  HTMLSanitizer.conditionallySanitize(openIdUrl);
     }
 
     /**
@@ -139,7 +140,7 @@ public String getScreenName() {
     }
 
     public void setScreenName( String screenName ) {
-        this.screenName = screenName;
+        this.screenName =  HTMLSanitizer.conditionallySanitize(screenName);
     }
 
     /**
@@ -150,7 +151,7 @@ public String getFullName() {
     }
 
     public void setFullName( String fullName ) {
-        this.fullName = fullName;
+        this.fullName =  HTMLSanitizer.conditionallySanitize(fullName);
     }
 
     /**
@@ -161,7 +162,7 @@ public String getEmailAddress() {
     }
 
     public void setEmailAddress( String emailAddress ) {
-        this.emailAddress = emailAddress;
+        this.emailAddress =  HTMLSanitizer.conditionallySanitize(emailAddress);
     }
 
 
@@ -185,7 +186,7 @@ public void setDateCreated(final Date date) {
     }
 
     /**
-     * Locale of the user.
+     * Locale of the user, must be valid Java locale.
      */
     public String getLocale() {
         return this.locale;
@@ -196,7 +197,7 @@ public void setLocale(String locale) {
     }
 
     /**
-     * Timezone of the user.
+     * Timezone of the user, must be valid Java timezone.
      */
     public String getTimeZone() {
         return this.timeZone;
@@ -223,7 +224,7 @@ public String getActivationCode() {
     }
 
     public void setActivationCode(String activationCode) {
-        this.activationCode = activationCode;
+        this.activationCode =  HTMLSanitizer.conditionallySanitize(activationCode);
     }
 
 
@@ -239,7 +240,7 @@ public boolean hasGlobalPermissions(List<String> actions) {
             return false;
         }
     }
-    
+
     //------------------------------------------------------- Good citizenship
 
     @Override

app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmark.java

@@ -18,10 +18,12 @@
 
 package org.apache.roller.weblogger.pojos;
 
-import java.io.Serializable;
 import org.apache.commons.lang3.builder.EqualsBuilder;
 import org.apache.commons.lang3.builder.HashCodeBuilder;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
+
+import java.io.Serializable;
 
 
 /**
@@ -56,16 +58,17 @@ public WeblogBookmark(
             String url,
             String feedUrl,
             String image) {
+
+        setName(name);
+        setDescription(desc);
         this.folder = parent;
-        this.name = name;
-        this.description = desc;
         this.url = url;
         this.feedUrl = feedUrl;
         this.image = image;
         folder.addBookmark(this);
         calculatePriority();
     }
-    
+
     //------------------------------------------------------------- Attributes
     public String getId() {
         return this.id;
@@ -92,7 +95,7 @@ public String getName() {
     }
 
     public void setName(String name) {
-        this.name = name;
+        this.name =  HTMLSanitizer.conditionallySanitize(name);
     }
 
     /**
@@ -103,7 +106,7 @@ public String getDescription() {
     }
 
     public void setDescription(String description) {
-        this.description = description;
+        this.description =  HTMLSanitizer.conditionallySanitize(description);
     }
 
     /**
@@ -143,7 +146,7 @@ public String getFeedUrl() {
     public void setFeedUrl(String feedUrl) {
         this.feedUrl = feedUrl;
     }
-    
+
     //---------------------------------------------------------- Relationships
 
     public org.apache.roller.weblogger.pojos.WeblogBookmarkFolder getFolder() {

app/src/main/java/org/apache/roller/weblogger/pojos/WeblogBookmarkFolder.java

@@ -28,6 +28,7 @@
 import org.apache.roller.weblogger.business.BookmarkManager;
 import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.util.UUIDGenerator;
+import org.apache.roller.weblogger.util.HTMLSanitizer;
 
 
 /**
@@ -54,8 +55,8 @@ public WeblogBookmarkFolder(
             String name,
             Weblog weblog) {
 
-        this.name = name;
-        this.weblog = weblog;
+        setName(name);
+        setWeblog(weblog);
         weblog.addBookmarkFolder(this);
     }
 
@@ -132,7 +133,7 @@ public String getName() {
     }
 
     public void setName(String name) {
-        this.name = name;
+        this.name = HTMLSanitizer.conditionallySanitize(name);
     }
 
     /**
@@ -187,5 +188,4 @@ public List<WeblogBookmark> retrieveBookmarks() throws WebloggerException {
         BookmarkManager bmgr = WebloggerFactory.getWeblogger().getBookmarkManager();
         return bmgr.getBookmarks(this);
     }
-
 }

app/src/main/java/org/apache/roller/weblogger/ui/struts2/core/Profile.java

@@ -22,14 +22,18 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.apache.roller.weblogger.WebloggerException;
-import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.business.UserManager;
+import org.apache.roller.weblogger.business.WebloggerFactory;
 import org.apache.roller.weblogger.config.AuthMethod;
 import org.apache.roller.weblogger.config.WebloggerConfig;
 import org.apache.roller.weblogger.pojos.User;
 import org.apache.roller.weblogger.ui.struts2.util.UIAction;
 import org.apache.struts2.interceptor.validation.SkipValidation;
 
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.Optional;
+import java.util.TimeZone;
 
 /**
  * Allows user to edit his/her profile.
@@ -150,6 +154,26 @@ public void myValidate() {
                 addError("generic.error.check.logs");
             }
         }
+
+        // validate that bean's timeZone field is a valid time zone
+        if (!StringUtils.isEmpty(getBean().getTimeZone())) {
+            // looking up the time zone by id did not work for me
+            final Optional<String> first = Arrays.stream(TimeZone.getAvailableIDs())
+                    .filter(id -> id.equals(getBean().getTimeZone())).findFirst();
+            if (first.isEmpty()) {
+                addError("error.add.user.invalid.timezone");
+            }
+        }
+
+        // validate that bean's locale field is a valid locale
+        if (!StringUtils.isEmpty(getBean().getLocale())) {
+            // looking up the time zone by id did not work for me
+            final Optional<Locale> first = Arrays.stream(Locale.getAvailableLocales())
+                    .filter(locale -> locale.toString().equals(getBean().getLocale())).findFirst();
+            if (first.isEmpty() || "".equals(first.get().getDisplayName())) {
+                addError("error.add.user.invalid.locale");
+            }
+        }
     }
 
     public String getAuthMethod() {

app/src/main/java/org/apache/roller/weblogger/ui/struts2/editor/BookmarkEdit.java

@@ -27,7 +27,6 @@
 import org.apache.roller.weblogger.pojos.WeblogBookmark;
 import org.apache.roller.weblogger.ui.struts2.util.UIAction;
 import org.apache.roller.weblogger.util.cache.CacheManager;
-import org.apache.struts2.convention.annotation.AllowedMethods;
 import org.apache.struts2.interceptor.validation.SkipValidation;
 
 

app/src/main/resources/ApplicationResources.properties

@@ -453,6 +453,8 @@ error.add.user.openIdInUse=Open ID already in use with another account.
 error.add.user.missingUserName=You must specify a username.
 error.add.user.badUserName=Invalid user name (must be alpha-numerics only).
 error.add.user.missingPassword=You must specify a password.
+error.add.user.invalid.timezone=Invalid timezone.
+error.add.user.invalid.locale=Invalid locale.
 error.upload.dirmax=You cannot exceed the maximum directory size of {0} MB.
 error.upload.disabled=File Upload has been turned off
 error.upload.file=No file selected

assembly-release/pom.xml

@@ -22,7 +22,7 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 

assembly-release/sign-release.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 export rcstring="r2"
-export vstring="6.1.2"
+export vstring="6.1.3"
 
 # for rc releases we rename the release files
 if [ rcstring != "" ]; then

db-utils/pom.xml

@@ -7,13 +7,13 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
     <name>Apache Roller DB Utilities</name>
     <artifactId>db-utils</artifactId>
-    <version>6.1.2</version>
+    <version>6.1.3</version>
 
     <build>
         <plugins>

it-selenium/pom.xml

@@ -24,7 +24,7 @@
     <parent>
         <groupId>org.apache.roller</groupId>
         <artifactId>roller-project</artifactId>
-        <version>6.1.2</version>
+        <version>6.1.3</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -188,7 +188,7 @@
                     <dependency>
                         <groupId>org.apache.roller</groupId>
                         <artifactId>db-utils</artifactId>
-                        <version>6.1.2</version>
+                        <version>6.1.3</version>
                     </dependency>
                     <dependency>
                         <groupId>commons-dbcp</groupId>