Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java
===================================================================
diff -u -r5b9f590b301c276f8df06b30c26981b0eb634e69 -r399fafea8d30e59f81414f332a7e8a5ed527aee4
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java (.../UserController.java) (revision 5b9f590b301c276f8df06b30c26981b0eb634e69)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserController.java (.../UserController.java) (revision 399fafea8d30e59f81414f332a7e8a5ed527aee4)
@@ -30,6 +30,7 @@
 import java.util.TreeSet;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.apache.commons.beanutils.BeanUtils;
 import org.apache.log4j.Logger;
@@ -143,9 +144,10 @@
 return "error";
 }
+ User user = null;
 // editing a user
 if ((userId != null) && (userId != 0)) {
- User user = (User) userManagementService.findById(User.class, userId);
+ user = (User) userManagementService.findById(User.class, userId);
 log.debug("got userid to edit: " + userId);
 BeanUtils.copyProperties(userForm, user);
 userForm.setPassword(null);
@@ -193,9 +195,14 @@
 userForm.setOrgId(org == null ? null : org.getOrganisationId());
 // appadmins can mark users as required to use two-factor authentication
- if (request.isUserInRole(Role.APPADMIN)) {
+ boolean isAppadmin = request.isUserInRole(Role.APPADMIN);
+ if (isAppadmin) {
 request.setAttribute("isAppadmin", true);
 }
+ if (isAppadmin && (request.isUserInRole(Role.SYSADMIN) || user == null
+ || !userManagementService.hasRoleInOrganisation(user, Role.ROLE_APPADMIN))) {
+ request.setAttribute("canSetTwoFactorAuthentication", true);
+ }
 // Get all available time zones
 List availableTimeZones = timezoneService.getDefaultTimezones();
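Review bot: `canSetTwoFactorAuthentication` in the third hunk (@@ -193,9 +195,14 @@) is only a view hint: an appadmin who is not sysadmin can still post a 2FA value for another appadmin, and nothing in this hunk says where that is stopped (it is the check UserSaveController gains in hunk @@ -194,6 +194,12 @@ of this commit). A comment on the new `if` would spare the next reader the search, e.g. `// view hint only; UserSaveController re-checks and forces 2FA on for appadmins saved by a non-sysadmin`. The three-line condition would also read better with the target's status named once, `boolean targetIsAppadmin = user != null && userManagementService.hasRoleInOrganisation(user, Role.ROLE_APPADMIN);`, reducing the test to `isAppadmin && (request.isUserInRole(Role.SYSADMIN) || !targetIsAppadmin)`. The enclosing handler starts and ends outside the hunk.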
@@ -334,7 +341,7 @@
 request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 return "error";
 }
- UserDTO appadmin = (UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER);
+ Integer currentUserId = getUserId();
 Integer orgId = WebUtil.readIntParam(request, "orgId", true);
 Integer userId = WebUtil.readIntParam(request, "userId");
@@ -348,8 +355,7 @@
 String[] args = new String[1];
 args[0] = userId.toString();
 String message = messageService.getMessage("audit.user.delete", args);
- logEventService.logEvent(LogEvent.TYPE_USER_ORG_ADMIN, appadmin != null ? appadmin.getUserID() : null, userId,
- null, null, message);
+ logEventService.logEvent(LogEvent.TYPE_USER_ORG_ADMIN, currentUserId, userId, null, null, message);
 if ((orgId == null) || (orgId == 0)) {
 return "forward:/usersearch.do";
 } else {
@@ -377,4 +383,9 @@
 return "forward:/disabledmanage.do";
 }
-}
+ private Integer getUserId() {
+ HttpSession ss = SessionManager.getSession();
+ UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER);
+ return user != null ? user.getUserID() : null;
+ }
+}
\ No newline at end of file
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgRoleSaveController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -r399fafea8d30e59f81414f332a7e8a5ed527aee4
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgRoleSaveController.java (.../UserOrgRoleSaveController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgRoleSaveController.java (.../UserOrgRoleSaveController.java) (revision 399fafea8d30e59f81414f332a7e8a5ed527aee4)
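Review bot: The `getUserId()` helper added in hunk @@ -377,4 +383,9 @@ is the same three lines this commit also adds to UserOrgRoleSaveController, and UserRolesSaveController already calls a `getUserId()` of its own; three private copies of the session-to-actor lookup will drift, so it belongs in one shared place (a common controller base or a static helper beside SessionManager). In hunk @@ -348,8 +355,7 @@ the audit call `logEventService.logEvent(LogEvent.TYPE_USER_ORG_ADMIN, currentUserId, userId, null, null, message)` now records whatever the helper returns, so a missing session user would be written as a `null` actor for a user deletion; the authorisation check visible at the top of hunk @@ -334,7 +341,7 @@ presumably makes that unreachable, but an audit entry for a delete without an actor is better refused than stored, e.g. `Objects.requireNonNull(currentUserId, "no authenticated user in session");` (java.util.Objects) before the delete. The enclosing method starts outside the first hunk.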
@@ -25,15 +25,22 @@
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
 import org.apache.log4j.Logger;
 import org.lamsfoundation.lams.admin.web.dto.UserBean;
 import org.lamsfoundation.lams.admin.web.form.UserOrgRoleForm;
+import org.lamsfoundation.lams.security.ISecurityService;
+import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Controller;
@@ -47,18 +54,20 @@
 /**
 * @author jliew
 *
- * Saves roles for users that were just added.
- * Uses session scope because using request scope doesn't copy the form data
- * into UserOrgRoleForm's userBeans ArrayList (the list becomes empty).
+ * Saves roles for users that were just added.
+ * Uses session scope because using request scope doesn't copy the form data
+ * into UserOrgRoleForm's userBeans ArrayList (the list becomes empty).
 */
 @Controller
 @SessionAttributes("userOrgRoleForm")
 public class UserOrgRoleSaveController {
 private static Logger log = Logger.getLogger(UserOrgRoleSaveController.class);
-
+
 @Autowired
 private IUserManagementService userManagementService;
 @Autowired
+ private ISecurityService securityService;
+ @Autowired
 @Qualifier("adminMessageService")
 private MessageService messageService;
@@ -70,6 +79,12 @@
 Integer orgId = userOrgRoleForm.getOrgId();
 log.debug("orgId: " + orgId);
+ Integer rootOrgId = userManagementService.getRootOrganisation().getOrganisationId();
+ boolean isGlobalRolesSet = orgId.equals(rootOrgId);
+ if (isGlobalRolesSet) {
+ securityService.isSysadmin(getUserId(), "add user with global roles", true);
+ }
+
 request.setAttribute("org", orgId);
 request.getSession().removeAttribute("userOrgRoleForm");
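Review bot: `orgId.equals(rootOrgId)` throws NullPointerException when the session-scoped form arrives without an orgId, turning a malformed post into a server error instead of a validation result; `rootOrgId.equals(orgId)` (or `Objects.equals(orgId, rootOrgId)`) is null-safe, and `rootOrgId` comes from `getRootOrganisation()`, which presumably always exists. The guard also depends on the trailing `true` argument of `securityService.isSysadmin(...)` to abort the request, since its return value is discarded; that mirrors the pre-existing call in UserRolesSaveController (hunk @@ -74,14 +74,16 @@), but a comment would make the reliance explicit, e.g. `// global roles belong to the root organisation; isSysadmin(..., true) is expected to reject non-sysadmins before any role is saved`. The check keys off the organisation only, so whether ROLE_SYSADMIN or ROLE_APPADMIN ids posted for a non-root organisation mean anything is left to `setRolesForUserOrganisation`, outside this hunk. The enclosing handler starts and ends outside the hunk.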
@@ -88,16 +103,23 @@
 request.setAttribute("orgId", orgId);
 return "forward:/userorg.do";
 }
- userManagementService.setRolesForUserOrganisation(user, orgId, Arrays.asList(roleIds));
- // FMALIKOFF 5/7/7 Commented out the following code that set the roles in the course if the current org is a class, as the logic
- // is done in service.setRolesForUserOrganisation()
- //if (organisation.getOrganisationType().getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) {
- // if (service.getUserOrganisation(bean.getUserId(), organisation.getParentOrganisation().getOrganisationId())==null) {
- // service.setRolesForUserOrganisation(user, organisation.getParentOrganisation(), (List)Arrays.asList(roleIds));
- // }
- //}
+
+ List userRolesList = Arrays.asList(roleIds);
+ userManagementService.setRolesForUserOrganisation(user, orgId, userRolesList);
+
+ if (userRolesList.contains(Role.ROLE_APPADMIN.toString())
+ && !userRolesList.contains(Role.ROLE_SYSADMIN.toString())) {
+ // appadmin need to have 2FA on, unless sysadmin says otherwise in user edit panels
+ user.setTwoFactorAuthenticationEnabled(true);
+ userManagementService.save(user);
+ }
 }
 return "redirect:/usermanage.do?org=" + orgId;
 }
-}
+ private Integer getUserId() {
+ HttpSession ss = SessionManager.getSession();
+ UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER);
+ return user != null ? user.getUserID() : null;
+ }
+}
\ No newline at end of file
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesSaveController.java
===================================================================
diff -u -rdd60c645ebe32ff15180cff47caa583cb41b7ee1 -r399fafea8d30e59f81414f332a7e8a5ed527aee4
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesSaveController.java (.../UserRolesSaveController.java) (revision dd60c645ebe32ff15180cff47caa583cb41b7ee1)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesSaveController.java (.../UserRolesSaveController.java) (revision 399fafea8d30e59f81414f332a7e8a5ed527aee4)
@@ -74,14 +74,16 @@
 Integer orgId = userRolesForm.getOrgId();
 Integer rootOrgId = userManagementService.getRootOrganisation().getOrganisationId();
- if (orgId.equals(rootOrgId)) {
+ boolean isGlobalRolesSet = orgId.equals(rootOrgId);
+ if (isGlobalRolesSet) {
 securityService.isSysadmin(getUserId(), "save global roles", true);
 }
 if (rolelist == null) {
 rolelist = userManagementService.findAll(Role.class);
 Collections.sort(rolelist);
 }
+ Integer userId = userRolesForm.getUserId();
 String[] roles = userRolesForm.getRoles();
@@ -98,7 +100,7 @@
 MultiValueMap errorMap = new LinkedMultiValueMap<>();
 // user must have at least 1 role
- if (roles == null || roles.length < 1) {
+ if (!isGlobalRolesSet && (roles == null || roles.length < 1)) {
 errorMap.add("roles", messageService.getMessage("error.roles.empty"));
 request.setAttribute("errorMap", errorMap);
 request.setAttribute("rolelist", userManagementService.filterRoles(rolelist,
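Review bot: The block in hunk @@ -88,16 +103,23 @@ that forces `setTwoFactorAuthenticationEnabled(true)` when the new role list holds ROLE_APPADMIN but not ROLE_SYSADMIN is repeated verbatim in UserRolesSaveController (hunk @@ -108,8 +110,16 @@), so the invariant "appadmins who are not sysadmins have 2FA on" holds only as long as every caller remembers to paste it; enforcing it once inside `userManagementService.setRolesForUserOrganisation` (or a helper next to it) would also cover any other path that grants the role. Both copies compare through `Role.ROLE_APPADMIN.toString()`, which is correct only if the posted `roleIds` are the string forms of those constants — worth a comment, e.g. `// roleIds arrive as strings, so compare against the constants' string form`. Minor: `List userRolesList = Arrays.asList(roleIds);` is a raw type; `List<String> userRolesList = Arrays.asList(roleIds);` documents the element type and removes the warning. The enclosing block starts outside the hunk.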
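Review bot: In hunk @@ -98,7 +100,7 @@ of UserRolesSaveController, skipping the "at least one role" check when `isGlobalRolesSet` means an empty submission for the root organisation now reaches `setRolesForUserOrganisation` with `List.of()` (hunk @@ -108,8 +110,16 @@ in the same file), and what that call does with an empty list — clear all global roles, or drop the user's membership — is decided by the service and not visible here. A one-line comment on the new condition would record the intent, e.g. `// global roles may be cleared entirely; in any other organisation a user must keep at least one role`. If clearing global roles is meant to revoke ROLE_APPADMIN, note that the 2FA flag forced on in the following hunk is never switched back off by this path; that looks deliberate but deserves saying in the same comment. The enclosing handler starts and ends outside the hunk.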
@@ -108,8 +110,16 @@
 return "forward:/userroles.do";
 }
- userManagementService.setRolesForUserOrganisation(user, orgId, Arrays.asList(roles));
+ List userRolesList = roles == null || roles.length < 1 ? List.of() : Arrays.asList(roles);
+ userManagementService.setRolesForUserOrganisation(user, orgId, userRolesList);
+ if (userRolesList.contains(Role.ROLE_APPADMIN.toString())
+ && !userRolesList.contains(Role.ROLE_SYSADMIN.toString())) {
+ // appadmin need to have 2FA on, unless sysadmin says otherwise in user edit panels
+ user.setTwoFactorAuthenticationEnabled(true);
+ userManagementService.save(user);
+ }
+
 return "redirect:/usermanage.do?org=" + orgId;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java
===================================================================
diff -u -r5b9f590b301c276f8df06b30c26981b0eb634e69 -r399fafea8d30e59f81414f332a7e8a5ed527aee4
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision 5b9f590b301c276f8df06b30c26981b0eb634e69)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision 399fafea8d30e59f81414f332a7e8a5ed527aee4)
@@ -118,7 +118,7 @@
 UserDTO appadmin = (UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER);
 log.debug("orgId: " + orgId);
- Boolean edit = false;
+ boolean edit = false;
 SupportedLocale locale = (SupportedLocale) userManagementService.findById(SupportedLocale.class, userForm.getLocaleId());
 AuthenticationMethod authenticationMethod = (AuthenticationMethod) userManagementService
@@ -194,6 +194,12 @@
 user.setLocale(locale);
 user.setAuthenticationMethod(authenticationMethod);
+ if (userManagementService.hasRoleInOrganisation(user, Role.ROLE_APPADMIN)
+ && !request.isUserInRole(Role.SYSADMIN)) {
+ // appadmins need to have two factor auths always on, unless sysadmin says otherwise
+ user.setTwoFactorAuthenticationEnabled(true);
+ }
+
 Theme cssTheme = (Theme) userManagementService.findById(Theme.class, userForm.getUserTheme());
 user.setTheme(cssTheme);
Index: lams_admin/web/user.jsp
===================================================================
diff -u -r5b9f590b301c276f8df06b30c26981b0eb634e69 -r399fafea8d30e59f81414f332a7e8a5ed527aee4
--- lams_admin/web/user.jsp (.../user.jsp) (revision 5b9f590b301c276f8df06b30c26981b0eb634e69)
+++ lams_admin/web/user.jsp (.../user.jsp) (revision 399fafea8d30e59f81414f332a7e8a5ed527aee4)
@@ -469,7 +469,7 @@
- + :
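Review bot: The new check in UserSaveController forces 2FA on whenever the saved user holds ROLE_APPADMIN and the caller is not SYSADMIN, which makes it the server-side counterpart of the `canSetTwoFactorAuthentication` view flag this commit adds to UserController, but the hunk does not say so; a comment such as `// server-side rule behind canSetTwoFactorAuthentication in UserController: only a sysadmin may leave 2FA off for an appadmin` would tie the two together. `hasRoleInOrganisation(user, Role.ROLE_APPADMIN)` appears to be evaluated against roles the user already holds, so for a newly created user (`edit` is false in hunk @@ -118,7 +118,7 @@) the rule presumably cannot fire here and relies on the role-save controllers to apply it later — if that is the intent, it belongs in the same comment. The exemption also differs from the one in UserOrgRoleSaveController and UserRolesSaveController, which exempt a target holding ROLE_SYSADMIN rather than a sysadmin caller; that looks intentional but is worth one line. The enclosing method starts and ends outside the hunk.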