Пример #1
0
  /**
   * Gets a session's info. This end point requires authentication and can only be accessed by
   * ROLE_ADMIN users and the owner of the session being browsed.
   *
   * @param sessionHeader The authentication header. Feed into UserSession.resume().
   * @param username The username from the URL.
   * @param sessionId The unique session identifier.
   * @return 200 OK.
   */
  @GET
  @Produces(MediaType.APPLICATION_JSON)
  @Path("{sessionId}")
  public Response getSession(
      @HeaderParam(UserSession.HEADER) String sessionHeader,
      @PathParam("username") String username,
      @PathParam("sessionId") String sessionId)
      throws ApiException {

    SQLConnection sql = SQLConnection.connectDefault();

    UserSession session = null;
    UserSession desired = null;
    try {
      session = UserSession.resume(sql, sessionHeader);
      desired = UserSession.resume(sql, username, sessionId);

      OMUtil.adminOrOwnerCheck(session.getUser(), desired.getUser());

    } finally {
      sql.close();
    }

    UserSessionResponse response = desired.toResponse(ApiStatus.OK);
    return Response.ok(response.serialize()).build();
  }
Пример #2
0
  /**
   * Deletes all of a user's sessions. Requires authentication by the session owner or a ROLE_ADMIN
   * user.
   *
   * @param sessionHeader The authentication information of the caller.
   * @param username The username of the session owner.
   * @return 200 OK.
   */
  @DELETE
  @Produces(MediaType.APPLICATION_JSON)
  public Response deleteAllSessions(
      @HeaderParam(UserSession.HEADER) String sessionHeader, @PathParam("username") String username)
      throws ApiException {

    SQLConnection sql = SQLConnection.connectDefault();

    try {
      UserSession session = UserSession.resume(sql, sessionHeader);

      if (!session.getUser().getUsername().equals(username)
          && !session.getUser().isRole("ROLE_ADMIN")) {
        throw new ApiException(ApiStatus.ACCESS_DENIED);
      }

      UserSession.endAll(sql, username);
    } finally {
      sql.close();
    }

    // TODO: we should probably return the sessions that were killed.
    ApiResponse response = new ApiResponse(ApiStatus.OK);
    return Response.ok(response.serialize()).build();
  }