From b3e3e9bd708a06e3f894a1cc84b55e4926b23bd0 Mon Sep 17 00:00:00 2001
From: catalry <catalry@users.noreply.github.com>
Date: Fri, 21 Feb 2020 14:31:59 +0100
Subject: [PATCH 1/3] solved the 2 firsts

---
 .../controller/AddressBookController.java     | 16 +++----
 .../ec/survey/service/AttendeeService.java    | 44 +++++++++++++------
 .../WEB-INF/views/addressbook/addressbook.jsp |  2 +-
 3 files changed, 39 insertions(+), 23 deletions(-)

diff --git a/src/main/java/com/ec/survey/controller/AddressBookController.java b/src/main/java/com/ec/survey/controller/AddressBookController.java
index 922406944..261a96289 100644
--- a/src/main/java/com/ec/survey/controller/AddressBookController.java
+++ b/src/main/java/com/ec/survey/controller/AddressBookController.java
@@ -1,5 +1,6 @@
 package com.ec.survey.controller;
 
+import com.ec.survey.exception.ForbiddenURLException;
 import com.ec.survey.exception.MessageException;
 import com.ec.survey.model.Paging;
 import com.ec.survey.model.ParticipationGroup;
@@ -70,7 +71,6 @@ public class AddressBookController extends BasicController {
 	@SuppressWarnings("unchecked")
 	@RequestMapping(method = {RequestMethod.GET, RequestMethod.HEAD})
 	public ModelAndView attendees(HttpServletRequest request) throws Exception {
-		
 		User user = sessionService.getCurrentUser(request);		
 		int ownerId;
 		if (user.getGlobalPrivileges().get(GlobalPrivilege.ContactManagement) == 2)
@@ -132,9 +132,7 @@ public ModelAndView attendees(HttpServletRequest request) throws Exception {
     	
     	if (request.getParameter("added") != null)
     	{
-    		Attendee addedContact = attendeeService.get(Integer.parseInt(request.getParameter("added")));
     		result.addObject("added", true);
-    		result.addObject("addedContact", addedContact);
     	} else if (request.getParameter("edited") != null && request.getParameter("edited").length() > 0)
 		{
 			if (!request.getParameter("edited").equalsIgnoreCase("batch"))
@@ -1316,12 +1314,9 @@ public String delete(@RequestParam("id") String id, HttpServletRequest request)
 	@SuppressWarnings("unchecked")
 	@RequestMapping( value = "/editAttendee/{id}", method = {RequestMethod.GET, RequestMethod.HEAD})
 	public ModelAndView edit(@PathVariable("id") String id, HttpServletRequest request) throws Exception {	
-		
 		Attendee attendee = attendeeService.get(Integer.parseInt(id));
-		
 		Paging<Attendee> paging = (Paging<Attendee>) request.getSession().getAttribute("attendees-paging");
 		HashMap<String, String> filter = (HashMap<String, String>) request.getSession().getAttribute("attendees-filter");
-		
 		User user = sessionService.getCurrentUser(request);
 		
 		int ownerId;
@@ -1330,8 +1325,13 @@ public ModelAndView edit(@PathVariable("id") String id, HttpServletRequest reque
     	{
 			ownerId = -1;
     	} else {
-    		ownerId = user.getId();    		
-    	}
+			ownerId = user.getId();  
+			if (attendee.getOwnerId() != ownerId) {
+				if (!attendeeService.getAccessibleAttendees(ownerId, null).contains(ownerId)) {
+					throw new ForbiddenURLException();
+				}
+			}		
+		}
 		
 		paging.setItems(attendeeService.getAttendees(ownerId, filter, paging.getCurrentPage(), paging.getItemsPerPage()));		
  						
diff --git a/src/main/java/com/ec/survey/service/AttendeeService.java b/src/main/java/com/ec/survey/service/AttendeeService.java
index 4334846cd..43e4dd40f 100644
--- a/src/main/java/com/ec/survey/service/AttendeeService.java
+++ b/src/main/java/com/ec/survey/service/AttendeeService.java
@@ -175,22 +175,38 @@ public int getNumberOfAttendees(Integer ownerId, HashMap<String, String> attribu
 		
 		return ConversionTools.getValue(query.uniqueResult());		
 	}
+
+	@Transactional(readOnly = true)
+	@SuppressWarnings("unchecked")
+	public List<Integer> getAccessibleAttendees(Integer ownerId, HashMap<String,String> attributeFilter) throws Exception {
+		Session session = sessionFactory.getCurrentSession();
+		
+		HashMap<String, Object> parameters = new HashMap<>();
+		String sql = getSql(session, ownerId, attributeFilter, parameters, false);
+		
+		SQLQuery query = session.createSQLQuery("SELECT a.ATTENDEE_ID " + sql);
+		sqlQueryService.setParameters(query, parameters);
+
+		@SuppressWarnings("rawtypes")
+		List res = query.list();
+		return res;
+	}
 	
-	private String getSql(Session session, Integer ownerId, Map<String, String> hashMap, HashMap<String, Object> oQueryParameters, boolean onlywritableshares) {
+	private String getSql(Session session, Integer ownerId, Map<String, String> attributeFilter, HashMap<String, Object> oQueryParameters, boolean onlywritableshares) {
 		
 		StringBuilder sql = new StringBuilder("FROM ATTENDEE a");
 		
-		if (hashMap != null && hashMap.size() > 0)
+		if (attributeFilter != null && attributeFilter.size() > 0)
 		{
-			for (String key : hashMap.keySet())
+			for (String key : attributeFilter.keySet())
 			{
-				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner") && !key.equalsIgnoreCase("_csrf") && !key.startsWith("visibleAttendee") && hashMap.get(key) != null && hashMap.get(key).trim().length() > 0)
+				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner") && !key.equalsIgnoreCase("_csrf") && !key.startsWith("visibleAttendee") && attributeFilter.get(key) != null && attributeFilter.get(key).trim().length() > 0)
 				{
 					sql.append(" LEFT OUTER JOIN ATTRIBUTE at ON at.ATTE_ID = a.ATTENDEE_ID ");
 					break;
 				}					
 			}
-			if (hashMap.containsKey("owner") && hashMap.get("owner") != null && hashMap.get("owner").length() > 0)
+			if (attributeFilter.containsKey("owner") && attributeFilter.get("owner") != null && attributeFilter.get("owner").length() > 0)
 			{
 				sql.append(" JOIN USERS u ON u.USER_ID = a.OWNER_ID ");
 			}
@@ -212,15 +228,15 @@ private String getSql(Session session, Integer ownerId, Map<String, String> hash
 		
 		sql.append(" AND a.ATTENDEE_HIDDEN IS NULL");
 		
-		if (hashMap != null && hashMap.size() > 0)
+		if (attributeFilter != null && attributeFilter.size() > 0)
 		{
 			int counter = 0;
-			for (String key : hashMap.keySet())
+			for (String key : attributeFilter.keySet())
 			{
 				if (!key.equalsIgnoreCase("name") && !key.equalsIgnoreCase("email") && !key.equalsIgnoreCase("owner"))
 				try {
 					int intKey = Integer.parseInt(key);
-					String value = hashMap.get(key).trim();
+					String value = attributeFilter.get(key).trim();
 					
 					if (value.length() > 0)
 					{
@@ -234,22 +250,22 @@ private String getSql(Session session, Integer ownerId, Map<String, String> hash
 				}			
 			}
 		
-			if (hashMap.containsKey("name") && hashMap.get("name") != null && hashMap.get("name").length() > 0)
+			if (attributeFilter.containsKey("name") && attributeFilter.get("name") != null && attributeFilter.get("name").length() > 0)
 			{
 				sql.append(" AND a.ATTENDEE_NAME like :name");
-				oQueryParameters.put("name", "%" + hashMap.get("name") + "%");
+				oQueryParameters.put("name", "%" + attributeFilter.get("name") + "%");
 			}
 			
-			if (hashMap.containsKey("email") && hashMap.get("email") != null && hashMap.get("email").length() > 0)
+			if (attributeFilter.containsKey("email") && attributeFilter.get("email") != null && attributeFilter.get("email").length() > 0)
 			{
 				sql.append(" AND a.ATTENDEE_EMAIL like :email");
-				oQueryParameters.put("email", "%" + hashMap.get("email") + "%");
+				oQueryParameters.put("email", "%" + attributeFilter.get("email") + "%");
 			}
 			
-			if (hashMap.containsKey("owner") && hashMap.get("owner") != null && hashMap.get("owner").length() > 0)
+			if (attributeFilter.containsKey("owner") && attributeFilter.get("owner") != null && attributeFilter.get("owner").length() > 0)
 			{
 				sql.append(" AND (u.USER_DISPLAYNAME like :owner OR u.USER_LOGIN like :owner)");
-				oQueryParameters.put("owner", "%" + hashMap.get("owner") + "%");
+				oQueryParameters.put("owner", "%" + attributeFilter.get("owner") + "%");
 			}
 		}
 		
diff --git a/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp b/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
index 984af84f4..9c2c1a8f4 100644
--- a/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
+++ b/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
@@ -881,7 +881,7 @@
 	
 	<c:if test="${added != null}">
 		<script type="text/javascript">
-			showInfo('<spring:message code="label.Contact" />&nbsp;<esapi:encodeForHTML>${addedContact.name}</esapi:encodeForHTML>&nbsp;<spring:message code="message.AttendeeAdded" />');
+			showInfo('<spring:message code="label.Contact" />&nbsp;<spring:message code="message.AttendeeAdded" />');
 		</script>
 	</c:if>
 

From 63e5ed57a2a066f6e7c0b87314d5595cda8f2c16 Mon Sep 17 00:00:00 2001
From: catalry <catalry@users.noreply.github.com>
Date: Fri, 21 Feb 2020 18:02:39 +0100
Subject: [PATCH 2/3] ESURVEY-6660 : last and 3d requirement

---
 .../survey/controller/SettingsController.java | 47 ++++++++++++++-----
 .../ec/survey/model/administration/User.java  | 18 +++++++
 .../WEB-INF/classes/messages_en.properties    |  2 +
 .../WEB-INF/views/addressbook/addressbook.jsp |  2 +
 .../webapp/WEB-INF/views/settings/shares.jsp  |  1 +
 src/main/webapp/resources/js/addressbook.js   |  4 +-
 src/main/webapp/resources/js/shares.js        |  3 ++
 7 files changed, 65 insertions(+), 12 deletions(-)

diff --git a/src/main/java/com/ec/survey/controller/SettingsController.java b/src/main/java/com/ec/survey/controller/SettingsController.java
index d58444924..60d2dd7c4 100644
--- a/src/main/java/com/ec/survey/controller/SettingsController.java
+++ b/src/main/java/com/ec/survey/controller/SettingsController.java
@@ -1,5 +1,6 @@
 package com.ec.survey.controller;
 
+import com.ec.survey.exception.ForbiddenURLException;
 import com.ec.survey.model.administration.GlobalPrivilege;
 import com.ec.survey.model.administration.User;
 import com.ec.survey.model.attendees.Attendee;
@@ -29,6 +30,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
@@ -48,7 +50,7 @@ public class SettingsController extends BasicController {
 	
 	@Resource(name="attendeeService")
 	private AttendeeService attendeeService;
-	
+
 	@Autowired private LocaleResolver localeResolver;
 	
 	@RequestMapping(method = {RequestMethod.GET, RequestMethod.HEAD})
@@ -285,19 +287,42 @@ public ModelAndView shareEdit(@PathVariable String pid, HttpServletRequest reque
 	}
 	
 	@RequestMapping(value = "/userExists", headers="Accept=*/*", method=RequestMethod.GET)
-	public @ResponseBody boolean userExists(HttpServletRequest request, HttpServletResponse response ) {
+	public @ResponseBody boolean userExists(HttpServletRequest request, HttpServletResponse response )
+			throws NotAgreedToTosException, WeakAuthenticationException, ForbiddenURLException {
 		HashMap<String,String[]> parameters = Ucs2Utf8.requestToHashMap(request);
-		
-		String login = parameters.get("login")[0];
-		
-		User user;
-		try {
-			user = administrationService.getUserForLogin(login);			
-		} catch (Exception e) {
-			return false;
+		User userInRequest = sessionService.getCurrentUser(request);
+		User user = administrationService.getUser(userInRequest.getId());
+		Date now = new Date();
+		Date lastAttemptMoment = new Date();
+		if (user.getUserExistsAttemptDate() != null) {
+			lastAttemptMoment = user.getUserExistsAttemptDate();
+		} else {
+			user.setUserExistsAttemptDate(now);
 		}
 		
-		return user != null;
+		long lastAttemptMomentPlusOneHourLong = lastAttemptMoment.getTime() + 1000L * 60L * 60L;
+		Date lastAttemptMomentPlusOneHour = new Date(lastAttemptMomentPlusOneHourLong);
+		int numberOfAttemptsInOneHour = user.getUserExistsAttempts();
+		if (now.after(lastAttemptMomentPlusOneHour)) {
+			// reinit
+			numberOfAttemptsInOneHour = 1;
+			user.setUserExistsAttempts(numberOfAttemptsInOneHour);
+			user.setUserExistsAttemptDate(now);
+		} else {
+			// adding
+			numberOfAttemptsInOneHour += 1;
+			user.setUserExistsAttempts(numberOfAttemptsInOneHour);
+			if (numberOfAttemptsInOneHour > 30) {
+				throw new ForbiddenURLException();
+				// not saving the user since this would overload the Users table
+			}
+		}
+		administrationService.updateUser(user);
+		sessionService.setCurrentUser(request, user);	
+	
+		String login = parameters.get("login")[0];
+		User searchedUser = administrationService.getUserForLogin(login);	
+		return searchedUser != null;
 	}
 	
 	@RequestMapping(value = "/createStaticShare", method = RequestMethod.POST)
diff --git a/src/main/java/com/ec/survey/model/administration/User.java b/src/main/java/com/ec/survey/model/administration/User.java
index 2c3ccb9ea..a4a005748 100644
--- a/src/main/java/com/ec/survey/model/administration/User.java
+++ b/src/main/java/com/ec/survey/model/administration/User.java
@@ -46,6 +46,8 @@ public class User implements java.io.Serializable {
 	private Date validationCodeGeneration;
 	private List<String> departments = new ArrayList<>();
 	private int badLoginAttempts = 0;
+	private int userExistsAttempts = 0;
+	private Date userExistsAttemptDate;
 	private boolean agreedToToS;
 	private Integer lastEditedSurvey;
 	private boolean canCreateSurveys = true;
@@ -271,6 +273,22 @@ public int getBadLoginAttempts() {
 	public void setBadLoginAttempts(Integer badLoginAttempts) {
 		this.badLoginAttempts = badLoginAttempts != null ? badLoginAttempts : 0;
 	}
+
+	@Column(name = "USER_EXISTS_ATTEMPS") 
+	public int getUserExistsAttempts() {
+		return this.userExistsAttempts;
+	}
+	public void setUserExistsAttempts(Integer userExistsAttempts) {
+		this.userExistsAttempts = userExistsAttempts != null ? userExistsAttempts : 0;
+	}
+
+	@Column(name = "USER_EXISTS_ATTEMPT_DATE")
+	public Date getUserExistsAttemptDate() {
+		return userExistsAttemptDate;
+	}	
+	public void setUserExistsAttemptDate(Date userExistsAttemptDate) {
+		this.userExistsAttemptDate = userExistsAttemptDate;
+	}
 	
 	@Column(name = "USER_TOS")
 	public boolean isAgreedToToS() {
diff --git a/src/main/webapp/WEB-INF/classes/messages_en.properties b/src/main/webapp/WEB-INF/classes/messages_en.properties
index 54853e4bb..1d9295cc5 100644
--- a/src/main/webapp/WEB-INF/classes/messages_en.properties
+++ b/src/main/webapp/WEB-INF/classes/messages_en.properties
@@ -142,6 +142,8 @@ error.nouserselected = Please select a user
 error.OwnerNotValid = The selected owner is not a valid user
 error.PasswordWeak = Please choose a password between 8 and 16 characters with at least one digit and one non-alphanumeric character (e.g. !?$%...).
 error.PleaseReload = There was a problem. Please reload the page.
+error.UsersTooOftenAddressBook = You have exceeded the number of contact edits you may perform per hour.
+error.UsersTooOftenShares = You have exceeded the number of shares you may perform per hour.
 error.RequestTranslation = Request for translation failed
 error.ResetCodeInvalid = You did not provide a valid password reset code!
 error.ResetCodeOutdated = This password reset code is not valid anymore! Please request a new one.
diff --git a/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp b/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
index 9c2c1a8f4..d0e1a610a 100644
--- a/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
+++ b/src/main/webapp/WEB-INF/views/addressbook/addressbook.jsp
@@ -16,6 +16,7 @@
 	<script type="text/javascript" src="${contextpath}/resources/js/configure.js?version=<%@include file="../version.txt" %>"></script>
 	<script type="text/javascript" src="${contextpath}/resources/js/jquery.stickytableheaders.js?version=<%@include file="../version.txt" %>"></script>
 	<script type="text/javascript" src="${contextpath}/resources/js/fileuploader.js?version=<%@include file="../version.txt" %>"></script>
+	<script type="text/javascript" src="${contextpath}/resources/js/menu.js?version=<%@include file="../version.txt" %>"></script>
 		
 	<style>
 	    #sortable { list-style-type: none; margin: 0; padding: 0; width: 190px; }
@@ -35,6 +36,7 @@
 	
 	<script type="text/javascript"> 
 		var labelRemoveAttribute = '<spring:message code="label.RemoveAttribute" />';
+		var usersTooOftenAddressBook = '<spring:message code="error.UsersTooOftenAddressBook" />';
 	
 		$(function() {					
 			$("#addressbook-menu-tab").addClass("active");
diff --git a/src/main/webapp/WEB-INF/views/settings/shares.jsp b/src/main/webapp/WEB-INF/views/settings/shares.jsp
index 6fc4a7f94..8d3bb1ce5 100644
--- a/src/main/webapp/WEB-INF/views/settings/shares.jsp
+++ b/src/main/webapp/WEB-INF/views/settings/shares.jsp
@@ -13,6 +13,7 @@
 	<script type="text/javascript" src="${contextpath}/resources/js/shares.js?version=<%@include file="../version.txt" %>"></script>	
 	
 	<script type="text/javascript">
+		var usersTooOftenShares = '<spring:message code="error.UsersTooOftenShares" />';
 		$(function() {					
 			$("#settings-menu-tab").addClass("active");
 			$("#shares-button").removeClass("InactiveLinkButton").addClass("ActiveLinkButton");
diff --git a/src/main/webapp/resources/js/addressbook.js b/src/main/webapp/resources/js/addressbook.js
index 17ad7cf2b..06edfca24 100644
--- a/src/main/webapp/resources/js/addressbook.js
+++ b/src/main/webapp/resources/js/addressbook.js
@@ -784,8 +784,10 @@ function checkOwnerAndSubmit()
 			  data: "login=" + owner,
 			  dataType: 'json',
 			  cache: false,
+			  error: function() {
+				showError(usersTooOftenAddressBook);
+			  },
 			  success: function( exists ) {
-				  
 				  if (exists == true)
 				  {
 					  ok = true;
diff --git a/src/main/webapp/resources/js/shares.js b/src/main/webapp/resources/js/shares.js
index c0bb05d02..e6e62f824 100644
--- a/src/main/webapp/resources/js/shares.js
+++ b/src/main/webapp/resources/js/shares.js
@@ -441,6 +441,9 @@
 				  data: "login=" + recipient,
 				  dataType: 'json',
 				  cache: false,
+				  error: function() {
+					showError(usersTooOftenShares);
+				  },
 				  success: function( exists ) {
 					  
 					  if (exists == true)

From 3610c78113ccbe08f195407e1816b76962a820da Mon Sep 17 00:00:00 2001
From: catalry <catalry@users.noreply.github.com>
Date: Mon, 24 Feb 2020 10:24:31 +0100
Subject: [PATCH 3/3] ESURVEY-6660 : updates as requested

---
 .../controller/AddressBookController.java     |  2 +-
 .../views/addressbook/addressbook-batch.jsp   | 48 ++++++++++---------
 src/main/webapp/resources/js/addressbook.js   |  4 +-
 3 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/src/main/java/com/ec/survey/controller/AddressBookController.java b/src/main/java/com/ec/survey/controller/AddressBookController.java
index 261a96289..bd9c297bb 100644
--- a/src/main/java/com/ec/survey/controller/AddressBookController.java
+++ b/src/main/java/com/ec/survey/controller/AddressBookController.java
@@ -1327,7 +1327,7 @@ public ModelAndView edit(@PathVariable("id") String id, HttpServletRequest reque
     	} else {
 			ownerId = user.getId();  
 			if (attendee.getOwnerId() != ownerId) {
-				if (!attendeeService.getAccessibleAttendees(ownerId, null).contains(ownerId)) {
+				if (!attendeeService.getAccessibleAttendees(ownerId, null).contains(attendee.getId())) {
 					throw new ForbiddenURLException();
 				}
 			}		
diff --git a/src/main/webapp/WEB-INF/views/addressbook/addressbook-batch.jsp b/src/main/webapp/WEB-INF/views/addressbook/addressbook-batch.jsp
index 0c011eca0..c30d4c3bf 100644
--- a/src/main/webapp/WEB-INF/views/addressbook/addressbook-batch.jsp
+++ b/src/main/webapp/WEB-INF/views/addressbook/addressbook-batch.jsp
@@ -89,29 +89,31 @@
 							</c:if>
 
 							<c:forEach items="${attributeNames}" var="attributeName">
-								<tr>
-									<td><esapi:encodeForHTML>${attributeName.name}</esapi:encodeForHTML><input type="hidden" class="existingbatchkey" value="<esapi:encodeForHTMLAttribute>${attributeName.name}</esapi:encodeForHTMLAttribute>" /></td>
-									<td style="width: 250px;"><select class="form-control" onchange="checkAttributeSelection(this)"
-										name="attribute<esapi:encodeForHTMLAttribute>${attributeName.id}</esapi:encodeForHTMLAttribute>">
-											<option value="0" selected="selected">
-												<spring:message code="label.KeepValue" />
-											</option>
-											<option value="-1">
-												<spring:message code="label.ClearValue" />
-											</option>
-											<option value="-2">
-												<spring:message code="label.NewValue" />
-											</option>
-
-											<c:if test="${attributeValues.get(attributeName.id).size() > 0}">
-												<option disabled="disabled">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</option>
-											</c:if>
-
-											<c:forEach items="${attributeValues.get(attributeName.id)}" var="value">
-												<option><esapi:encodeForHTML>${value}</esapi:encodeForHTML></option>
-											</c:forEach>
-									</select></td>
-								</tr>
+								<c:if test="${attributeName.name != 'Owner'}">
+									<tr>
+										<td><esapi:encodeForHTML>${attributeName.name}</esapi:encodeForHTML><input type="hidden" class="existingbatchkey" value="<esapi:encodeForHTMLAttribute>${attributeName.name}</esapi:encodeForHTMLAttribute>" /></td>
+										<td style="width: 250px;"><select class="form-control" onchange="checkAttributeSelection(this)"
+											name="attribute<esapi:encodeForHTMLAttribute>${attributeName.id}</esapi:encodeForHTMLAttribute>">
+												<option value="0" selected="selected">
+													<spring:message code="label.KeepValue" />
+												</option>
+												<option value="-1">
+													<spring:message code="label.ClearValue" />
+												</option>
+												<option value="-2">
+													<spring:message code="label.NewValue" />
+												</option>
+
+												<c:if test="${attributeValues.get(attributeName.id).size() > 0}">
+													<option disabled="disabled">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</option>
+												</c:if>
+
+												<c:forEach items="${attributeValues.get(attributeName.id)}" var="value">
+													<option><esapi:encodeForHTML>${value}</esapi:encodeForHTML></option>
+												</c:forEach>
+										</select></td>
+									</tr>
+								</c:if>
 							</c:forEach>
 
 						</tbody>
diff --git a/src/main/webapp/resources/js/addressbook.js b/src/main/webapp/resources/js/addressbook.js
index 06edfca24..827c4d7ea 100644
--- a/src/main/webapp/resources/js/addressbook.js
+++ b/src/main/webapp/resources/js/addressbook.js
@@ -775,16 +775,18 @@ function checkOwnerAndSubmit()
 			  ok = false;
 		}
 	}
-	
+
 	if (owner != null && owner.trim().length > 0)
 	{				
 		$.ajax({
 			type:'GET',
+			  async: false,
 			  url: contextpath + "/settings/userExists",
 			  data: "login=" + owner,
 			  dataType: 'json',
 			  cache: false,
 			  error: function() {
+				ok = false;
 				showError(usersTooOftenAddressBook);
 			  },
 			  success: function( exists ) {