Merge pull request #95 from ottogroup/metascope-security-bug

Metascope security fix
ottogroup · Jul 1, 2016 · 14fde80 · 14fde80
2 parents f151d91 + 6f41066
commit 14fde80
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/...metascope/src/main/java/org/schedoscope/metascope/conf/ProductionSpringConfiguration.java b/...metascope/src/main/java/org/schedoscope/metascope/conf/ProductionSpringConfiguration.java
@@ -63,10 +63,17 @@ protected void configure(HttpSecurity http) throws Exception {
     if (config.getAuthenticationMethod().equalsIgnoreCase("ldap")) {
       String[] allgroups = appendRolePrefix(config.getAllowedGroups(), config.getAdminGroups());
       String[] adminGroups = appendRolePrefix(config.getAdminGroups());
-      http.authorizeRequests().antMatchers("/", "/?error=cred", "/status/*", "/expired").permitAll().antMatchers("/**")
-          .hasAnyAuthority(allgroups).antMatchers("/admin**").hasAnyAuthority(adminGroups).antMatchers("/admin/")
-          .hasAnyAuthority(adminGroups).antMatchers("/admin/**").hasAnyAuthority(adminGroups).anyRequest()
-          .authenticated().and().formLogin().loginPage("/").failureUrl("/?error=cred").defaultSuccessUrl("/home").and()
+      http.authorizeRequests()
+          .antMatchers("/", "/?error=cred", "/status/*", "/expired").permitAll()
+          .antMatchers("/admin**").hasAnyAuthority(adminGroups)
+          .antMatchers("/admin/").hasAnyAuthority(adminGroups)
+          .antMatchers("/admin/**").hasAnyAuthority(adminGroups)
+          .antMatchers("/**").hasAnyAuthority(allgroups)
+          .anyRequest().authenticated()
+          .and()
+          .formLogin().loginPage("/").failureUrl("/?error=cred")
+          .defaultSuccessUrl("/home")
+          .and()
           .logout().logoutSuccessUrl("/").and().rememberMe().and().exceptionHandling()
           .accessDeniedPage("/accessdenied");
     } else {

diff --git a/schedoscope-metascope/src/main/java/org/schedoscope/metascope/index/SolrQueryExecutor.java b/schedoscope-metascope/src/main/java/org/schedoscope/metascope/index/SolrQueryExecutor.java
@@ -47,6 +47,7 @@
 import org.schedoscope.metascope.service.ViewEntityService;
 import org.schedoscope.metascope.util.URLUtil;
 
+//TODO this class should be refactored..
 public class SolrQueryExecutor {
 
   public static final String ID = "id";
@@ -186,7 +187,7 @@ public SolrQueryResult query(Map<String, String> params) {
     Map<String, List<String>> activeFilterValues = new HashMap<String, List<String>>();
 
     /*
-     * determine on which type is searched for (either 'Table' or 'Partition'
+     * determine on which type is searched for (either 'Table' or 'Partition')
      */
     String typeFilterValue = params.get(TYPE);
     filter.add(new SolrQueryParameter(FILTER_TYPE, TYPE, FilterType.EXCLUSIVE, FacetSort.COUNT));
@@ -284,6 +285,7 @@ public SolrQueryResult query(Map<String, String> params) {
       if (queryFilter.getFacetSort().equals(FacetSort.INDEX)) {
         query.add("f." + queryFilter.getName() + ".facet.sort", "index");
       }
+      query.add("f." + queryFilter.getName() + ".facet.limit", "-1");
     }
 
     /* set facet queries */