send user credentials in the post requests when uploading (instead of…

… get)
Zimbra-Community · Oct 19, 2016 · e3dc19c · e3dc19c
1 parent 6a8f12e
commit e3dc19c
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/extension/src/com/zextras/dav/UploadHandler.java b/extension/src/com/zextras/dav/UploadHandler.java
@@ -117,14 +117,6 @@ public void doPost(
         }
       }
 
-      final DavSoapConnector connector = new DavSoapConnector(
-        userProperties.get(ZimletProperty.DAV_SERVER_NAME),
-        Integer.parseInt(userProperties.get(ZimletProperty.DAV_SERVER_PORT)),
-        userProperties.get(ZimletProperty.DAV_SERVER_PATH),
-        userProperties.get(ZimletProperty.DAV_USER_USERNAME),
-        paramsMap.get("password")
-      );
-
       ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
       //hard coded upload limiit to 1GB
       upload.setSizeMax(1048576000);
@@ -135,6 +127,25 @@ public void doPost(
         List<String> fileNames = new ArrayList<String>();
 
         String reqId = "";
+        String password = "";
+
+        for (FileItem item : items) {
+          if (item.isFormField()) {
+            if (item.getFieldName().equals("password")) {
+              // correlate this file upload session's request and response
+              password = item.getString();
+            }
+          }
+        }
+
+        final DavSoapConnector connector = new DavSoapConnector(
+                userProperties.get(ZimletProperty.DAV_SERVER_NAME),
+                Integer.parseInt(userProperties.get(ZimletProperty.DAV_SERVER_PORT)),
+                userProperties.get(ZimletProperty.DAV_SERVER_PATH),
+                userProperties.get(ZimletProperty.DAV_USER_USERNAME),
+                password
+        );
+
 
         for (FileItem item : items) {
           if (item.isFormField())

diff --git a/zimlet/UploadToDavDialog.js b/zimlet/UploadToDavDialog.js
@@ -51,7 +51,7 @@ UploadToDavDialog.prototype._createUploadHtml = function() {
 
 UploadToDavDialog.prototype.popup = function(folder, callback, loc) {
   var zimletInstance = appCtxt._zimletMgr.getZimletByName('tk_barrydegraaff_owncloud_zimlet').handlerObject;
-  this._uploadForm.action = UploadToDavDialog.UPLOAD_URL + "?path=" + folder + "&password=" + tk_barrydegraaff_owncloud_zimlet_HandlerObject.settings['owncloud_zimlet_password'];
+  this._uploadForm.action = UploadToDavDialog.UPLOAD_URL + "?path=" + folder;
   this._uploadFolder = folder;
   this._uploadCallback = callback;
   var aCtxt = ZmAppCtxt.handleWindowOpener();
@@ -121,7 +121,7 @@ UploadToDavDialog.prototype._addFileInputRow = function() {
 
   var cell1 = row.insertCell(-1);
   cell1.innerHTML = [
-    "<input id='", inputId, "' type='file' multiple name='", ZmUploadDialog.UPLOAD_FIELD_NAME, "' size=30>"
+    "<input id='", inputId, "' type='file' multiple name='", ZmUploadDialog.UPLOAD_FIELD_NAME, "' size=30><input type='hidden' name='password' value='"+  tk_barrydegraaff_owncloud_zimlet_HandlerObject.settings['owncloud_zimlet_password']+"'>"
   ].join("");
 
   var cell2 = row.insertCell(-1);