hide private info on about page

Author: david-blasby

src/web/core/src/main/java/org/geoserver/web/AboutGeoServerPage.html

@@ -2,37 +2,39 @@
   <body>
     <wicket:extend>
       <form>
-       <fieldset class="mt-3">
-         <legend>
-           <wicket:message key="buildInformation">Build Information</wicket:message>
-         </legend>
-         <ul>
-           <li>
-             <label for="version"><wicket:message key="geoserverVersion">Version</wicket:message></label>
-             <span id="version"><wicket:message key="version"></wicket:message></span>
-           </li>
-           <li>
-             <label for="buildRevision"><wicket:message key="gitRevision">Git Revision</wicket:message></label>
-             <span id="buildRevision"><wicket:message key="build.revision"></wicket:message></span>
-           </li>
-           <li>
-             <label for="buildDate"><wicket:message key="buildDate">Build Date</wicket:message></label>
-             <span id="buildDate"><wicket:message key="build.date"></wicket:message></span>
-           </li>
-           <li>
-             <label for="geotoolsInfo"><wicket:message key="geotoolsVersion">GeoTools Version</wicket:message></label>
-             <span id="geotoolsInfo">
-               <span wicket:id="geotoolsVersion"></span> (rev <span wicket:id="geotoolsRevision"></span>)
-             </span>
-           </li>
-           <li>
-             <label for="geowebcacheInfo"><wicket:message key="geowebcacheVersion">GeoWebCache Version</wicket:message></label>
-             <span id="geotoolsInfo">
-               <span wicket:id="geowebcacheVersion"></span> (rev <span wicket:id="geowebcacheRevision"></span>)
-             </span>
-           </li>
-         </ul>
-       </fieldset>
+          <wicket:container wicket:id="privateInfo">
+               <fieldset  class="mt-3">
+                 <legend>
+                   <wicket:message key="buildInformation">Build Information</wicket:message>
+                 </legend>
+                 <ul>
+                   <li>
+                     <label for="version"><wicket:message key="geoserverVersion">Version</wicket:message></label>
+                     <span id="version"><wicket:message key="version"></wicket:message></span>
+                   </li>
+                   <li>
+                     <label for="buildRevision"><wicket:message key="gitRevision">Git Revision</wicket:message></label>
+                     <span id="buildRevision"><wicket:message key="build.revision"></wicket:message></span>
+                   </li>
+                   <li>
+                     <label for="buildDate"><wicket:message key="buildDate">Build Date</wicket:message></label>
+                     <span id="buildDate"><wicket:message key="build.date"></wicket:message></span>
+                   </li>
+                   <li>
+                     <label for="geotoolsInfo"><wicket:message key="geotoolsVersion">GeoTools Version</wicket:message></label>
+                     <span id="geotoolsInfo">
+                       <span wicket:id="geotoolsVersion"></span> (rev <span wicket:id="geotoolsRevision"></span>)
+                     </span>
+                   </li>
+                   <li>
+                     <label for="geowebcacheInfo"><wicket:message key="geowebcacheVersion">GeoWebCache Version</wicket:message></label>
+                     <span id="geotoolsInfo">
+                       <span wicket:id="geowebcacheVersion"></span> (rev <span wicket:id="geowebcacheRevision"></span>)
+                     </span>
+                   </li>
+                 </ul>
+               </fieldset>
+          </wicket:container>
        <fieldset>
            <legend><wicket:message key="moreInformation">More Information</wicket:message></legend>
            <p>

src/web/core/src/main/java/org/geoserver/web/AboutGeoServerPage.java

@@ -6,7 +6,10 @@
 package org.geoserver.web;
 
 import java.util.logging.Level;
+import org.apache.wicket.markup.html.WebMarkupContainer;
 import org.apache.wicket.markup.html.basic.Label;
+import org.geoserver.platform.GeoServerExtensions;
+import org.geoserver.security.GeoServerSecurityManager;
 import org.geotools.util.factory.GeoTools;
 
 /**
@@ -16,11 +19,28 @@
  */
 public class AboutGeoServerPage extends GeoServerBasePage {
 
+    GeoServerSecurityManager getManager() {
+        return GeoServerExtensions.bean(GeoServerSecurityManager.class);
+    }
+
     public AboutGeoServerPage() {
-        add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
-        add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
-        add(new Label("geowebcacheVersion", getGwcVersion()));
-        add(new Label("geowebcacheRevision", getGwcRevision()));
+        // hide info based on if the user is admin or not
+        var privateInfo = new WebMarkupContainer("privateInfo");
+        add(privateInfo);
+
+        var isAdmin = getManager().checkAuthenticationForAdminRole();
+        if (isAdmin) {
+            privateInfo.add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
+            privateInfo.add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
+            privateInfo.add(new Label("geowebcacheVersion", getGwcVersion()));
+            privateInfo.add(new Label("geowebcacheRevision", getGwcRevision()));
+        } else {
+            add(new Label("geotoolsVersion", GeoTools.getVersion().toString()));
+            add(new Label("geotoolsRevision", GeoTools.getBuildRevision()));
+            add(new Label("geowebcacheVersion", getGwcVersion()));
+            add(new Label("geowebcacheRevision", getGwcRevision()));
+            privateInfo.setVisible(false);
+        }
     }
 
     public String getGwcVersion() {

src/web/core/src/test/java/org/geoserver/web/GeoServerAboutPageTest.java

@@ -7,6 +7,8 @@
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 
 import org.apache.wicket.util.tester.TagTester;
 import org.junit.Test;
@@ -26,4 +28,24 @@ public void testLoginFormAction() throws Exception {
                 "http://localhost/context/j_spring_security_check",
                 tagTester.getAttribute("action"));
     }
+
+    /**
+     * The About page should hide the sensitive information (like version info, etc...). This test:
+     * gets the page as a non-admin -> version info should NOT be there gets the page as ADMIN ->
+     * version info SHOULD be there
+     */
+    @Test
+    public void testHideSensitiveInfo() throws Exception {
+        logout();
+        tester.executeUrl("./wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage");
+
+        String responseTxt = tester.getLastResponse().getDocument();
+        assertFalse(responseTxt.contains("geotoolsInfo"));
+
+        login();
+        tester.executeUrl("./wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage");
+
+        responseTxt = tester.getLastResponse().getDocument();
+        assertTrue(responseTxt.contains("geotoolsInfo"));
+    }
 }