Improve Action classes: security enhancements, refactoring, and code quality improvements (#2961)

* Improve Action classes implementation

- Add file path validation in FessAdminAction
- Add URL validation in GoAction
- Fix unsafe Optional.get() calls in LoginAction and ProfileAction
- Refactor verifyCrudMode() to base class (31 files updated)
- Extract permission encoding logic to base class helper method
- Add audit logging for CRUD operations in User, Role, Group, and WebConfig actions
- Improve error messages to be more specific

* Fix Javadoc comment syntax errors

* Fix Javadoc syntax in AdminGroupAction

* Fix compilation errors in Action classes

- Fix VaErrorHook type in verifyCrudMode method
- Add StreamUtil.split static import
- Make encodePermissions method static
- Fix invalid error method in GoAction

* Replace IllegalStateException with proper validation errors

- Replace orElseThrow(IllegalStateException) with session validation
- Redirect to login page when session is not found during password change
- Use throwValidationError with addErrorsLoginError for missing session

---------

Co-authored-by: Claude <[email protected]>

Author: marevol

src/main/java/org/codelibs/fess/app/web/admin/accesstoken/AdminAccesstokenAction.java

@@ -208,7 +208,7 @@ public HtmlResponse createnew() {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return asDetailsHtml().useForm(EditForm.class, op -> {
             op.setup(form -> {
@@ -272,7 +272,7 @@ public HtmlResponse edit(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse create(final CreateForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.CREATE);
+        verifyCrudMode(form.crudMode, CrudMode.CREATE, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getAccessToken(form).ifPresent(entity -> {
@@ -299,7 +299,7 @@ public HtmlResponse create(final CreateForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse update(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.EDIT);
+        verifyCrudMode(form.crudMode, CrudMode.EDIT, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getAccessToken(form).ifPresent(entity -> {
@@ -325,7 +325,7 @@ public HtmlResponse update(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -383,31 +383,11 @@ public static OptionalEntity<AccessToken> getAccessToken(final CreateForm form)
                     op -> op.exclude(Constants.COMMON_CONVERSION_RULE)
                             .exclude(TOKEN, Constants.PERMISSIONS, EXPIRED_TIME)
                             .dateConverter(Constants.DEFAULT_DATETIME_FORMAT, EXPIRES));
-            final PermissionHelper permissionHelper = ComponentUtil.getPermissionHelper();
-            entity.setPermissions(split(form.permissions, "\n").get(stream -> stream.map(s -> permissionHelper.encode(s))
-                    .filter(StringUtil::isNotBlank)
-                    .distinct()
-                    .toArray(n -> new String[n])));
+            entity.setPermissions(encodePermissions(form.permissions));
             return entity;
         });
     }
 
-    // ===================================================================================
-    //                                                                        Small Helper
-    //                                                                        ============
-    /**
-     * Verify the CRUD mode.
-     * @param crudMode The CRUD mode.
-     * @param expectedMode The expected mode.
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     // ===================================================================================
     //                                                                              JSP
     //                                                                           =========

src/main/java/org/codelibs/fess/app/web/admin/badword/AdminBadwordAction.java

@@ -230,7 +230,7 @@ public HtmlResponse edit(final EditForm form) {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return asDetailsHtml().useForm(EditForm.class, op -> {
             op.setup(form -> {
@@ -313,7 +313,7 @@ public HtmlResponse uploadpage() {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse create(final CreateForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.CREATE);
+        verifyCrudMode(form.crudMode, CrudMode.CREATE, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getBadWord(form).ifPresent(entity -> {
@@ -340,7 +340,7 @@ public HtmlResponse create(final CreateForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse update(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.EDIT);
+        verifyCrudMode(form.crudMode, CrudMode.EDIT, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getBadWord(form).ifPresent(entity -> {
@@ -367,7 +367,7 @@ public HtmlResponse update(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -451,19 +451,6 @@ public static OptionalEntity<BadWord> getBadWord(final CreateForm form) {
     // ===================================================================================
     //                                                                        Small Helper
     //                                                                        ============
-    /**
-     * Verify the CRUD mode.
-     * @param crudMode The CRUD mode.
-     * @param expectedMode The expected mode.
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     private String getCsvEncoding() {
         return fessConfig.getCsvFileEncoding();
     }

src/main/java/org/codelibs/fess/app/web/admin/boostdoc/AdminBoostdocAction.java

@@ -208,7 +208,7 @@ public HtmlResponse edit(final EditForm form) {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return asDetailsHtml().useForm(EditForm.class, op -> {
             op.setup(form -> {
@@ -235,7 +235,7 @@ public HtmlResponse details(final int crudMode, final String id) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse create(final CreateForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.CREATE);
+        verifyCrudMode(form.crudMode, CrudMode.CREATE, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getBoostDocumentRule(form).ifPresent(entity -> {
@@ -261,7 +261,7 @@ public HtmlResponse create(final CreateForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse update(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.EDIT);
+        verifyCrudMode(form.crudMode, CrudMode.EDIT, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getBoostDocumentRule(form).ifPresent(entity -> {
@@ -287,7 +287,7 @@ public HtmlResponse update(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -346,22 +346,6 @@ public static OptionalEntity<BoostDocumentRule> getBoostDocumentRule(final Creat
         });
     }
 
-    // ===================================================================================
-    //                                                                        Small Helper
-    //                                                                        ============
-    /**
-     * Verify the CRUD mode.
-     * @param crudMode The CRUD mode.
-     * @param expectedMode The expected mode.
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     // ===================================================================================
     //                                                                              JSP
     //                                                                           =========

src/main/java/org/codelibs/fess/app/web/admin/crawlinginfo/AdminCrawlinginfoAction.java

@@ -177,7 +177,7 @@ protected void searchPaging(final RenderData data, final SearchForm form) {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return crawlingInfoService.getCrawlingInfo(id)
                 .map(entity -> asHtml(path_AdminCrawlinginfo_AdminCrawlinginfoDetailsJsp).useForm(EditForm.class, op -> {
@@ -205,7 +205,7 @@ public HtmlResponse details(final int crudMode, final String id) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse threaddump(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -234,7 +234,7 @@ public HtmlResponse threaddump(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -266,19 +266,6 @@ public HtmlResponse deleteall() {
     // ===================================================================================
     //                                                                        Small Helper
     //                                                                        ============
-    /**
-     * Verify the CRUD mode.
-     * @param crudMode The CRUD mode.
-     * @param expectedMode The expected mode.
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     // ===================================================================================
     //                                                                              JSP
     //                                                                           =========

src/main/java/org/codelibs/fess/app/web/admin/dataconfig/AdminDataconfigAction.java

@@ -253,7 +253,7 @@ public HtmlResponse edit(final EditForm form) {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return asDetailsHtml().useForm(EditForm.class, op -> {
             op.setup(form -> {
@@ -288,7 +288,7 @@ public HtmlResponse details(final int crudMode, final String id) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse create(final CreateForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.CREATE);
+        verifyCrudMode(form.crudMode, CrudMode.CREATE, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getDataConfig(form).ifPresent(entity -> {
@@ -314,7 +314,7 @@ public HtmlResponse create(final CreateForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse update(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.EDIT);
+        verifyCrudMode(form.crudMode, CrudMode.EDIT, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getDataConfig(form).ifPresent(entity -> {
@@ -340,7 +340,7 @@ public HtmlResponse update(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -402,11 +402,7 @@ public static OptionalEntity<DataConfig> getDataConfig(final CreateForm form) {
                     op -> op.exclude(Stream
                             .concat(Stream.of(Constants.COMMON_CONVERSION_RULE), Stream.of(Constants.PERMISSIONS, Constants.VIRTUAL_HOSTS))
                             .toArray(n -> new String[n])));
-            final PermissionHelper permissionHelper = ComponentUtil.getPermissionHelper();
-            entity.setPermissions(split(form.permissions, "\n").get(stream -> stream.map(s -> permissionHelper.encode(s))
-                    .filter(StringUtil::isNotBlank)
-                    .distinct()
-                    .toArray(n -> new String[n])));
+            entity.setPermissions(encodePermissions(form.permissions));
             entity.setVirtualHosts(split(form.virtualHosts, "\n")
                     .get(stream -> stream.filter(StringUtil::isNotBlank).distinct().map(String::trim).toArray(n -> new String[n])));
             return entity;
@@ -440,19 +436,6 @@ protected void registerHandlerNames(final RenderData data) {
     // ===================================================================================
     //                                                                        Small Helper
     //                                                                        ============
-    /**
-     * Verify the CRUD mode.
-     * @param crudMode The CRUD mode.
-     * @param expectedMode The expected mode.
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     // ===================================================================================
     //                                                                              JSP
     //                                                                           =========

src/main/java/org/codelibs/fess/app/web/admin/duplicatehost/AdminDuplicatehostAction.java

@@ -217,7 +217,7 @@ public HtmlResponse edit(final EditForm form) {
     @Execute
     @Secured({ ROLE, ROLE + VIEW })
     public HtmlResponse details(final int crudMode, final String id) {
-        verifyCrudMode(crudMode, CrudMode.DETAILS);
+        verifyCrudMode(crudMode, CrudMode.DETAILS, this::asListHtml);
         saveToken();
         return asHtml(path_AdminDuplicatehost_AdminDuplicatehostDetailsJsp).useForm(EditForm.class, op -> {
             op.setup(form -> {
@@ -245,7 +245,7 @@ public HtmlResponse details(final int crudMode, final String id) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse create(final CreateForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.CREATE);
+        verifyCrudMode(form.crudMode, CrudMode.CREATE, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getDuplicateHost(form).ifPresent(entity -> {
@@ -272,7 +272,7 @@ public HtmlResponse create(final CreateForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse update(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.EDIT);
+        verifyCrudMode(form.crudMode, CrudMode.EDIT, this::asListHtml);
         validate(form, messages -> {}, this::asEditHtml);
         verifyToken(this::asEditHtml);
         getDuplicateHost(form).ifPresent(entity -> {
@@ -299,7 +299,7 @@ public HtmlResponse update(final EditForm form) {
     @Execute
     @Secured({ ROLE })
     public HtmlResponse delete(final EditForm form) {
-        verifyCrudMode(form.crudMode, CrudMode.DETAILS);
+        verifyCrudMode(form.crudMode, CrudMode.DETAILS, this::asListHtml);
         validate(form, messages -> {}, this::asDetailsHtml);
         verifyToken(this::asDetailsHtml);
         final String id = form.id;
@@ -366,23 +366,6 @@ public static OptionalEntity<DuplicateHost> getDuplicateHost(final CreateForm fo
         });
     }
 
-    // ===================================================================================
-    //                                                                        Small Helper
-    //                                                                        ============
-    /**
-     * Verifies that the CRUD mode matches the expected mode.
-     *
-     * @param crudMode the actual CRUD mode
-     * @param expectedMode the expected CRUD mode
-     */
-    protected void verifyCrudMode(final int crudMode, final int expectedMode) {
-        if (crudMode != expectedMode) {
-            throwValidationError(messages -> {
-                messages.addErrorsCrudInvalidMode(GLOBAL, String.valueOf(expectedMode), String.valueOf(crudMode));
-            }, this::asListHtml);
-        }
-    }
-
     // ===================================================================================
     //                                                                              JSP
     //                                                                           =========