diff --git a/jams-common/src/main/java/net/jami/jams/common/servlets/ScopedServlet.java b/jams-common/src/main/java/net/jami/jams/common/servlets/ScopedServlet.java
index ac50808f6f4e6bfb2f95e793f5b3dbfe3d193a1d..7a31733f6323e7b8846f0d170b0a93db934e8b56 100644
--- a/jams-common/src/main/java/net/jami/jams/common/servlets/ScopedServlet.java
+++ b/jams-common/src/main/java/net/jami/jams/common/servlets/ScopedServlet.java
@@ -23,11 +23,11 @@ public abstract class ScopedServlet extends HttpServlet {
 @Override
 protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- if(req.getAttribute("accessLevel") instanceof AccessLevel){
+ if(!(req.getAttribute("accessLevel") instanceof AccessLevel)){
 resp.sendError(403,"No valid access level found!");
 return;
 }
- if(!GET_accessLevels.contains(req.getAttribute("accessLevel"))){
+ if(!GET_accessLevels.contains((AccessLevel) req.getAttribute("accessLevel"))){
 resp.sendError(403,"You do not have enough rights to access this endpoint!");
 return;
 }
@@ -35,11 +35,11 @@ public abstract class ScopedServlet extends HttpServlet {
 @Override
 protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- if(req.getAttribute("accessLevel") instanceof AccessLevel){
+ if(!(req.getAttribute("accessLevel") instanceof AccessLevel)){
 resp.sendError(403,"No valid access level found!");
 return;
 }
- if(!POST_accessLevels.contains(req.getAttribute("accessLevel"))){
+ if(!POST_accessLevels.contains((AccessLevel) req.getAttribute("accessLevel"))){
 resp.sendError(403,"You do not have enough rights to access this endpoint!");
 return;
 }
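Review bot: The new guard is correct (the old `instanceof` test was inverted, so every caller got a 403), but the same two checks are now copy-pasted into doGet, doPost, doPut and doDelete, each reading the `"accessLevel"` attribute three times and casting it for a `contains(Object)` call that needs no cast. An authorization gate that lives in four places will drift; extract it into one private helper and reduce each method to `if (!authorized(req, resp, GET_accessLevels)) return;`. The attribute name is also a bare string literal shared with ApiFilter, so a `public static final String ACCESS_LEVEL_ATTR = "accessLevel";` on this class would let the filter and the servlets agree at compile time. I have assumed the `*_accessLevels` fields are collections of `AccessLevel`; their declarations, and whatever each method does after the checks pass, are outside the hunk.
```java
/** Sends 403 and returns false unless the request carries an AccessLevel contained in allowed. */
private boolean authorized(HttpServletRequest req, HttpServletResponse resp,
                           Collection<AccessLevel> allowed) throws IOException {
    Object level = req.getAttribute(ACCESS_LEVEL_ATTR);
    if (!(level instanceof AccessLevel)) {
        // Attribute is only set by ApiFilter on a valid token; absence means fail closed.
        resp.sendError(403, "No valid access level found!");
        return false;
    }
    if (!allowed.contains(level)) {
        resp.sendError(403, "You do not have enough rights to access this endpoint!");
        return false;
    }
    return true;
}

@Override
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
    if (!authorized(req, resp, GET_accessLevels)) return;
    // … unchanged: remainder of doGet …
}
```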
@@ -47,11 +47,11 @@ public abstract class ScopedServlet extends HttpServlet {
 @Override
 protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- if(req.getAttribute("accessLevel") instanceof AccessLevel){
+ if(!(req.getAttribute("accessLevel") instanceof AccessLevel)){
 resp.sendError(403,"No valid access level found!");
 return;
 }
- if(!PUT_accessLevels.contains(req.getAttribute("accessLevel"))){
+ if(!PUT_accessLevels.contains((AccessLevel) req.getAttribute("accessLevel"))){
 resp.sendError(403,"You do not have enough rights to access this endpoint!");
 return;
 }
@@ -59,11 +59,11 @@ public abstract class ScopedServlet extends HttpServlet {
 @Override
 protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
- if(req.getAttribute("accessLevel") instanceof AccessLevel){
+ if(!(req.getAttribute("accessLevel") instanceof AccessLevel)){
 resp.sendError(403,"No valid access level found!");
 return;
 }
- if(!DELETE_accessLevels.contains(req.getAttribute("accessLevel"))){
+ if(!DELETE_accessLevels.contains((AccessLevel) req.getAttribute("accessLevel"))){
 resp.sendError(403,"You do not have enough rights to access this endpoint!");
 return;
 }
diff --git a/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/SubscriptionServlet.java b/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/SubscriptionServlet.java
index f2b48ab0c4394be7ef09dfa449596b3adbf244ab..e30132d3b03d645949ad62aaedda3d2d43962b02 100644
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/SubscriptionServlet.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/SubscriptionServlet.java
@@ -34,7 +34,7 @@ import net.jami.jams.server.Server;
 import java.io.IOException;
-@WebServlet("/api/subscription")
+@WebServlet("/api/admin/subscription")
 public class SubscriptionServlet extends HttpServlet {
 //Get the subscription status (see: SubscriptionStatusResponse.class)
diff --git a/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/UpdateServlet.java b/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/UpdateServlet.java
index 08785810da8620c18b10afc7416f1a65a2c5ee92..1b3a5e45bd899e92b83c3187b68bb335b61e163f 100644
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/UpdateServlet.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/api/admin/update/UpdateServlet.java
@@ -34,7 +34,7 @@ import java.io.IOException;
 import static net.jami.jams.server.Server.appUpdater;
-@WebServlet("/api/update")
+@WebServlet("/api/admin/update")
 public class UpdateServlet extends HttpServlet {
 //Return the current version number and the available version number.
diff --git a/jams-server/src/main/java/net/jami/jams/server/servlets/filters/ApiFilter.java b/jams-server/src/main/java/net/jami/jams/server/servlets/filters/ApiFilter.java
index 519aa48f0656e3f321bda5b140b4af211f7f6604..8bbee8f2acd046487f346c2616ec994566ea4b8e 100644
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/filters/ApiFilter.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/filters/ApiFilter.java
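Review bot: Moving the mapping to `/api/admin/subscription` does not by itself restrict the endpoint to administrators: the class still `extends HttpServlet`, not the `ScopedServlet` gate that this same commit fixes, so unless ApiFilter applies an admin-only rule to `/api/admin/*` (not visible in this diff) any holder of a valid token can still reach it. If the path is meant to carry an authorization meaning, change the declaration to `public class SubscriptionServlet extends ScopedServlet {` and populate the per-method `*_accessLevels` with the admin level, so the check is enforced in code rather than implied by the URL. Clients still using `/api/subscription` will now get a 404; acceptable for an internal API, but worth a changelog line.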
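Review bot: `UpdateServlet` likewise keeps `extends HttpServlet` after its move to `/api/admin/update`, and it is the more sensitive of the two: the hunk's comment says it reports the installed and available version, and the static import of `appUpdater` suggests the class can also drive the updater, which should not be left to URL-convention authorization. Prefer `public class UpdateServlet extends ScopedServlet {` with an admin-only access-level set; if the gate is instead implemented in ApiFilter for the `/api/admin/*` prefix, a one-line comment above the `@WebServlet` annotation saying so would spare the next reader the search. The servlet's methods are outside the hunk, so what the POST/PUT paths actually do is inferred, not seen.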
@@ -75,7 +75,7 @@ public class ApiFilter implements Filter {
 if ((Boolean) signedJWT.getJWTClaimsSet().getClaim("oneTimePassword")) {
 //TODO: use redirect to enforce the /changepassword url or something.
 }
- request.setAttribute("accessLevel", AccessLevel.valueOf(signedJWT.getJWTClaimsSet().getClaim("accessLevel").toString()));
+ request.setAttribute("accessLevel", AccessLevel.valueOf(signedJWT.getJWTClaimsSet().getClaim("scope").toString()));
 }
 } catch (Exception e) {
 log.info("Received an invalid token, declining access...");
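Review bot: Reading the claim as `getClaim("scope").toString()` fails closed only by accident: a token without the claim makes `toString()` throw a NullPointerException and an unrecognised value makes `AccessLevel.valueOf` throw IllegalArgumentException, both swallowed by the enclosing `catch (Exception e)` and logged as a generic invalid token. Make the rejection explicit so a misconfigured issuer is diagnosable: `Object scope = signedJWT.getJWTClaimsSet().getClaim("scope");` followed by `if (!(scope instanceof String)) { log.warn("Token carries no usable scope claim, declining access"); /* reject as below */ }` before the `valueOf`. Renaming the claim also means every token minted before this change (carrying `accessLevel`) is now rejected; that is fine on a session-invalidating upgrade, but the issuer side of the rename is not in the diff, so confirm it ships in the same release. The surrounding try/catch and its method start and end outside this hunk, so whether the signature is verified before the claims are read is not visible here; the `(Boolean)` cast on the `oneTimePassword` context line has the same null-unboxing failure mode.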