| Code with Finding: |
class SocialNetworkDatabaseBoards {
/** Returns whether the user is authorized to go to this board.
* Equivalent checking as in GetBoardList:
* For Admins: Must be within the "admin" list of the board
* For Users: Must be within the "RegionPrivileges" list of the board for some region
* Assumes the board already exists and is not 'freeforall' board
*/
public static Boolean authorizedGoToBoard(Connection conn, String username, String boardname) {
Statement stmt = null;
PreparedStatement pstmt = null;
ResultSet boards = null;
ResultSet privResult = null;
Boolean authorized = null;
try {
String getRegionPrivs, getRegionAdmins;
String role = DatabaseAdmin.getUserRole(conn, username);
if (role.equals("admin") || role.equals("sa")) { // an admin
getRegionAdmins = "SELECT * FROM main.boardadmins WHERE bname = ? AND username = ?";
pstmt = conn.prepareStatement(getRegionAdmins);
pstmt.setString(1, boardname);
pstmt.setString(2, username);
privResult = pstmt.executeQuery();
authorized = new Boolean(privResult.next());
privResult.close();
pstmt.close();
privResult = null;
pstmt = null;
}
else if (!role.equals("")) {
stmt = conn.createStatement();
getRegionPrivs = "SELECT privilege FROM "
+ boardname + ".regionprivileges WHERE username = ?";
pstmt = conn.prepareStatement(getRegionPrivs);
pstmt.setString(1, username);
privResult = pstmt.executeQuery();
authorized = new Boolean(privResult.next());
privResult.close();
pstmt.close();
privResult = null;
pstmt = null;
}
else { //there was an sql exception when getting the role.
}
}
catch (SQLException e) {
e.printStackTrace();
}
finally {
DBManager.closeStatement(stmt);
DBManager.closePreparedStatement(pstmt);
DBManager.closeResultSet(boards);
}
return authorized;
}
}
class SocialNetworkDatabaseBoards {
public static ArrayList<String> getBoardAdmins(Connection conn, String board) {
if (board.equals("freeforall")) {
return null;
}
ArrayList<String> admins = new ArrayList<String>();
String query = "SELECT * FROM main.boardadmins WHERE bname = ?";
PreparedStatement pstmt = null;
ResultSet adminResults = null;
try {
pstmt = conn.prepareStatement(query);
pstmt.setString(1, board);
adminResults = pstmt.executeQuery(query);
while (adminResults.next()) {
admins.add(adminResults.getString("username"));
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
DBManager.closePreparedStatement(pstmt);
DBManager.closeResultSet(adminResults);
}
return admins;
}
}
|
