| Code with Finding: |
class SocialNetworkDatabaseBoards { /** Returns whether the user is authorized to go to this board. * Equivalent checking as in GetBoardList: * For Admins: Must be within the "admin" list of the board * For Users: Must be within the "RegionPrivileges" list of the board for some region * Assumes the board already exists and is not 'freeforall' board */ public static Boolean authorizedGoToBoard(Connection conn, String username, String boardname) { Statement stmt = null; PreparedStatement pstmt = null; ResultSet boards = null; ResultSet privResult = null; Boolean authorized = null; try { String getRegionPrivs, getRegionAdmins; String role = DatabaseAdmin.getUserRole(conn, username); if (role.equals("admin") || role.equals("sa")) { // an admin getRegionAdmins = "SELECT * FROM main.boardadmins WHERE bname = ? AND username = ?"; pstmt = conn.prepareStatement(getRegionAdmins); pstmt.setString(1, boardname); pstmt.setString(2, username); privResult = pstmt.executeQuery(); authorized = new Boolean(privResult.next()); privResult.close(); pstmt.close(); privResult = null; pstmt = null; } else if (!role.equals("")) { stmt = conn.createStatement(); getRegionPrivs = "SELECT privilege FROM " + boardname + ".regionprivileges WHERE username = ?"; pstmt = conn.prepareStatement(getRegionPrivs); pstmt.setString(1, username); privResult = pstmt.executeQuery(); authorized = new Boolean(privResult.next()); privResult.close(); pstmt.close(); privResult = null; pstmt = null; } else { //there was an sql exception when getting the role. } } catch (SQLException e) { e.printStackTrace(); } finally { DBManager.closeStatement(stmt); DBManager.closePreparedStatement(pstmt); DBManager.closeResultSet(boards); } return authorized; }}
class SocialNetworkDatabaseBoards { public static ArrayList<String> getBoardAdmins(Connection conn, String board) { if (board.equals("freeforall")) { return null; } ArrayList<String> admins = new ArrayList<String>(); String query = "SELECT * FROM main.boardadmins WHERE bname = ?"; PreparedStatement pstmt = null; ResultSet adminResults = null; try { pstmt = conn.prepareStatement(query); pstmt.setString(1, board); adminResults = pstmt.executeQuery(query); while (adminResults.next()) { admins.add(adminResults.getString("username")); } } catch (SQLException e) { e.printStackTrace(); } finally { DBManager.closePreparedStatement(pstmt); DBManager.closeResultSet(adminResults); } return admins; }}
|
