| Code with Finding: |
class SocialNetworkDatabasePosts {
/**
* AUTHORIZATION FUNCTION
* Returns whether this user can go to/reply under the specified post # in the FFA board.
* The user must be the post's author or have a privilege in the post.
* Assumes post already exists.
* AuthType = "view" or "reply". For view, merely checks that a priv exists.
* For reply, checks that the priv is "viewpost"
*/
public static Boolean authorizedFFAPost(Connection conn, String username, int postNum, String authType) {
Boolean isPostCreator = isFFAPostCreator(conn, username, postNum);
if (isPostCreator == null) {
return null;
}
else if (isPostCreator.booleanValue()) {
return new Boolean(true);
}
else {
/*Retrieve the privilege for a given post and user*/
PreparedStatement getPriv = null;
String getPrivString = "SELECT privilege " +
"FROM freeforall.postprivileges " +
"WHERE pid = ? AND username = ?";
ResultSet privResult = null;
Boolean authorized = null;
try {
getPriv = conn.prepareStatement(getPrivString);
getPriv.setInt(1, postNum);
getPriv.setString(2, username);
privResult = getPriv.executeQuery();
//the privilege is at least View
if (authType.equals("view")) {
authorized = new Boolean(privResult.next());
}
else if (authType.equals("reply")) {
if (privResult.next()) {
authorized = new Boolean(privResult.getString("privilege").equals("viewpost"));
}
else {
authorized = new Boolean(false);
}
}
}
catch (SQLException e) {
e.printStackTrace();
}
finally {
DBManager.closeResultSet(privResult);
DBManager.closePreparedStatement(getPriv);
}
return authorized;
}
}
}
class SocialNetworkDatabasePosts {
/** Gets a post from the designated board and region
* with the given post number.
* ASSUMES that the board, region, and post are all valid.
*/
public static String getPost(Connection conn, String username, String boardName,
String regionName, int postNum) {
String getOriginalPost = "";
String getReplies = "";
String postAndReplies = "";
/*No joining of results because of redundancy of data returned*/
if (boardName.equals("freeforall")) {
getOriginalPost = "SELECT * FROM freeforall.posts " +
"WHERE pid = ?";
getReplies = "SELECT * FROM freeforall.replies " +
"WHERE pid = ? ORDER BY dateReplied ASC";
}
else {
getOriginalPost = "SELECT * FROM " + boardName + ".posts " +
"WHERE pid = ? AND rname = ?";
getReplies = "SELECT * FROM " + boardName + ".replies " +
"WHERE pid = ? AND rname = ? ORDER BY dateReplied ASC";
}
PreparedStatement originalPost = null;
ResultSet postResult = null;
PreparedStatement replies = null;
ResultSet repliesResult = null;
boolean sqlex = false;
try {
originalPost = conn.prepareStatement(getOriginalPost);
replies = conn.prepareStatement(getReplies);
originalPost.setInt(1, postNum);
replies.setInt(1, postNum);
if (!boardName.equals("freeforall")) {
originalPost.setString(2, regionName);
replies.setString(2, regionName);
}
postResult = originalPost.executeQuery();
if (postResult.next()) { /*Only expect one post result*/
//Make sure the checksum is correct
if (!Arrays.equals(
Hash.generateChecksum((SharedKeyCrypto.decrypt(postResult.getString("content"))).getBytes("UTF8")),
CryptoUtil.decode(postResult.getString("checksum")))) {
postAndReplies +=
"print ----- Post# " + postNum + "[" + postResult.getString("postedBy") + "]----- " +
postResult.getTimestamp("datePosted").toString() + ";print \t" +
"Content could not be fetched -- Integrity Failure!" + ";";
}
else {
postAndReplies +=
"print ----- Post# " + postNum + "[" + postResult.getString("postedBy") + "]----- " +
postResult.getTimestamp("datePosted").toString() + ";print \t" +
SharedKeyCrypto.decrypt(postResult.getString("content")) + ";";
}
repliesResult = replies.executeQuery();
while (repliesResult.next()) { //Print out all replies
//for each reply, make sure the checksum is correct.
if(!Arrays.equals(
Hash.generateChecksum((SharedKeyCrypto.decrypt(repliesResult.getString("content"))).getBytes("UTF8")),
CryptoUtil.decode(repliesResult.getString("checksum")))) {
postAndReplies += "print ----- Reply[" + repliesResult.getString("repliedBy") + "] ----- " +
repliesResult.getTimestamp("dateReplied").toString() + ";print \t" +
"Content could not be fetched -- Integrity Failure!" + ";";
}
else {
postAndReplies += "print ----- Reply[" + repliesResult.getString("repliedBy") + "] ----- " +
repliesResult.getTimestamp("dateReplied").toString() + ";print \t" +
SharedKeyCrypto.decrypt(repliesResult.getString("content")) + ";";
}
}
}
// if there's no postResult, the post DNE.
}
catch (SQLException e) {
e.printStackTrace();
sqlex = true;
} catch (UnsupportedEncodingException e) {
// This should not happen.
}
if (postAndReplies.equals("") && !sqlex) {
return "print Error: Post does not exist. Refresh. If the problem persists, contact an admin.";
}
else if (sqlex) {
return "print Error: Database error while querying post and replies. Contact an admin.";
}
else return postAndReplies;
}
}
|
