From 3fd7b34536dbf359762a8fc5314ca7699ca5acca Mon Sep 17 00:00:00 2001 From: Rick Lawson Date: Fri, 19 Sep 2014 21:06:46 -0400 Subject: [PATCH] more changes for showSource and showHints --- .../owasp/webgoat/lessons/AbstractLesson.java | 12 +++++++----- .../org/owasp/webgoat/service/BaseService.java | 3 +-- .../webgoat/service/LessonMenuService.java | 18 ++++++++++++++++-- .../org/owasp/webgoat/session/WebSession.java | 4 ++-- 4 files changed, 26 insertions(+), 11 deletions(-) diff --git a/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java b/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java index 4ae4469df..130b81ed5 100644 --- a/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java +++ b/src/main/java/org/owasp/webgoat/lessons/AbstractLesson.java @@ -60,8 +60,8 @@ import org.slf4j.LoggerFactory; * * Getting Source ============== * - * Source for this application is maintained at https://github.com/WebGoat/WebGoat, a repository - * for free software projects. + * Source for this application is maintained at + * https://github.com/WebGoat/WebGoat, a repository for free software projects. * * For details, please see http://webgoat.github.io * @@ -70,7 +70,7 @@ import org.slf4j.LoggerFactory; */ public abstract class AbstractLesson extends Screen implements Comparable { - final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); + private static final Logger logger = LoggerFactory.getLogger(AbstractLesson.class); /** * Description of the Field @@ -612,6 +612,7 @@ public abstract class AbstractLesson extends Screen implements Comparable lessons = ws.getLessons(category); + String role = ws.getRole(); + logger.info("Role: " + role); for (AbstractLesson lesson : lessons) { LessonMenuItem lessonItem = new LessonMenuItem(); lessonItem.setName(lesson.getTitle()); 
@@ -80,13 +86,21 @@ public class LessonMenuService extends BaseService {
                 if (lesson.isCompleted(ws)) {
                     lessonItem.setComplete(true);
                 }
-                if (ws.isAuthorizedInLesson(ws.getRole(), WebSession.SHOWHINTS)) {
+
+                if (lesson.isAuthorized(ws, role, WebSession.SHOWHINTS)) {
                     lessonItem.setShowHints(true);
                 }
-                if (ws.isAuthorizedInLesson(ws.getRole(), WebSession.SHOWSOURCE)) {
+                if (lesson.isAuthorized(ws, role, WebSession.SHOWSOURCE)) {
                     lessonItem.setShowSource(true);
                 }
+
+                // special handling for challenge role
+                if (Category.CHALLENGE.equals(lesson.getCategory())) {
+                    lessonItem.setShowHints(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
+                    lessonItem.setShowSource(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
+                }
+
                 categoryItem.addChild(lessonItem);
                 // Does the lesson have stages
                 if (lesson instanceof RandomLessonAdapter) {
diff --git a/src/main/java/org/owasp/webgoat/session/WebSession.java b/src/main/java/org/owasp/webgoat/session/WebSession.java
index 7bf0922f4..266f3f80c 100644
--- a/src/main/java/org/owasp/webgoat/session/WebSession.java
+++ b/src/main/java/org/owasp/webgoat/session/WebSession.java
@@ -75,12 +75,12 @@ public class WebSession {
     /**
      * Tomcat role for a webgoat user
      */
-    public final static String WEBGOAT_USER = "webgoat_user";
+    public final static String WEBGOAT_USER = "ROLE_WEBGOAT_USER";
     /**
      * Tomcat role for a webgoat admin
      */
-    public final static String WEBGOAT_ADMIN = "webgoat_admin";
+    public final static String WEBGOAT_ADMIN = "ROLE_WEBGOAT_ADMIN";
     /**
      * Description of the Field
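Review bot: In the added challenge block, the `setShowSource` call is gated on `WebSession.SHOWHINTS` instead of `WebSession.SHOWSOURCE`, so for challenge lessons source visibility follows the hints permission rather than the source permission; the line should read `lessonItem.setShowSource(lesson.isAuthorized(ws, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWSOURCE));`. The same block also unconditionally overwrites the two values computed just above from the caller's own `role`, which appears intended for challenges but deserves a clearer comment than `// special handling for challenge role`, for example `// challenge lessons: hints/source are decided by CHALLENGE_ROLE only, overriding the user's role`. The enclosing method begins and ends outside the hunk.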
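Review bot: The Javadoc on both constants still reads `Tomcat role for a webgoat user` / `Tomcat role for a webgoat admin` while the values now carry a `ROLE_` prefix, so the comment no longer explains where the name comes from; suggest `Role name for a webgoat user; must match the role name granted by the authentication configuration (note the ROLE_ prefix)` and the analogous text for the admin constant. Because these strings are what the authorization checks compare against, any configuration or code that still uses the old `webgoat_user` / `webgoat_admin` values would stop matching after this change — whether such places exist cannot be determined from this diff.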