Move Lesson specific checks out of DefaultLessonAction

git-svn-id: http://webgoat.googlecode.com/svn/trunk@148 4033779f-a91e-0410-96ef-6bf7bf53c507
2007-07-10 11:54:55 +00:00 · 2007-07-10 11:54:55 +00:00 · a8119f6982
commit a8119f6982
parent 3dc1a04d62
3 changed files with 46 additions and 57 deletions
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/DefaultLessonAction.java
@ -278,19 +278,6 @@ public abstract class DefaultLessonAction implements LessonAction
 			e.printStackTrace();
 		}
 				
-		// Update lesson status if necessary.
-		if (getStage(s) == 2)
-		{
-			//System.out.println("Checking for stage 2 completion handling action " + functionId);
-			if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized &&
-					functionId.equals(RoleBasedAccessControl.DELETEPROFILE_ACTION))
-			{
-				s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
-				setStage(s, 3);
-			}
-		}
-		//System.out.println("isAuthorized() exit stage: " + getStage(s));		
-		
 		//System.out.println("Authorized? " + authorized);
 		return authorized;
 	}
@ -326,51 +313,8 @@ public abstract class DefaultLessonAction implements LessonAction
 			e.printStackTrace();
 		}
 		
-		// Update lesson status if necessary.
-		if (getStage(s) == 4)
-		{
-			//System.out.println("Checking for stage 4 completion");
-			if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized)
-			{
-			    s.setMessage("Congratulations. You have successfully completed this lesson.");
-			    getLesson().getLessonTracker( s ).setCompleted( true );
-			}			
-		}
-		
 		return authorized;
 	}
-	/**
-	 * Determine if the calling method was in turn called from a compiled JSP class.
-	 * This skips calling methods that start with the given string (e.g. isAuthorized).
-	 * @return
-	 */
-	private boolean calledFromJsp(String caller)
-	{
-		boolean fromJsp = false;
-		
-		Throwable throwable = new Throwable();
-		StackTraceElement[] trace = throwable.getStackTrace();
-		int callerIndex = 0;
-		boolean done = false;
-		for (int i = 1; i < trace.length && !done; i++)
-		{
-			String callerMethodName = trace[i].getMethodName();
-			//System.out.println("calledFromJsp() callee (" + i + ") is " + callerMethodName);
-			if (!callerMethodName.startsWith(caller))		// Yikes what a hack!
-			{
-				callerIndex = i;
-				done = true;
-			}
-		}
-		String callerClassName = trace[callerIndex].getClassName();
-		//System.out.println("calledFromJsp() callee class (" + (callerIndex) + ") is " + callerClassName);
-		
-		if (callerClassName.endsWith("_jsp"))
-			fromJsp = true;
-		
-		//System.out.println("calledFromJsp() result: " + fromJsp);
-		return fromJsp;
-	}
 	
 	protected void setStage(WebSession s, int stage)
 	{
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/DeleteProfile.java
@ -159,7 +159,8 @@ public class DeleteProfile extends DefaultLessonAction

    private void updateLessonStatus(WebSession s)
    {
-	// If the logged in user is not authorized to be here, stage is complete.
+	// If the logged in user is not authorized to be here, stage 1 is complete.
+	if (getStage(s) == 1) 
 	try
 	{
 	    int userId = getIntSessionAttribute(s, getLessonName() + "."
--- a/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
+++ b/webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/RoleBasedAccessControl/RoleBasedAccessControl.java
@ -12,6 +12,7 @@ import org.apache.ecs.ElementContainer;
 import org.apache.ecs.html.A;
 import org.apache.ecs.html.IMG;
 import org.owasp.webgoat.lessons.Category;
+import org.owasp.webgoat.lessons.DefaultLessonAction;
 import org.owasp.webgoat.lessons.LessonAction;
 import org.owasp.webgoat.lessons.LessonAdapter;
 import org.owasp.webgoat.session.DatabaseUtilities;
@ -355,6 +356,49 @@ public class RoleBasedAccessControl extends LessonAdapter
 	}
 	catch (UnauthorizedException ue2)
 	{
+		// Update lesson status if necessary.
+		if (getStage(s) == 2)
+		{
+			try
+			{
+			if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
+					!isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
+			{
+				s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
+				setStage(s, 3);
+			}
+			} catch (ParameterNotFoundException pnfe)
+			{
+			pnfe.printStackTrace();
+			}
+		}
+		//System.out.println("isAuthorized() exit stage: " + getStage(s));
+		// Update lesson status if necessary.
+		if (getStage(s) == 4)
+		{
+			try
+			{
+			//System.out.println("Checking for stage 4 completion");
+			DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
+			int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
+					+ RoleBasedAccessControl.USER_ID));
+			int employeeId = s.getParser().getIntParameter(
+				RoleBasedAccessControl.EMPLOYEE_ID);
+
+			if (!action.isAuthorizedForEmployee(s, userId, employeeId))
+			{
+			    s.setMessage("Congratulations. You have successfully completed this lesson.");
+			    getLessonTracker( s ).setCompleted( true );
+			}
+			} catch (Exception e)
+			{
+				// swallow this - shouldn't happen inthe normal course
+				// e.printStackTrace();
+			}
+		}
+		
+
+
 	    s.setMessage("You are not authorized to perform this function");
 	    System.out.println("Authorization failure");
 	    setCurrentAction(s, ERROR_ACTION);