Move Lesson specific checks out of DefaultLessonAction
git-svn-id: http://webgoat.googlecode.com/svn/trunk@148 4033779f-a91e-0410-96ef-6bf7bf53c507
This commit is contained in:
rogan.dawes
@ -278,19 +278,6 @@ public abstract class DefaultLessonAction implements LessonAction
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
// Update lesson status if necessary.
|
||||
if (getStage(s) == 2)
|
||||
{
|
||||
//System.out.println("Checking for stage 2 completion handling action " + functionId);
|
||||
if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized &&
|
||||
functionId.equals(RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
|
||||
setStage(s, 3);
|
||||
}
|
||||
}
|
||||
//System.out.println("isAuthorized() exit stage: " + getStage(s));
|
||||
|
||||
//System.out.println("Authorized? " + authorized);
|
||||
return authorized;
|
||||
}
|
||||
@ -326,51 +313,8 @@ public abstract class DefaultLessonAction implements LessonAction
|
||||
e.printStackTrace();
|
||||
}
|
||||
|
||||
// Update lesson status if necessary.
|
||||
if (getStage(s) == 4)
|
||||
{
|
||||
//System.out.println("Checking for stage 4 completion");
|
||||
if (lessonName.equals("RoleBasedAccessControl") && !calledFromJsp("isAuthorized") && !authorized)
|
||||
{
|
||||
s.setMessage("Congratulations. You have successfully completed this lesson.");
|
||||
getLesson().getLessonTracker( s ).setCompleted( true );
|
||||
}
|
||||
}
|
||||
|
||||
return authorized;
|
||||
}
|
||||
/**
|
||||
* Determine if the calling method was in turn called from a compiled JSP class.
|
||||
* This skips calling methods that start with the given string (e.g. isAuthorized).
|
||||
* @return
|
||||
*/
|
||||
private boolean calledFromJsp(String caller)
|
||||
{
|
||||
boolean fromJsp = false;
|
||||
|
||||
Throwable throwable = new Throwable();
|
||||
StackTraceElement[] trace = throwable.getStackTrace();
|
||||
int callerIndex = 0;
|
||||
boolean done = false;
|
||||
for (int i = 1; i < trace.length && !done; i++)
|
||||
{
|
||||
String callerMethodName = trace[i].getMethodName();
|
||||
//System.out.println("calledFromJsp() callee (" + i + ") is " + callerMethodName);
|
||||
if (!callerMethodName.startsWith(caller)) // Yikes what a hack!
|
||||
{
|
||||
callerIndex = i;
|
||||
done = true;
|
||||
}
|
||||
}
|
||||
String callerClassName = trace[callerIndex].getClassName();
|
||||
//System.out.println("calledFromJsp() callee class (" + (callerIndex) + ") is " + callerClassName);
|
||||
|
||||
if (callerClassName.endsWith("_jsp"))
|
||||
fromJsp = true;
|
||||
|
||||
//System.out.println("calledFromJsp() result: " + fromJsp);
|
||||
return fromJsp;
|
||||
}
|
||||
|
||||
protected void setStage(WebSession s, int stage)
|
||||
{
|
||||
|
||||
@ -159,7 +159,8 @@ public class DeleteProfile extends DefaultLessonAction
|
||||
|
||||
private void updateLessonStatus(WebSession s)
|
||||
{
|
||||
// If the logged in user is not authorized to be here, stage is complete.
|
||||
// If the logged in user is not authorized to be here, stage 1 is complete.
|
||||
if (getStage(s) == 1)
|
||||
try
|
||||
{
|
||||
int userId = getIntSessionAttribute(s, getLessonName() + "."
|
||||
|
||||
@ -12,6 +12,7 @@ import org.apache.ecs.ElementContainer;
|
||||
import org.apache.ecs.html.A;
|
||||
import org.apache.ecs.html.IMG;
|
||||
import org.owasp.webgoat.lessons.Category;
|
||||
import org.owasp.webgoat.lessons.DefaultLessonAction;
|
||||
import org.owasp.webgoat.lessons.LessonAction;
|
||||
import org.owasp.webgoat.lessons.LessonAdapter;
|
||||
import org.owasp.webgoat.session.DatabaseUtilities;
|
||||
@ -355,6 +356,49 @@ public class RoleBasedAccessControl extends LessonAdapter
|
||||
}
|
||||
catch (UnauthorizedException ue2)
|
||||
{
|
||||
// Update lesson status if necessary.
|
||||
if (getStage(s) == 2)
|
||||
{
|
||||
try
|
||||
{
|
||||
if (RoleBasedAccessControl.DELETEPROFILE_ACTION.equals(requestedActionName) &&
|
||||
!isAuthorized(s, getUserId(s), RoleBasedAccessControl.DELETEPROFILE_ACTION))
|
||||
{
|
||||
s.setMessage( "Welcome to stage 3 -- exploiting the data layer" );
|
||||
setStage(s, 3);
|
||||
}
|
||||
} catch (ParameterNotFoundException pnfe)
|
||||
{
|
||||
pnfe.printStackTrace();
|
||||
}
|
||||
}
|
||||
//System.out.println("isAuthorized() exit stage: " + getStage(s));
|
||||
// Update lesson status if necessary.
|
||||
if (getStage(s) == 4)
|
||||
{
|
||||
try
|
||||
{
|
||||
//System.out.println("Checking for stage 4 completion");
|
||||
DefaultLessonAction action = (DefaultLessonAction) getAction(getCurrentAction(s));
|
||||
int userId = Integer.parseInt((String)s.getRequest().getSession().getAttribute(getLessonName() + "."
|
||||
+ RoleBasedAccessControl.USER_ID));
|
||||
int employeeId = s.getParser().getIntParameter(
|
||||
RoleBasedAccessControl.EMPLOYEE_ID);
|
||||
|
||||
if (!action.isAuthorizedForEmployee(s, userId, employeeId))
|
||||
{
|
||||
s.setMessage("Congratulations. You have successfully completed this lesson.");
|
||||
getLessonTracker( s ).setCompleted( true );
|
||||
}
|
||||
} catch (Exception e)
|
||||
{
|
||||
// swallow this - shouldn't happen inthe normal course
|
||||
// e.printStackTrace();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
s.setMessage("You are not authorized to perform this function");
|
||||
System.out.println("Authorization failure");
|
||||
setCurrentAction(s, ERROR_ACTION);
|
||||
|
||||
Reference in New Issue
Block a user