Admin should also be able to see the solution, source and lesson plan.

2016-03-29 01:24:07 +02:00 · 2016-03-29 01:24:07 +02:00 · b06d9ffd81
commit b06d9ffd81
parent a52df28ec6
4 changed files with 11 additions and 26 deletions
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/LessonPlanService.java
@ -29,17 +29,15 @@
 */
 package org.owasp.webgoat.service;

-import javax.servlet.http.HttpSession;
-import static org.owasp.webgoat.LessonSource.END_SOURCE_SKIP;
-import static org.owasp.webgoat.LessonSource.START_SOURCE_SKIP;
 import org.owasp.webgoat.lessons.AbstractLesson;
-import org.owasp.webgoat.lessons.model.SourceListing;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

+import javax.servlet.http.HttpSession;
+
 /**
 * <p>LessonPlanService class.</p>
 *
@ -61,9 +59,6 @@ public class LessonPlanService extends BaseService {
        WebSession ws = getWebSession(session);
        String plan = getPlan(ws);
        return plan;
-        //SourceListing sl = new SourceListing();
-        //sl.setSource(source);
-        //return sl;
    }

    /**
@ -73,15 +68,12 @@ public class LessonPlanService extends BaseService {
     * @return Description of the Return Value
     */
    protected String getPlan(WebSession s) {
-
        String plan = null;
        int scr = s.getCurrentScreen();
        Course course = s.getCourse();

-        if (s.isUser() || s.isChallenge()) {
-
+        if (s.isUser() || s.isAdmin()) {
            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
            if (lesson != null) {
                plan = lesson.getLessonPlan(s);
            }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SolutionService.java
@ -29,7 +29,6 @@
 */
 package org.owasp.webgoat.service;

-import javax.servlet.http.HttpSession;
 import org.owasp.webgoat.lessons.AbstractLesson;
 import org.owasp.webgoat.session.Course;
 import org.owasp.webgoat.session.WebSession;
@ -37,6 +36,8 @@ import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

+import javax.servlet.http.HttpSession;
+
 /**
 * <p>SolutionService class.</p>
 *
@ -67,23 +68,19 @@ public class SolutionService extends BaseService {
     * @return a {@link java.lang.String} object.
     */
    protected String getSolution(WebSession s) {
-
        String source = null;
        int scr = s.getCurrentScreen();
        Course course = s.getCourse();

-        if (s.isUser() || s.isChallenge()) {
-
+        if (s.isUser() || s.isAdmin()) {
            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
            if (lesson != null) {
                source = lesson.getSolution(s);
            }
        }
        if (source == null) {
-            return "Solution  is not available. Contact "
-                    + s.getWebgoatContext().getFeedbackAddressHTML();
+            return "Solution  is not available. Contact " + s.getWebgoatContext().getFeedbackAddressHTML();
        }
-        return (source);
+        return source;
    }
 }
--- a/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/service/SourceService.java
@ -75,15 +75,12 @@ public class SourceService extends BaseService {
     * @return Description of the Return Value
     */
    protected String getSource(WebSession s) {
-
        String source = null;
        int scr = s.getCurrentScreen();
        Course course = s.getCourse();

-        if (s.isUser() || s.isChallenge()) {
-
+        if (s.isUser() || s.isAdmin()) {
            AbstractLesson lesson = course.getLesson(s, scr, AbstractLesson.USER_ROLE);
-
            if (lesson != null) {
                source = lesson.getRawSource(s);
            }
@ -91,7 +88,7 @@ public class SourceService extends BaseService {
        if (source == null) {
            return "Source code is not available for this lesson.";
        }
-        return (source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
-                "Code Section Deliberately Omitted"));
+        return source.replaceAll("(?s)" + START_SOURCE_SKIP + ".*" + END_SOURCE_SKIP,
+                "Code Section Deliberately Omitted");
    }
 }
--- a/webgoat-container/src/main/webapp/WEB-INF/webgoat.properties
+++ b/webgoat-container/src/main/webapp/WEB-INF/webgoat.properties
@ -10,7 +10,6 @@ lesson.BasicAuthentication.hidden=true
 lesson.BlindScript.hidden=true
 lesson.RemoteAdminFlaw.hidden=true
 lesson.HttpSplitting.hidden=true
-lesson.BasicAuthentication.hidden=true
 lesson.SameOriginPolicyProtection.hidden=true
 lesson.SilentTransactions.hidden=true
 lesson.TraceXSS.hidden=true