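  /**
   * Checks that the submitted session id belongs to a live patient session, that the session was
   * created from the caller's IP address and that the session's access level is allowed to reach
   * {@code path}; on success the session's last-access timestamp is refreshed and persisted.
   *
   * <p>Every failure returns {@code false} (fail closed); the session row is only written when all
   * checks pass.
   *
   * @param dto carrier of the session id sent by the client; may be {@code null}
   * @param ipAddress remote address of the current request, compared with the address stored on
   *     the session
   * @param path requested resource path, looked up in {@code Permissions.patientPermissionsMap}
   * @return {@code true} if the session exists, matches {@code ipAddress} and permits
   *     {@code path}; {@code false} otherwise
   * @throws Exception propagated from the DAO calls
   */
  public boolean isValidSession(AuthorizedDTO dto, String ipAddress, String path) throws Exception {
    String username = "";

    // Purge expired rows first so an expired session cannot be found by the lookup below.
    appDAO.deleteExpiredPatientSessions();

    if (dto == null || dto.getSessionId() == null) {
      log.info(
          "======= isValidSession() no session id submitted by user at ip address of " + ipAddress);
      return false;
    }

    PatientSession patientSession = appDAO.findPatientSessionBySessionId(dto.getSessionId());

    if (patientSession == null) {
      // NOTE(review): this writes the raw session id to the log; session ids are bearer
      // credentials, so redact or truncate it if the log is read outside this service.
      log.info("======= isValidSession() no session found for : " + dto.getSessionId());
      return false;
    }

    // A session without a stored address cannot be pinned to the caller: reject it instead of
    // letting the dereference throw a NullPointerException.
    String sessionIp = patientSession.getIpAddress();
    if (sessionIp == null || !sessionIp.equals(ipAddress)) {
      log.info(
          "======= isValidSession() submitted IP address is of "
              + ipAddress
              + " does not match the one found in current session");
      return false;
    }

    // check for proper access level
    int accessLevel = patientSession.getPatient().getCred().getAccessLevel();
    log.info("======= isValidSession() checking " + path);
    // Paths absent from the permission map are not access-controlled here (unchanged behaviour).
    if (Permissions.patientPermissionsMap.get(path) != null) {
      username = patientSession.getPatient().getCred().getUsername();
      log.info(
          "======= isValidSession() checking "
              + path
              + " for user "
              + username
              + " with a permissions level of "
              + accessLevel);
      // An access level outside the permission table counts as "not permitted" rather than
      // surfacing as an ArrayIndexOutOfBoundsException. The map's value type is not visible in
      // this file, so the array is indexed in place rather than bound to a local.
      boolean permitted =
          accessLevel >= 0
              && accessLevel < Permissions.patientPermissionsMap.get(path).length
              && Permissions.patientPermissionsMap.get(path)[accessLevel];
      if (!permitted) {
        log.info(
            "======= isValidSession() user "
                + username
                + " lacks permission level to execute "
                + path);
        return false;
      }
    }

    // update session timestamp to current time
    patientSession.setLastAccessTime(new Date());
    appDAO.update(patientSession);
    log.info(
        "======= isValidSession() user "
            + username
            + "'s timestamp updated to "
            + patientSession.getLastAccessTime());

    return true;
  }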