/**
* Creates a Discussion Post
*
* <p>- Requires a cookie for the session user - Requires a comment and threadId request parameter
* for the POST
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void createPostAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
Map<String, Object> viewData = new HashMap<>();
if (req.getMethod() == HttpMethod.Post) {
DiscussionManager dm = new DiscussionManager();
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
// Create the discussion post
DiscussionPost post = new DiscussionPost();
post.setUserId(userSession.getUserId());
post.setMessage(req.getParameter("comment"));
post.setThreadId(Integer.parseInt(req.getParameter("threadId")));
dm.createPost(post);
redirectToLocal(req, res, "/group/discussion/?threadId=" + req.getParameter("threadId"));
} else {
httpNotFound(req, res);
}
}
/**
* Deletes a meeting from the database
*
* <p>- Requires a cookie for the session user - Requires a meetingId request parameter for the
* HTTP GET
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void deletemeetingAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
if (req.getMethod() == HttpMethod.Get) {
// Get the meeting
int meetingId = Integer.parseInt(req.getParameter("meetingId"));
MeetingManager meetingMan = new MeetingManager();
Meeting meeting = meetingMan.get(meetingId);
meetingMan.deleteMeeting(meetingId);
// Update the User Session to remove meeting
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
List<Meeting> adminMeetings = userSession.getUser().getMeetings();
for (int i = 0; i < adminMeetings.size(); i++) {
Meeting m = adminMeetings.get(i);
if (m.getId() == meeting.getId()) {
adminMeetings.remove(i);
break;
}
}
redirectToLocal(req, res, "/home/dashboard");
return;
} else if (req.getMethod() == HttpMethod.Post) {
httpNotFound(req, res);
}
}
/* good2() reverses the bodies in the if statement */
private void good2(HttpServletRequest request, HttpServletResponse response) throws Throwable {
if (IO.static_returns_t()) {
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FIX: logged message does not contain session id */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
} else {
/* INCIDENTAL: CWE 561 Dead Code, the code below will never run */
Logger tcLog = Logger.getLogger("cwe_testcases_logger");
if (request.getParameter("username") == null) {
return;
}
String username = request.getParameter("username");
if (username.matches("[a-zA-Z0-9]*")) {
HttpSession session = request.getSession(true);
/* FLAW: leak session ID to debug log */
tcLog.log(Level.FINEST, "Username: "******" Session ID:" + session.getId());
} else {
response.getWriter().println("Invalid characters");
}
}
}
/**
* Removes User from the Group
*
* <p>- Requires a cookie for the session user - Requires a groupId request parameter for the HTTP
* GET
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void leaveAction(HttpServletRequest req, HttpServletResponse res) {
if (AccountController.redirectIfNoCookie(req, res)) return;
if (req.getMethod() == HttpMethod.Get) {
int groupId = Integer.parseInt(req.getParameter("groupId"));
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
int userId = userSession.getUser().getId();
GroupManager groupMan = new GroupManager();
groupMan.removeMapping(groupId, userId);
// reload groups into the user
userSession.getUser().setGroups(groupMan.getAllGroups(userId));
redirectToLocal(req, res, "/home/dashboard");
return;
} else {
httpNotFound(req, res);
}
}
/**
* Creates a notification to a Group coordinator signaling that a user wants to join their group
*
* <p>- Requires a groupId request parameter for the GET
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void inviteAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
Map<String, Object> viewData = new HashMap<String, Object>();
int groupId = Integer.parseInt(req.getParameter("groupId"));
try {
// Get the session user
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
User user = userSession.getUser();
// Get the coordinator for the group
GroupManager groupMan = new GroupManager();
Group group = groupMan.get(groupId);
User coordinator = groupMan.getCoordinator(groupId);
// Send a notification to the coordinator for them to permit access to the group
NotificationManager notificationMan = new NotificationManager();
Notification notification =
new Notification(
coordinator.getId(),
coordinator,
groupId,
group,
user.getFullName() + " wants to join your group " + group.getGroupName(),
"/home/notifications?addUserId=" + user.getId() + "&groupId=" + group.getId());
notificationMan.createNotification(notification);
redirectToLocal(req, res, "/home/dashboard");
return;
} catch (Exception e) {
redirectToLocal(req, res, "/home/dashboard");
}
}
public void doProcess(HttpServletRequest req, HttpServletResponse res, boolean isPost) {
StringBuffer bodyContent = null;
OutputStream out = null;
PrintWriter writer = null;
String serviceKey = null;
try {
BufferedReader in = req.getReader();
String line = null;
while ((line = in.readLine()) != null) {
if (bodyContent == null) bodyContent = new StringBuffer();
bodyContent.append(line);
}
} catch (Exception e) {
}
try {
if (requireSession) {
// check to see if there was a session created for this request
// if not assume it was from another domain and blow up
// Wrap this to prevent Portlet exeptions
HttpSession session = req.getSession(false);
if (session == null) {
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
return;
}
}
serviceKey = req.getParameter("id");
// only to preven regressions - Remove before 1.0
if (serviceKey == null) serviceKey = req.getParameter("key");
// check if the services have been loaded or if they need to be reloaded
if (services == null || configUpdated()) {
getServices(res);
}
String urlString = null;
String xslURLString = null;
String userName = null;
String password = null;
String format = "json";
String callback = req.getParameter("callback");
String urlParams = req.getParameter("urlparams");
String countString = req.getParameter("count");
// encode the url to prevent spaces from being passed along
if (urlParams != null) {
urlParams = urlParams.replace(' ', '+');
}
try {
if (services.has(serviceKey)) {
JSONObject service = services.getJSONObject(serviceKey);
// default to the service default if no url parameters are specified
if (urlParams == null && service.has("defaultURLParams")) {
urlParams = service.getString("defaultURLParams");
}
String serviceURL = service.getString("url");
// build the URL
if (urlParams != null && serviceURL.indexOf("?") == -1) {
serviceURL += "?";
} else if (urlParams != null) {
serviceURL += "&";
}
String apikey = "";
if (service.has("username")) userName = service.getString("username");
if (service.has("password")) password = service.getString("password");
if (service.has("apikey")) apikey = service.getString("apikey");
urlString = serviceURL + apikey;
if (urlParams != null) urlString += "&" + urlParams;
if (service.has("xslStyleSheet")) {
xslURLString = service.getString("xslStyleSheet");
}
}
// code for passing the url directly through instead of using configuration file
else if (req.getParameter("url") != null) {
String serviceURL = req.getParameter("url");
// build the URL
if (urlParams != null && serviceURL.indexOf("?") == -1) {
serviceURL += "?";
} else if (urlParams != null) {
serviceURL += "&";
}
urlString = serviceURL;
if (urlParams != null) urlString += urlParams;
} else {
writer = res.getWriter();
if (serviceKey == null)
writer.write("XmlHttpProxyServlet Error: id parameter specifying serivce required.");
else
writer.write(
"XmlHttpProxyServlet Error : service for id '" + serviceKey + "' not found.");
writer.flush();
return;
}
} catch (Exception ex) {
getLogger().severe("XmlHttpProxyServlet Error loading service: " + ex);
}
Map paramsMap = new HashMap();
paramsMap.put("format", format);
// do not allow for xdomain unless the context level setting is enabled.
if (callback != null && allowXDomain) {
paramsMap.put("callback", callback);
}
if (countString != null) {
paramsMap.put("count", countString);
}
InputStream xslInputStream = null;
if (urlString == null) {
writer = res.getWriter();
writer.write(
"XmlHttpProxyServlet parameters: id[Required] urlparams[Optional] format[Optional] callback[Optional]");
writer.flush();
return;
}
// default to JSON
res.setContentType(responseContentType);
out = res.getOutputStream();
// get the stream for the xsl stylesheet
if (xslURLString != null) {
// check the web root for the resource
URL xslURL = null;
xslURL = ctx.getResource(resourcesDir + "xsl/" + xslURLString);
// if not in the web root check the classpath
if (xslURL == null) {
xslURL =
XmlHttpProxyServlet.class.getResource(classpathResourcesDir + "xsl/" + xslURLString);
}
if (xslURL != null) {
xslInputStream = xslURL.openStream();
} else {
String message =
"Could not locate the XSL stylesheet provided for service id "
+ serviceKey
+ ". Please check the XMLHttpProxy configuration.";
getLogger().severe(message);
try {
out.write(message.getBytes());
out.flush();
return;
} catch (java.io.IOException iox) {
}
}
}
if (!isPost) {
xhp.doGet(urlString, out, xslInputStream, paramsMap, userName, password);
} else {
if (bodyContent == null)
getLogger()
.info(
"XmlHttpProxyServlet attempting to post to url "
+ urlString
+ " with no body content");
xhp.doPost(
urlString,
out,
xslInputStream,
paramsMap,
bodyContent.toString(),
req.getContentType(),
userName,
password);
}
} catch (Exception iox) {
iox.printStackTrace();
getLogger().severe("XmlHttpProxyServlet: caught " + iox);
try {
writer = res.getWriter();
writer.write(iox.toString());
writer.flush();
} catch (java.io.IOException ix) {
ix.printStackTrace();
}
return;
} finally {
try {
if (out != null) out.close();
if (writer != null) writer.close();
} catch (java.io.IOException iox) {
}
}
}
/**
* Displays a given Research Group page for a HTTP Get, or creates a new Group for a HTTP Post
*
* <p>- Requires a cookie for the session user - Requires a groupId request parameter for a GET -
* Requires a groupName, description, createdByUserId request parameters for a POST
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void researchgroupAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
Map<String, Object> viewData = new HashMap<String, Object>();
viewData.put("title", "Research Group");
if (req.getMethod() == HttpMethod.Get) {
// Load group data into Map
GroupManager gm = new GroupManager();
int groupId = Integer.parseInt(req.getParameter("groupId"));
Group group = gm.get(groupId);
if (group != null) {
// Load Group into map
viewData.put("group", group);
// Load group members into Map
List<String> groupMembers = gm.getGroupMembers(groupId);
viewData.put("groupMembers", groupMembers);
// Load meetings into map
MeetingManager meetMan = new MeetingManager();
List<Meeting> groupMeetings = meetMan.getGroupMeetings(groupId);
viewData.put("groupMeetings", groupMeetings);
// Load Document Data into Map
DocumentManager docMan = new DocumentManager();
List<Document> groupDocuments = docMan.getGroupDocuments(groupId);
viewData.put("groupDocuments", groupDocuments);
// Load discussion threads
DiscussionManager dm = new DiscussionManager();
viewData.put("groupDiscussions", dm.getThreads(groupId));
// Check if the user is a member
boolean isMember = false;
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
User user = userSession.getUser();
for (Group g : gm.getAllGroups(user.getId())) {
if (g.getId() == group.getId()) {
isMember = true;
break;
}
}
viewData.put("notMember", !isMember);
// View group page.
view(req, res, "/views/group/ResearchGroup.jsp", viewData);
} else {
httpNotFound(req, res);
}
} else if (req.getMethod() == HttpMethod.Post) {
// Create Group
// Get data from parameters
String groupName = req.getParameter("groupName");
String description = req.getParameter("description");
int adminId = Integer.parseInt(req.getParameter("createdByUserId"));
// Create the Group
GroupManager groupMan = new GroupManager();
Group group = new Group();
group.setGroupName(groupName);
group.setDescription(description);
group.setCoordinatorId(adminId);
// Create the mapping
groupMan.createGroup(group);
int groupId = groupMan.getIdFor(group);
groupMan.createMapping(groupId, adminId);
group.setId(groupId);
// Update the User Session to show new group
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
User admin = userSession.getUser();
admin.getGroups().add(group);
// Show the Group Page
viewData.put("groupName", group.getGroupName());
List<String> groupMembers = groupMan.getGroupMembers(groupId);
viewData.put("groupMembers", groupMembers);
view(req, res, "/views/group/ResearchGroup.jsp", viewData);
}
}
/**
* Displays the Create Discussion page for a HTTP Get, or creates a Discussion Thread for a HTTP
* Post
*
* <p>- Requires a cookie for the session user - Requires a groupId request parameter for a GET -
* Requires a groupId and threadName request parameter for a POST - Requires a document request
* part for a POST
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void createDiscussionAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
Map<String, Object> viewData = new HashMap<>();
if (req.getMethod() == HttpMethod.Get) {
viewData.put("title", "Create Discussion");
viewData.put("groupId", req.getParameter("groupId"));
view(req, res, "/views/group/CreateDiscussion.jsp", viewData);
return;
} else if (req.getMethod() == HttpMethod.Post) {
// save discussion
GroupManager groupMan = new GroupManager();
DiscussionThread thread = new DiscussionThread();
int groupId = Integer.parseInt(req.getParameter("groupId"));
thread.setGroupId(groupId);
thread.setGroup(groupMan.get(groupId));
thread.setThreadName(req.getParameter("threadName"));
DiscussionManager dm = new DiscussionManager();
dm.createDiscussion(thread);
try {
Part documentPart = req.getPart("document");
// if we have a document to upload
if (documentPart.getSize() > 0) {
String uuid = DocumentController.saveDocument(this.getServletContext(), documentPart);
Document doc = new Document();
doc.setDocumentName(getFileName(documentPart));
doc.setDocumentPath(uuid);
doc.setVersionNumber(1);
doc.setThreadId(thread.getId());
doc.setGroupId(thread.getGroupId());
DocumentManager docMan = new DocumentManager();
docMan.createDocument(doc);
// Get uploading User
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
User uploader = userSession.getUser();
// Create a notification to all in the group
NotificationManager notificationMan = new NotificationManager();
groupMan = new GroupManager();
List<User> groupUsers = groupMan.getGroupUsers(groupId);
for (User u : groupUsers) {
Notification notification =
new Notification(
u.getId(),
u,
groupId,
null,
"User " + uploader.getFullName() + " has uploaded a document",
"/document/document?documentId=" + doc.getId());
notificationMan.createNotification(notification);
}
}
} catch (Exception e) {
logger.log(Level.SEVERE, "Document save error", e);
}
redirectToLocal(req, res, "/group/discussion/?threadId=" + thread.getId());
return;
}
httpNotFound(req, res);
}
/**
* Displays a given Meeting page for a HTTP Get, or creates a new Meeting for a HTTP Post
*
* <p>- Requires a cookie for the session user - Requires a meetingId request parameter for a GET
* - Requires description, createdByUserId, datepicker, meetingTime, groupId request parameters
* for a POST
*
* @param req The HTTP Request
* @param res The HTTP Response
*/
public void meetingAction(HttpServletRequest req, HttpServletResponse res) {
// Ensure there is a cookie for the session user
if (AccountController.redirectIfNoCookie(req, res)) return;
Map<String, Object> viewData = new HashMap<String, Object>();
viewData.put("title", "Meeting");
// Initialise Manager connections
MeetingManager meetingMan = new MeetingManager();
GroupManager groupMan = new GroupManager();
if (req.getMethod() == HttpMethod.Get) {
// Get request parameter
int meetingId = Integer.parseInt(req.getParameter("meetingId"));
Meeting meeting = meetingMan.get(meetingId);
if (meeting != null) {
List<User> meetingUsers = groupMan.getGroupUsers(meeting.getGroupId());
viewData.put("meetingUsers", meetingUsers);
viewData.put("meeting", meeting);
view(req, res, "/views/group/Meeting.jsp", viewData);
} else {
httpNotFound(req, res);
}
} else if (req.getMethod() == HttpMethod.Post) {
// Get details from request
String description = req.getParameter("description");
int createdByUserId = Integer.parseInt(req.getParameter("createdByUserId"));
Date dateCreated = new Date();
String meetingDate = req.getParameter("datepicker");
String meetingTime = req.getParameter("meetingTime");
// Parse meeting date time details
DateFormat format = new SimpleDateFormat("MM/dd/yyyy HH:mm");
Date dateDue = new Date();
try {
dateDue = format.parse(meetingDate + " " + meetingTime);
} catch (ParseException e) {
// Unable to parse date. This shouldn't happen since we are
// performing javascript validation.
}
int groupId = Integer.parseInt(req.getParameter("groupId"));
// Create a Meeting
Meeting meeting = new Meeting();
meeting.setDescription(description);
meeting.setCreatedByUserId(createdByUserId);
meeting.setDateCreated(dateCreated);
meeting.setDateDue(dateDue);
meeting.setGroupId(groupId);
meetingMan.createMeeting(meeting);
int meetingId = meetingMan.getIdFor(meeting);
meeting.setId(meetingId);
UserManager userMan = new UserManager();
User createdByUser = userMan.get(createdByUserId);
// Create a notification for all users in group
NotificationManager notificationMan = new NotificationManager();
List<User> users = groupMan.getGroupUsers(groupId);
for (User u : users) {
Notification notification =
new Notification(
u.getId(),
u,
groupId,
null,
"Meeting " + description + " was created by " + createdByUser.getFullName(),
"/group/meeting?meetingId=" + meetingId);
notificationMan.createNotification(notification);
}
// Update the User Session to show new meeting
HttpSession session = req.getSession();
Session userSession = (Session) session.getAttribute("userSession");
User admin = userSession.getUser();
admin.getMeetings().add(meeting);
// Show meeting page
viewData.put("meetingUsers", users);
viewData.put("meeting", meeting);
view(req, res, "/views/group/Meeting.jsp", viewData);
}
}