Revision 441
Added by bojilova over 23 years ago
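--- a/DBQuery.java
+++ b/DBQuery.java
@@ -35,6 +35,10 @@
 */
 public class DBQuery {
 
+static final int ALL = 1;
+static final int WRITE = 2;
+static final int READ = 4;
+
 private Connection conn = null;
 private String parserName = null;
 
@@ -65,7 +69,7 @@
 DBQuery queryobj = new DBQuery(dbconn, util.getOption("saxparser"));
 FileReader xml = new FileReader(new File(xmlfile));
 Hashtable nodelist = null;
-nodelist = queryobj.findDocuments(xml);
+nodelist = queryobj.findDocuments(xml, null, null);
 
 // Print the reulting document listing
 StringBuffer result = new StringBuffer();
@@ -117,7 +121,7 @@
 *
 * @param xmlquery the xml serialization of the query (@see pathquery.dtd)
 */
-public Hashtable findDocuments(Reader xmlquery) {
+public Hashtable findDocuments(Reader xmlquery, String user, String group) {
 Hashtable docListResult = new Hashtable();
 PreparedStatement pstmt;
 String docid = null;
@@ -143,6 +147,7 @@
 boolean tableHasRows = rs.next();
 while (tableHasRows) {
 docid = rs.getString(1);
+if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
 docname = rs.getString(2);
 doctype = rs.getString(3);
 doctitle = rs.getString(4);
@@ -186,6 +191,7 @@
 while(tableHasRows)
 {
 docid = rs.getString(1);
+if ( !hasReadPermission(conn, docid, user, group) ) {continue;}
 fieldname = rs.getString(2);
 fielddata = rs.getString(3);
 
@@ -478,10 +484,120 @@
 public static String createQuery(String value) {
 return createQuery(value, "any");
 }
+
+/** Check for "read" permissions from DB connection */
+private boolean hasReadPermission(Connection conn, String docid,
+String user, String group)
+throws SQLException {
+// b' of the command line invocation
+if ( (user == null) && (group == null) ) {
+return true;
+}
+
+PreparedStatement pstmt;
+// checking if user is owner of docid or if docid has public access
+try {
+pstmt = conn.prepareStatement(
+"SELECT 'x' FROM xml_documents " +
+"WHERE docid LIKE ? AND user_owner LIKE ? " +
+"UNION " +
+"SELECT 'x' FROM xml_documents " +
+"WHERE docid LIKE ? AND public_access = 1");
+// Bind the values to the query
+pstmt.setString(1, docid);
+pstmt.setString(2, user);
+pstmt.setString(3, docid);
+
+pstmt.execute();
+ResultSet rs = pstmt.getResultSet();
+boolean hasRow = rs.next();
+pstmt.close();
+if (hasRow) {
+return true;
+}
+
+} catch (SQLException e) {
+throw new
+SQLException("Error checking document's owner or public access: "
++ e.getMessage());
+}
+
+// checking if docid has public access at this time
+try {
+pstmt = conn.prepareStatement(
+"SELECT 'x' FROM xml_access " +
+"WHERE docid LIKE ? " +
+"AND principal_name = 'public' " +
+"AND principal_type = 'user' " +
+"AND sysdate BETWEEN nvl(begin_time,sysdate) " +
+"AND nvl(end_time,sysdate)");
+// Bind the values to the query
+pstmt.setString(1, docid);
+
+pstmt.execute();
+ResultSet rs = pstmt.getResultSet();
+boolean hasRow = rs.next();
+pstmt.close();
+if (hasRow) {
+return true;
+}
+
+} catch (SQLException e) {
+throw new
+SQLException("Error checking doc's public access: " + e.getMessage());
+}
+
+// checking access type from xml_access table
+int accesstype = 0;
+try {
+pstmt = conn.prepareStatement(
+"SELECT access_type FROM xml_access " +
+"WHERE docid LIKE ? " +
+"AND principal_name LIKE ? " +
+"AND principal_type = 'user' " +
+"AND sysdate BETWEEN nvl(begin_time,sysdate) " +
+"AND nvl(end_time,sysdate) " +
+"UNION " +
+"SELECT access_type FROM xml_access " +
+"WHERE docid LIKE ? " +
+"AND principal_name LIKE ? " +
+"AND principal_type = 'group' " +
+"AND sysdate BETWEEN nvl(begin_time,sysdate) " +
+"AND nvl(end_time,sysdate)");
+// Bind the values to the query
+pstmt.setString(1, docid);
+pstmt.setString(2, user);
+pstmt.setString(3, docid);
+pstmt.setString(2, group);
+
+pstmt.execute();
+ResultSet rs = pstmt.getResultSet();
+boolean hasRows = rs.next();
+while ( hasRows ) {
+accesstype = rs.getInt(1);
+if ( (accesstype & READ) == READ ) {
+pstmt.close();
+return true;
+}
+hasRows = rs.next();
+}
+
+pstmt.close();
+return false;
+
+} catch (SQLException e) {
+throw new
+SQLException("Error getting document's permissions: " + e.getMessage());
+}
+}
+
 }
 
 /**
 * '$Log$
+* 'Revision 1.18 2000/09/05 20:50:56 berkley
+* 'Added a method called getNodeContent which retrieves the content of a node in a document. If there are more than one nodes with the same name returned, it returns an array with all of the data.
+* '
 * 'Revision 1.17 2000/08/31 21:20:39 berkley
 * 'changed xslf for new returnfield scheme. the returnfields are now returned as <param name="<returnfield>"> tags.
 * 'hThe sql for the returnfield query was redone to fix a previous problem with slow queries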
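Review bot: The fourth placeholder of the xml_access query at new line 571 is never bound — `pstmt.setString(2, group);` overwrites the user binding instead of filling parameter 4, so the group half of the UNION has no value and the statement will fail (on most drivers with a missing-parameter SQLException, surfaced as "Error getting document's permissions") for any document the caller neither owns nor has public access to; the line should read `pstmt.setString(4, group);`. The `continue` added at new lines 150 and 194 also skips whatever advances `tableHasRows` at the bottom of each loop (that part of findDocuments lies outside the hunk); if it is `tableHasRows = rs.next();` as the loop head suggests, the first unreadable document makes the loop spin forever on the same row, so the guard should advance the cursor first: `if ( !hasReadPermission(conn, docid, user, group) ) { tableHasRows = rs.next(); continue; }`. Comparing docid, user_owner and principal_name with `LIKE ?` rather than `= ?` lets a principal or document name containing `%` or `_` match more rows than intended in what is an authorization check; exact equality is the safer comparison here. Each branch also leaves its ResultSet unclosed and rethrows only `e.getMessage()`, dropping the original SQLState and cause, which is worth a follow-up.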
added check for "read" permission on "query" and "squery" actions
for connected user or for "public" connection