
Revision 661

Added by berkley almost 24 years ago

fixed bug in data file permission checking. (committed wrong file last time)


src/edu/ucsb/nceas/metacat/MetaCatServlet.java
286 286
    else if (action.equals("read")) {
287 287
      //PrintWriter out = response.getWriter();
288 288
      try {
289
        handleReadAction(/*out,*/ params, response);
289
        handleReadAction(/*out,*/ params, response, username);
290 290
      } catch (ClassNotFoundException e) {
291 291
        System.out.println(e.getMessage());
292 292
      } catch (SQLException se) {
......
943 943
   * possibly transformed from XML into HTML
944 944
   */
945 945
  private void handleReadAction(/*PrintWriter out,*/ Hashtable params, 
946
               HttpServletResponse response) 
946
               HttpServletResponse response, String username) 
947 947
               throws ClassNotFoundException, IOException, SQLException 
948 948
  {
949 949
     PrintWriter out;
......
952 952
      if(params.containsKey(new String("qformat")) && 
953 953
         ((String[])params.get("qformat"))[0].equals("bin"))
954 954
      {
955
        handleGetData(params, response);
955
        handleGetData(params, response, username);
956 956
      }
957 957
      else
958 958
      {
......
971 971
   * Handle the read of a data file.
972 972
   */
973 973
  private void handleGetData(Hashtable params, 
974
                             HttpServletResponse response)
974
                             HttpServletResponse response, String username)
975 975
  {
976 976
    String docid = null;
977 977
    try
......
994 994
    
995 995
    try
996 996
    {
997
      ServletOutputStream sosout = response.getOutputStream();
998
      response.setContentType("application/octet-stream");
999 997
      StringBuffer sql = new StringBuffer();
1000 998
      sql.append("select docname from xml_documents where docid like '");
1001 999
      sql.append(docid).append("'");
1002 1000
      conn = util.openDBConnection();
1001
      
1002
      AccessControlList aclobj = new AccessControlList(conn);
1003
      boolean hasPermission = aclobj.hasPermission("READ",username,docid);
1004
      
1005
      if(!hasPermission)
1006
      {
1007
        response.setContentType("text/html");
1008
        PrintWriter out = response.getWriter();
1009
        out.println("Error: you do not have permission to view this document");
1010
        return;
1011
      }
1012
      response.setContentType("application/octet-stream");
1013
      ServletOutputStream sosout = response.getOutputStream(); 
1003 1014
      PreparedStatement pstmt = conn.prepareStatement(sql.toString());
1004 1015
      pstmt.execute();
1005 1016
      ResultSet rs = pstmt.getResultSet();
......
1014 1025
        }
1015 1026
        f = new File(filepath + rs.getString(1)); 
1016 1027
        fin = new FileInputStream(f);
1028
        
1017 1029
        int b = fin.read();
1018 1030
        while(b != -1)
1019 1031
        {
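Review bot: The permission-denied branch added at new lines 1005-1011 answers with a 200 response carrying an HTML error string instead of an HTTP error status, so clients and proxies cannot distinguish a refused data-file read from a successful one, and the stray `text/html` content type is only set on that path. The three body lines of the `if(!hasPermission)` block should be `response.sendError(HttpServletResponse.SC_FORBIDDEN, "Error: you do not have permission to view this document");` followed by `return;`. The early `return` also happens after `conn = util.openDBConnection()` on the line above the check; whether that connection is returned or closed depends on a finally clause that lies outside the hunk, so it is worth confirming the denied path does not leak it. The `username` value passed to `hasPermission` comes from the caller chain added in the earlier hunks and it is not visible here whether it can be null for an unauthenticated request; the enclosing try block and the handleGetData method both continue beyond the hunk.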

Also available in: Unified diff