Added parameter validation, bumped to 0.3.2

138ae855 · Ted Trask · 48a8fe99 · 138ae855 · 138ae855 · 138ae855
Commit 138ae855 authored Aug 28, 2009 by Ted Trask
Hide whitespace changes
Inline Side-by-side

Showing with 142 additions and 34 deletions

Makefile Makefile +1 -1

weblog-model.lua weblog-model.lua +133 -31

weblog-viewblocklog-html.lsp weblog-viewblocklog-html.lsp +7 -1

weblog.menu weblog.menu +1 -1

No files found.
--- a/Makefile
+++ b/Makefile
 APP_NAME=weblog
 PACKAGE=acf-$(APP_NAME)
-VERSION=0.3.1
+VERSION=0.3.2

 APP_DIST=\
 	weblog*	\

--- a/weblog-model.lua
+++ b/weblog-model.lua
@@ -487,6 +487,20 @@ local listusagestats = function()
 	return entries
 end

+local testdatabaseentry = function(datatype, value)
+	local success = true
+	local errtxt
+	local sql = "CREATE TEMP TABLE testing ( test "..escape(datatype).." DEFAULT '"..escape(value).."' ) ON COMMIT DROP"
+	local res, err = pcall(function()
+		assert (con:execute(sql))
+	end)
+	if not res then
+		success = false
+		errtxt = string.gsub(err or "", "\n.*", "")
+	end
+	return success, errtxt
+end
+
 local printtableentries = function(tablename)
 	-- retrieve a cursor
 	local count = 0
@@ -898,7 +912,7 @@ function getnewwatchlistentry()
 	return cfe({ type="group", value=watch, label="Watchlist Entry" })
 end

-function createwatchlistentry(watch)
+local function validatewatchlistentry(watch)
 	local success = true
 	for i,name in ipairs({"clientuserid", "expiredatetime"}) do
 		if watch.value[name].value == "" then
@@ -906,28 +920,48 @@ function createwatchlistentry(watch)
 			success = false
 		end
 	end
+	if not watch.value.expiredatetime.errtxt then
+		local res, err = pcall(function()
+			databaseconnect(DatabaseUser)
+			local s
+			s,watch.value.expiredatetime.errtxt = testdatabaseentry("TIMESTAMP", watch.value.expiredatetime.value)
+			databasedisconnect()
+			success = success and s
+		end)
+		if not res and err then
+			watch.value.expiredatetime.errtxt = err
+			success = false
+		end
+	end
+	return success
+end
+
+function createwatchlistentry(watch)
 	watch.value.clientuserid.value = watch.value.clientuserid.value:lower()
 	watch.errtxt = "Failed to create watchlist entry"
-	local res, err = pcall(function()
-		databaseconnect(DatabaseUser)
-		local watchlist = listwatchlistentries() or {}
-		for i,w in ipairs(watchlist) do
-			if w.clientuserid == watch.value.clientuserid.value then
-				watch.value.clientuserid.errtxt = "User ID already exists"
-				success = false
-				break
+	local success = validatewatchlistentry(watch)
+	if success then
+		local res, err = pcall(function()
+			databaseconnect(DatabaseUser)
+			local watchlist = listwatchlistentries() or {}
+			for i,w in ipairs(watchlist) do
+				if w.clientuserid == watch.value.clientuserid.value then
+					watch.value.clientuserid.errtxt = "User ID already exists"
+					success = false
+					break
+				end
 			end
-		end
-		if success then
-			local count = importwatchlistentry(watch.value.clientuserid.value, watch.value.expiredatetime.value)
-			if count > 0 then
-				watch.errtxt = nil
+			if success then
+				local count = importwatchlistentry(watch.value.clientuserid.value, watch.value.expiredatetime.value)
+				if count > 0 then
+					watch.errtxt = nil
+				end
 			end
+			databasedisconnect()
+		end)
+		if not res and err then
+			watch.errtxt = watch.errtxt .. "\n" .. err
 		end
-		databasedisconnect()
-	end)
-	if not res and err then
-		watch.errtxt = watch.errtxt .. "\n" .. err
 	end

 	return watch
@@ -951,6 +985,42 @@ function deletewatchlistent(clientuserid)
 	return result
 end

+local validateparameters = function(params)
+	local success = true
+	if params.clientip.value ~= "" and string.find(params.clientip.value, "[^%d%.]") then
+		params.clientip.errtxt = "Invalid IP Address"
+		success = false
+	end
+	if params.window.value ~= "" and not validator.is_integer(params.window.value) then
+		params.window.errtxt = "Must be an integer"
+		success = false
+	end
+	local res, err = pcall(function()
+		databaseconnect(DatabaseUser)
+		local s
+		if params.starttime.value ~= "" then
+			s,params.starttime.errtxt = testdatabaseentry("TIMESTAMP", params.starttime.value)
+			success = success and s
+		end
+		if params.endtime.value ~= "" then
+			s,params.endtime.errtxt = testdatabaseentry("TIMESTAMP", params.endtime.value)
+			success = success and s
+		end
+		if params.focus.value ~= "" then
+			s,params.focus.errtxt = testdatabaseentry("TIMESTAMP", params.focus.value)
+			success = success and s
+		end
+		databasedisconnect()
+	end)
+	if not res and err then
+		params.starttime.errtxt = err
+		params.endtime.errtxt = err
+		params.focus.errtxt = err
+		success = false
+	end
+	return success
+end
+
 local handleparameters = function(clientuserid, starttime, endtime, clientip, focus)
 	local result = {}
 	result.clientuserid = cfe({ value=clientuserid or "", label="User ID" })
@@ -958,7 +1028,7 @@ local handleparameters = function(clientuserid, starttime, endtime, clientip, fo
 	result.endtime = cfe({ value=endtime or "", label="End Time" })
 	result.clientip = cfe({ value=clientip or "", label="Client IP" })
 	result.window = cfe({ value=config.window or "5", label="Time Window" })
-	result.focus = cfe({ value=focus or "", label="Time Window" })
+	result.focus = cfe({ value=focus or "", label="Focus Time" })
 	return result
 end

@@ -969,11 +1039,16 @@ function getweblog(clientuserid, starttime, endtime, clientip, focus)
 	end
 	local result = handleparameters(clientuserid, starttime, endtime, clientip, focus)
 	result.log = cfe({ type="list", value={}, label="Weblog Access Log" })
-	local res, err = pcall(function()
-		databaseconnect(DatabaseUser)
-		result.log.value = listpubweblogentries(clientuserid, starttime, endtime, clientip) or {}
-		databasedisconnect()
-	end)
+	local success = validateparameters(result)
+	if success then
+		local res, err = pcall(function()
+			databaseconnect(DatabaseUser)
+			result.log.value = listpubweblogentries(clientuserid, starttime, endtime, clientip) or {}
+			databasedisconnect()
+		end)
+	else
+		err = "Invalid search parameters"
+	end
 	return cfe({ type="group", value=result, errtxt=err, label="Weblog Access Log" })
 end

@@ -984,11 +1059,16 @@ function getblocklog(clientuserid, starttime, endtime, clientip, focus)
 	end
 	local result = handleparameters(clientuserid, starttime, endtime, clientip, focus)
 	result.log = cfe({ type="list", value={}, label="Weblog Block Log" })
-	local res, err = pcall(function()
-		databaseconnect(DatabaseUser)
-		result.log.value = listpubblocklogentries(clientuserid, starttime, endtime, clientip) or {}
-		databasedisconnect()
-	end)
+	local success = validateparameters(result)
+	if success then
+		local res, err = pcall(function()
+			databaseconnect(DatabaseUser)
+			result.log.value = listpubblocklogentries(clientuserid, starttime, endtime, clientip) or {}
+			databasedisconnect()
+		end)
+	else
+		err = "Invalid search parameters"
+	end
 	return cfe({ type="group", value=result, errtxt=err, label="Weblog Block Log" })
 end

@@ -1048,9 +1128,8 @@ function getconfig()
 	return cfe({ type="group", value=result, label="Weblog Config" })
 end

-function updateconfig(newconfig)
+local function validateconfig(newconfig)
 	local success = modelfunctions.validateselect(newconfig.value.groupby)
-	-- Validating a timestamp is going to be tricky, how about using postgres?
 	if newconfig.value.window.value == "" then
 		newconfig.value.window.errtxt = "Cannot be blank"
 		success = false
@@ -1070,6 +1149,29 @@ function updateconfig(newconfig)
 		newconfig.value.historydays.errtxt = "Must be a number"
 		success = false
 	end 
+	local res, err = pcall(function()
+		databaseconnect(DatabaseUser)
+		local s
+		if newconfig.value.auditstart.value ~= "" then
+			s,newconfig.value.auditstart.errtxt = testdatabaseentry("TIMESTAMP", newconfig.value.auditstart.value)
+			success = success and s
+		end
+		if newconfig.value.auditend.value ~= "" then
+			s,newconfig.value.auditend.errtxt = testdatabaseentry("TIMESTAMP", newconfig.value.auditend.value)
+			success = success and s
+		end
+		databasedisconnect()
+	end)
+	if not res and err then
+		newconfig.value.auditstart.errtxt = err
+		newconfig.value.auditend.errtxt = err
+		success = false
+	end
+	return newconfig
+end
+
+function updateconfig(newconfig)
+	local success = validateconfig(newconfig)
 	if success then
 		configcontent = format.update_ini_file(configcontent, "", "auditstart", newconfig.value.auditstart.value)
 		configcontent = format.update_ini_file(configcontent, "", "auditend", newconfig.value.auditend.value)

--- a/weblog-viewblocklog-html.lsp
+++ b/weblog-viewblocklog-html.lsp
@@ -13,23 +13,29 @@
 <% end %>

 <H1>Search Parameters</H1>
+<% if data.errtxt then %><p class="error"><%= html.html_escape(data.errtxt) %></p><% end %>
 <form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
 <DL>
 <DT>Start Time</DT>
 <DD><%= html.html_escape(data.value.starttime.value) %>
 <input class="text" type="text" name="starttime" value="<%= html.html_escape(data.value.starttime.value) %>" >
+<% if data.value.starttime.errtxt then %><p class="error"><%= html.html_escape(data.value.starttime.errtxt) %></p><% end %>
 </DD>
 <DT>User ID</DT>
 <DD><%= html.html_escape(data.value.clientuserid.value) %>
 <input class="text" type="text"  name="clientuserid"  value="<%= html.html_escape(data.value.clientuserid.value) %>" >
+<% if data.value.clientuserid.errtxt then %><p class="error"><%= html.html_escape(data.value.clientuserid.errtxt) %></p><% end %>
 </DD>
 <DT>Client IP</DT>
 <DD><%= html.html_escape(data.value.clientip.value) %>
 <input class="text" type="text"  name="clientip"  value="<%= html.html_escape(data.value.clientip.value) %>" >
+<% if data.value.clientip.errtxt then %><p class="error"><%= html.html_escape(data.value.clientip.errtxt) %></p><% end %>
 </DD>
 <DT>End Time</DT>
-<DD><%= html.html_escape(data.value.endtime.value) %>
+<DD><%= html.html_escape(data.value.endtime
+.value) %>
 <input class="text" type="text"  name="endtime"  value="<%= html.html_escape(data.value.endtime.value) %>" >
+<% if data.value.endtime.errtxt then %><p class="error"><%= html.html_escape(data.value.endtime.errtxt) %></p><% end %>
 </DD>
 <DT></DT><DD><input class="submit" type="submit" name="Update" value="Update"></DD>
 </DL>

--- a/weblog.menu
+++ b/weblog.menu
 #CAT  		GROUP/DESC		TAB		ACTION
+Applications 	41Weblog		Status		status
 Applications 	41Weblog		Audit		viewauditstats
 Applications 	41Weblog		Config		config
 Applications 	41Weblog		Watch_List	viewwatchlist
@@ -6,4 +7,3 @@ Applications 	41Weblog		Sources		listsources
 Applications 	41Weblog		Usage		viewusagestats
 Applications 	41Weblog		History		viewactivitylog
 Applications 	41Weblog		Ad-Hoc_Query	adhocquery
-Applications 	41Weblog		Status		status