Commit 138ae855 authored by Ted Trask's avatar Ted Trask

Added parameter validation, bumped to 0.3.2

parent 48a8fe99
APP_NAME=weblog
PACKAGE=acf-$(APP_NAME)
VERSION=0.3.1
VERSION=0.3.2
APP_DIST=\
weblog* \
......
......@@ -487,6 +487,20 @@ local listusagestats = function()
return entries
end
local testdatabaseentry = function(datatype, value)
local success = true
local errtxt
local sql = "CREATE TEMP TABLE testing ( test "..escape(datatype).." DEFAULT '"..escape(value).."' ) ON COMMIT DROP"
local res, err = pcall(function()
assert (con:execute(sql))
end)
if not res then
success = false
errtxt = string.gsub(err or "", "\n.*", "")
end
return success, errtxt
end
local printtableentries = function(tablename)
-- retrieve a cursor
local count = 0
......@@ -898,7 +912,7 @@ function getnewwatchlistentry()
return cfe({ type="group", value=watch, label="Watchlist Entry" })
end
function createwatchlistentry(watch)
local function validatewatchlistentry(watch)
local success = true
for i,name in ipairs({"clientuserid", "expiredatetime"}) do
if watch.value[name].value == "" then
......@@ -906,28 +920,48 @@ function createwatchlistentry(watch)
success = false
end
end
if not watch.value.expiredatetime.errtxt then
local res, err = pcall(function()
databaseconnect(DatabaseUser)
local s
s,watch.value.expiredatetime.errtxt = testdatabaseentry("TIMESTAMP", watch.value.expiredatetime.value)
databasedisconnect()
success = success and s
end)
if not res and err then
watch.value.expiredatetime.errtxt = err
success = false
end
end
return success
end
function createwatchlistentry(watch)
watch.value.clientuserid.value = watch.value.clientuserid.value:lower()
watch.errtxt = "Failed to create watchlist entry"
local res, err = pcall(function()
databaseconnect(DatabaseUser)
local watchlist = listwatchlistentries() or {}
for i,w in ipairs(watchlist) do
if w.clientuserid == watch.value.clientuserid.value then
watch.value.clientuserid.errtxt = "User ID already exists"
success = false
break
local success = validatewatchlistentry(watch)
if success then
local res, err = pcall(function()
databaseconnect(DatabaseUser)
local watchlist = listwatchlistentries() or {}
for i,w in ipairs(watchlist) do
if w.clientuserid == watch.value.clientuserid.value then
watch.value.clientuserid.errtxt = "User ID already exists"
success = false
break
end
end
end
if success then
local count = importwatchlistentry(watch.value.clientuserid.value, watch.value.expiredatetime.value)
if count > 0 then
watch.errtxt = nil
if success then
local count = importwatchlistentry(watch.value.clientuserid.value, watch.value.expiredatetime.value)
if count > 0 then
watch.errtxt = nil
end
end
databasedisconnect()
end)
if not res and err then
watch.errtxt = watch.errtxt .. "\n" .. err
end
databasedisconnect()
end)
if not res and err then
watch.errtxt = watch.errtxt .. "\n" .. err
end
return watch
......@@ -951,6 +985,42 @@ function deletewatchlistent(clientuserid)
return result
end
local validateparameters = function(params)
local success = true
if params.clientip.value ~= "" and string.find(params.clientip.value, "[^%d%.]") then
params.clientip.errtxt = "Invalid IP Address"
success = false
end
if params.window.value ~= "" and not validator.is_integer(params.window.value) then
params.window.errtxt = "Must be an integer"
success = false
end
local res, err = pcall(function()
databaseconnect(DatabaseUser)
local s
if params.starttime.value ~= "" then
s,params.starttime.errtxt = testdatabaseentry("TIMESTAMP", params.starttime.value)
success = success and s
end
if params.endtime.value ~= "" then
s,params.endtime.errtxt = testdatabaseentry("TIMESTAMP", params.endtime.value)
success = success and s
end
if params.focus.value ~= "" then
s,params.focus.errtxt = testdatabaseentry("TIMESTAMP", params.focus.value)
success = success and s
end
databasedisconnect()
end)
if not res and err then
params.starttime.errtxt = err
params.endtime.errtxt = err
params.focus.errtxt = err
success = false
end
return success
end
local handleparameters = function(clientuserid, starttime, endtime, clientip, focus)
local result = {}
result.clientuserid = cfe({ value=clientuserid or "", label="User ID" })
......@@ -958,7 +1028,7 @@ local handleparameters = function(clientuserid, starttime, endtime, clientip, fo
result.endtime = cfe({ value=endtime or "", label="End Time" })
result.clientip = cfe({ value=clientip or "", label="Client IP" })
result.window = cfe({ value=config.window or "5", label="Time Window" })
result.focus = cfe({ value=focus or "", label="Time Window" })
result.focus = cfe({ value=focus or "", label="Focus Time" })
return result
end
......@@ -969,11 +1039,16 @@ function getweblog(clientuserid, starttime, endtime, clientip, focus)
end
local result = handleparameters(clientuserid, starttime, endtime, clientip, focus)
result.log = cfe({ type="list", value={}, label="Weblog Access Log" })
local res, err = pcall(function()
databaseconnect(DatabaseUser)
result.log.value = listpubweblogentries(clientuserid, starttime, endtime, clientip) or {}
databasedisconnect()
end)
local success = validateparameters(result)
if success then
local res, err = pcall(function()
databaseconnect(DatabaseUser)
result.log.value = listpubweblogentries(clientuserid, starttime, endtime, clientip) or {}
databasedisconnect()
end)
else
err = "Invalid search parameters"
end
return cfe({ type="group", value=result, errtxt=err, label="Weblog Access Log" })
end
......@@ -984,11 +1059,16 @@ function getblocklog(clientuserid, starttime, endtime, clientip, focus)
end
local result = handleparameters(clientuserid, starttime, endtime, clientip, focus)
result.log = cfe({ type="list", value={}, label="Weblog Block Log" })
local res, err = pcall(function()
databaseconnect(DatabaseUser)
result.log.value = listpubblocklogentries(clientuserid, starttime, endtime, clientip) or {}
databasedisconnect()
end)
local success = validateparameters(result)
if success then
local res, err = pcall(function()
databaseconnect(DatabaseUser)
result.log.value = listpubblocklogentries(clientuserid, starttime, endtime, clientip) or {}
databasedisconnect()
end)
else
err = "Invalid search parameters"
end
return cfe({ type="group", value=result, errtxt=err, label="Weblog Block Log" })
end
......@@ -1048,9 +1128,8 @@ function getconfig()
return cfe({ type="group", value=result, label="Weblog Config" })
end
function updateconfig(newconfig)
local function validateconfig(newconfig)
local success = modelfunctions.validateselect(newconfig.value.groupby)
-- Validating a timestamp is going to be tricky, how about using postgres?
if newconfig.value.window.value == "" then
newconfig.value.window.errtxt = "Cannot be blank"
success = false
......@@ -1070,6 +1149,29 @@ function updateconfig(newconfig)
newconfig.value.historydays.errtxt = "Must be a number"
success = false
end
local res, err = pcall(function()
databaseconnect(DatabaseUser)
local s
if newconfig.value.auditstart.value ~= "" then
s,newconfig.value.auditstart.errtxt = testdatabaseentry("TIMESTAMP", newconfig.value.auditstart.value)
success = success and s
end
if newconfig.value.auditend.value ~= "" then
s,newconfig.value.auditend.errtxt = testdatabaseentry("TIMESTAMP", newconfig.value.auditend.value)
success = success and s
end
databasedisconnect()
end)
if not res and err then
newconfig.value.auditstart.errtxt = err
newconfig.value.auditend.errtxt = err
success = false
end
return newconfig
end
function updateconfig(newconfig)
local success = validateconfig(newconfig)
if success then
configcontent = format.update_ini_file(configcontent, "", "auditstart", newconfig.value.auditstart.value)
configcontent = format.update_ini_file(configcontent, "", "auditend", newconfig.value.auditend.value)
......
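Review bot: As rendered, `validateconfig` ends with `return newconfig` instead of `return success`, so `local success = validateconfig(newconfig)` in `updateconfig` is always a truthy table and the ini file is written even when a field was flagged with errtxt; change it to `return success`, matching what `validatewatchlistentry` does above. Separately, in `getweblog` and `getblocklog` the `local res, err` from the `pcall` now lives inside `if success then … end`, so the `err` read by `cfe({ …, errtxt=err, … })` after the block is a global (unless an earlier `local err` exists above the hunk): database errors are silently dropped on the success path, and `err = "Invalid search parameters"` on the failure path sets a module-wide global that persists into later requests; declare `local res, err` before the `if` and assign with `res, err = pcall(function()`. In `testdatabaseentry` the `datatype` argument is spliced into the DDL unquoted, so `escape()` cannot make it safe; every caller passes the literal `"TIMESTAMP"`, so either whitelist it against a small table of allowed type names or record that contract with `-- datatype must be a literal SQL type name chosen by the caller, never request input`. The bodies of `updateconfig`, `getweblog` and `getblocklog` continue outside their hunks.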
......@@ -13,23 +13,29 @@
<% end %>
<H1>Search Parameters</H1>
<% if data.errtxt then %><p class="error"><%= html.html_escape(data.errtxt) %></p><% end %>
<form action="<%= html.html_escape(page_info.script .. page_info.prefix .. page_info.controller .. "/" .. page_info.action) %>" method="POST">
<DL>
<DT>Start Time</DT>
<DD><%= html.html_escape(data.value.starttime.value) %>
<input class="text" type="text" name="starttime" value="<%= html.html_escape(data.value.starttime.value) %>" >
<% if data.value.starttime.errtxt then %><p class="error"><%= html.html_escape(data.value.starttime.errtxt) %></p><% end %>
</DD>
<DT>User ID</DT>
<DD><%= html.html_escape(data.value.clientuserid.value) %>
<input class="text" type="text" name="clientuserid" value="<%= html.html_escape(data.value.clientuserid.value) %>" >
<% if data.value.clientuserid.errtxt then %><p class="error"><%= html.html_escape(data.value.clientuserid.errtxt) %></p><% end %>
</DD>
<DT>Client IP</DT>
<DD><%= html.html_escape(data.value.clientip.value) %>
<input class="text" type="text" name="clientip" value="<%= html.html_escape(data.value.clientip.value) %>" >
<% if data.value.clientip.errtxt then %><p class="error"><%= html.html_escape(data.value.clientip.errtxt) %></p><% end %>
</DD>
<DT>End Time</DT>
<DD><%= html.html_escape(data.value.endtime.value) %>
<DD><%= html.html_escape(data.value.endtime
.value) %>
<input class="text" type="text" name="endtime" value="<%= html.html_escape(data.value.endtime.value) %>" >
<% if data.value.endtime.errtxt then %><p class="error"><%= html.html_escape(data.value.endtime.errtxt) %></p><% end %>
</DD>
<DT></DT><DD><input class="submit" type="submit" name="Update" value="Update"></DD>
</DL>
......
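Review bot: The new End Time line splits the expression across two lines as `html.html_escape(data.value.endtime` / `.value) %>`, which is valid inside the `<%= %>` tag but reads like an accidental line break and differs from the three identical lines above it; rejoin it as `<DD><%= html.html_escape(data.value.endtime.value) %>`. The added per-field error paragraphs are escaped consistently with the existing `data.errtxt` output, which is the right pattern.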
#CAT GROUP/DESC TAB ACTION
Applications 41Weblog Status status
Applications 41Weblog Audit viewauditstats
Applications 41Weblog Config config
Applications 41Weblog Watch_List viewwatchlist
......@@ -6,4 +7,3 @@ Applications 41Weblog Sources listsources
Applications 41Weblog Usage viewusagestats
Applications 41Weblog History viewactivitylog
Applications 41Weblog Ad-Hoc_Query adhocquery
Applications 41Weblog Status status