I have a function in which I would like to check if a user can set a lock on document. If so I know the user can edit the document.
public boolean canWriteDocument(String docId, String userName) {
boolean canWrite = false;
Session session = null;
session = getCurrentSession();
try {
Database db = session.getDatabase("", this.activeDb);
if (db.isDocumentLockingEnabled()) {
//Document locking is enabled
Document doc = db.getDocumentByUNID(docId);
if (doc.lock(userName)) {
canWrite = true;
System.out.println("document can be locked by user");
doc.unlock();
} else {
System.out.println("document can NOT be locked by user");
}
} else {
//Document locking is NOT enabled
}
} catch (NotesException e) {
// fail silently
System.out.println("failure docLock");
//e.printStackTrace();
}
return canWrite;
}
I call the function as followed:
canWriteDocument("99DE330A432849AFC125803400313C73", "CN=John Doe/O=quintessens")
However there must be something wrong because when the user (with ACL Author access level) is not listed in the field of type Authors it returns true.
When I lower the ACL access level to Reader the returned value is still true.
Anyone can explain why this is happening?
It may be that the database access level is cached within the server. Try rebooting the server (if it's a development environment) or testing with a brand new user that has never been in the ACL before.
If Database.queryAccess() is also not correct, that would confirm caching is the issue.
(It's possible that the two ways of checking access work differently under the hood, so if queryAccess() returns the correct value, it may not categorically mean the database locking option should.)
Related
I am getting a high severity issue in this method:
public void recordBadLogin(final String uid, final String reason, final String ip) throws DataAccessException {
if (Utils.isEmpty(uid)) {
throw new DataAccessException("User information needed to update , Empty user information passed");
}
try {
String sql = (String) this.queries.get(IUtilDAO.queryKeyPrefix + UtilDAO.RECORD_FAILED_LOGIN);
Map<String, Object> paramMap = new HashMap<String, Object>();
paramMap.put("uid", uid.trim());
paramMap.put("reason", (reason != null ? reason.trim() : "Invalid userid/password"));
paramMap.put("ip", ip);
this.namedJdbcTemplate.update(sql, paramMap);
} catch (Exception e) {
throw new DataAccessException("Failed to record bad login for user " + uid, e);
}
}
This line of code is causing the issue:
String sql = (String) this.queries.get(IUtilDAO.queryKeyPrefix + UtilDAO.RECORD_FAILED_LOGIN);
queries is a properties object and the prepared statement is being retrieved given IUtilDAO.queryKeyPrefix + UtilDAO.RECORD_FAILED_LOGIN. And those 2 arguments are constants. Logically I don't see how this can cause an SQL injection issue as the prepared statement is being retrieved from a dictionary. Does anyone have an idea if this is a false positive or if there is an actual vulnerability present?
It's hard to tell from the example given, but I'd guess that the properties object was tainted by untrusted data. Most code flow analysis tools will taint the entire data structure if any untrusted data is placed in it.
Technically this is a "false positive". But architecturally it's something that should be fixed - it's generally a bad idea to mix trusted and untrusted data together in the same data structure. It makes it easy for future developers to misunderstand the status of a particular element, and makes it harder for both humans and tools to code review for security issues.
I am using UnboundID-LDAPSDK (2.3.8) to change the user's photo in our Microsoft Active Directory.
LDAPConnection ldap = null;
try {
ldap = new LDAPConnection("domain-srv", 389, "CN=admin,OU=Users,OU=ADM,DC=domain,DC=local", "password");
SearchResult sr = ldap.search("DC=domain,DC=local", SearchScope.SUB, "(sAMAccountName=" + getUser().getUsername() + ")");
if (sr.getEntryCount() == 1) {
SearchResultEntry entry = sr.getSearchEntries().get(0);
entry.setAttribute("thumbnailPhoto", getUser().getPhotoAsByteArray());
ldap.close();
return true;
} else
return false;
} catch (LDAPException e) {
e.printStackTrace();
}
But I get a java.lang.UnsupportedOperationException.
The documentation for setAttribute states:
Throws an UnsupportedOperationException to indicate that this is a
read-only entry.
I also tried to change the postalCode but I get the same exception.
Changing those attributes should be possible, because I can change them with jXplorer.
Do I have to enable a write-mode somehow?
Thank you
The SearchResultEntry object extends ReadOnlyEntry and is therefore immutable. But even if it weren't, merely calling entry.setAttribute would have no effect on the data in the server. You have to use a modify operation for that.
To do that, you'd need something like:
ModifyRequest modifyRequest = new ModifyRequest(entry.getDN(),
new Modification(ModificationType.REPLACE,
"thumbnailPhoto", getUser().getPhotoAsByteArray());
ldap.modify(modifyRequest);
Also, you should put the call to ldap.close() in a finally block because as the code is written now, you're only closing the connection if the search is successful and returns exactly one entry, but not if the search fails, doesn't match any entries, or the attempt to perform the modify fails.
I have a problem, I have this structure in parse.com in "VerificationCode" db:
When someone inserts a code in my app, it automatically adds in the "attachedUser" column the id of the user who is stored locally and I call it "ParseInstallObject.codigo2" and I get the id of the user for example to see it in a textview, etc.
The problem is that I want to check if the user id exists in parse or not; and if it exists do something or if not exist do another thing.
I used a code that I see in the documentation of parse.com but it always shows that the code exists. This is my code:
ParseQuery<ParseObject> query2 = ParseQuery.getQuery("VerificationCode");
query2.whereEqualTo("attachedUser", ParseInstallObject.codigo2);
query2.findInBackground(new FindCallback<ParseObject>() {
public void done(List<ParseObject> scoreList, ParseException e) {
if (e == null) {
comprobar.setText("exist");
comprobar2.setText("exist");
} else {
comprobar.setText("no exist");
comprobar2.setText("no exist");
}
}
});
How can I see if the user has a valid code or not?
e==null means that the call was successfully completed by the server. It does not imply that the user exists or not.
if(e==null){
if(scoreList == null || scoreList.isEmpty()){
// The user does not exist.
}else{
// the user exists.
}
}else {
// You have an exception (like HTTPTimeout, etc). Handle it as per requirement.
}
When I delete my neo4j database after my tests like this
public static final DatabaseOperation clearDatabaseOperation = new DatabaseOperation() {
#Override public void performOperation(GraphDatabaseService db) {
//This is deprecated on the GraphDatabaseService interface,
// but the alternative is not supported by implementation (RestGraphDatabase)
for (Node node : db.getAllNodes()) {
for (Relationship relationship : node.getRelationships()) {
relationship.delete();
}
boolean notTheRootNode = node.getId() != 0;
if (notTheRootNode) {
node.delete();
}
}
When querying the database through an ajax search (i.e searching on an empty database it returns an internal 500 error)
localhost:9000/search-results?keywords=t 500 Internal Server Error
197ms
However if I delete the database manually like this
start r=relationship(*) delete r;
start n=node(*) delete n;
No exception is thrown
Its most likely an issue with my code at a lower level in the call and return.
Just wandering why the error only works on one of the scenarios above and not both
Use cypher,
you should probably state more obviously that you use the rest-graph-database.
Are you querying after the deletion or during it?
Please check your logs in data/graph.db/messages.log and data/log/console.log to find the error cause.
Perhaps you can also look at the response body of the http-500 request
As per your error I guess your data is getting corrupted after deletion.
I have used same code like yours and deleted the nodes, except I put the Iterator in transaction and shut down the database after opetation.
e.g.
Transaction _tx = _db.beginTx();
try {
for ( your conditions){
Your code
}
_tx.success();
} catch (Exception e) {
_logger.error(e.getMessage());
}finally{
_tx.finish();
_db.shutdown();
graphDbFactory.cleanUp();
}
Hope it will work for you.
The requirement is this: When a user session is expired, call expired.htm page, but on the first connection to the web site, show login.htm.
I tried using a filter but it doesn't work, I'm not able to tell to filter how to understand if it's a new request or an old request expired. This is the code I used:
if (session.getAttribute("userProfile") == null) {
logger.debug("Session: " + ( session.isNew() ? "true" : "false"));
logger.debug(request.getSession().isNew());
if ( request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid() ) {
return new ModelAndView("redirect:expired.htm");
} else {
return new ModelAndView("redirect:login.htm");
}
}
I tried different solutions proposed here on Stack Overflow and on the general internet, but nothing has worked and every request goes to expired.htm.
How do you get the session object? Before doing that, use
if (request.getSession(false)==null) {
// no session present (expired or new visitor)
[... do something ...]
} else {
// active session present
}
You need to use the validation above before use any attribute in the session. Because if the session don't exists you can't get an attribute of it.
You need to put false inside parentesis.
if(request.getSession(false) == null) { //Session don't exists
...
}
Java explain:
public HttpSession getSession(boolean create)
Returns the current HttpSession associated with this request or, if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.
To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.
Parameters:
create - true to create a new session for this request if necessary; false to return null if there's no current session
Returns:
the HttpSession associated with this request or null if create is false and the request has no valid session