diff --git a/init_database2.sql b/init_database2.sql index 20f8d5d..b5b6e9d 100644 --- a/init_database2.sql +++ b/init_database2.sql @@ -10,6 +10,7 @@ -- Clean up old tablequestionquestion DROP TABLE IF EXISTS deans; DROP TABLE IF EXISTS program_coordinator; +DROP TABLE IF EXISTS s_admin; DROP TABLE IF EXISTS questionaire; DROP TABLE IF EXISTS teaching; DROP TABLE IF EXISTS class; @@ -43,7 +44,8 @@ CREATE TABLE module ( CREATE TABLE academic_year ( aca_code INT AUTO_INCREMENT PRIMARY KEY, - aca_name VARCHAR(10) NOT NULL + aca_name VARCHAR(10) UNIQUE NOT NULL, + CHECK (aca_name LIKE "____-____" AND LEFT(aca_name,4)= start_date AND NEW.start_date < end_date) OR + (NEW.end_date > start_date AND NEW.end_date <= end_date) OR + (NEW.start_date <= start_date AND NEW.end_date >= end_date))) > 0 +THEN + SET NEW.faculty_code = NULL; +END IF; +END// +DELIMITER ; + +-- unique program coordinator +DROP TRIGGER IF EXISTS unique_proco; +DELIMITER // +CREATE TRIGGER unique_proco BEFORE INSERT ON program_coordinator +FOR EACH ROW BEGIN +IF + (SELECT count(*) FROM program_coordinator + WHERE NEW.program_code=program_code AND + ((NEW.start_date >= start_date AND NEW.start_date < end_date) OR + (NEW.end_date > start_date AND NEW.end_date <= end_date) OR + (NEW.start_date <= start_date AND NEW.end_date >= end_date))) > 0 +THEN + SET NEW.program_code = NULL; +END IF; +END// +DELIMITER ; + -- ======================Insert Data====================== -- Falcuty @@ -619,6 +659,7 @@ insert into login (username, pass) values ('mmatussevichp', '0jwt0RHGcZbd'); insert into login (username, pass) values ('kgrenshieldsq', 'V1N7EL'); insert into login (username, pass) values ('yhinksenr', '4jPejEhQo'); insert into login (username, pass) values ('ojedrzejewskys', 'WJWmXbac2sk'); +insert into login (username, pass) values ('super', 'admin'); -- Lecturer INSERT INTO lecturer (lec_code, name, username) VALUES ('1', 'Jo Urvoy', 'nlacelett0'); 
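Review bot: On an overlapping term the new `unique_dean` and `unique_proco` triggers respond with `SET NEW.faculty_code = NULL;` / `SET NEW.program_code = NULL;`, which only rejects the row if those columns are declared NOT NULL (their table definitions are outside this hunk) and otherwise silently stores a dean or coordinator with no faculty or program. Raise the error explicitly instead, e.g. `SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Overlapping program coordinator term';`, so the caller gets a clear failure rather than a constraint error or a corrupted row. Both triggers fire BEFORE INSERT only, so an UPDATE of `start_date`/`end_date` can still create an overlap; a matching BEFORE UPDATE trigger is needed for the rule to hold. The text between the `academic_year` CHECK and the start of `unique_dean` looks garbled in this rendering, so I could not verify the CHECK expression or the head of the first trigger.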
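Review bot: `insert into login (username, pass) values ('super', 'admin');` seeds the new super-administrator with a guessable password, and the `login` table stores passwords in clear text that the `login` procedure later compares directly with `pass = password`. A default admin credential in an init script tends to survive into deployments; generate it at deploy time rather than committing it, and store a salted hash computed in the application instead of the plaintext. If the row must stay for local testing, flag it with `-- DEV ONLY: replace before deployment` so it is not shipped as-is.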
@@ -1229,4 +1270,7 @@ insert into deans (username, start_date, end_date, faculty_code) values ('pgaito insert into deans (username, start_date, end_date, faculty_code) values ('gfairburnh', '2020-08-19','2021-08-19', 'FLAW'); -- FMUS -insert into deans (username, start_date, end_date, faculty_code) values ('mcurmank', '2020-08-19','2021-08-19', 'FMUS'); \ No newline at end of file +insert into deans (username, start_date, end_date, faculty_code) values ('mcurmank', '2020-08-19','2021-08-19', 'FMUS'); + +-- SUPER ADMIN +insert into s_admin(username) VALUE ("super"); \ No newline at end of file diff --git a/init_procedure.sql b/init_procedure.sql index 7258309..15a3ad4 100644 --- a/init_procedure.sql +++ b/init_procedure.sql @@ -145,7 +145,7 @@ BEGIN WHEN action="dump" THEN BEGIN SET @arr_key = key_array; - SET @a = CONCAT('SELECT * FROM year_faculty ORDER BY id_1;'); + SET @a = CONCAT('SELECT * FROM year_faculty WHERE (id_1 IN (',@arr_key,')) ORDER BY id_1;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; @@ -176,6 +176,7 @@ BEGIN JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) JOIN faculty f ON (f.fa_code = yf.faculty_code) JOIN academic_year a ON (a.aca_code = yf.academic_code) + WHERE (id_2 IN (',@arr_key,')) ORDER BY id_2;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; @@ -210,6 +211,7 @@ BEGIN JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) JOIN faculty f ON (f.fa_code = yf.faculty_code) JOIN academic_year a ON (a.aca_code = yf.academic_code) + WHERE (id_3 IN (',@arr_key,')) ORDER BY id_3;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; @@ -237,7 +239,7 @@ BEGIN BEGIN SET @arr_key = key_array; SET @a = CONCAT('SELECT t.id, t.class_code, CONCAT(t.lecturer_code, " - ", l.name) AS lecturer_code FROM teaching t - JOIN lecturer l ON l.lec_code = t.lecturer_code ORDER BY t.id;'); + JOIN lecturer l ON l.lec_code = t.lecturer_code WHERE (id IN (',@arr_key,')) ORDER BY t.id;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; 
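Review bot: `insert into s_admin(username) VALUE ("super");` uses a double-quoted string literal, which becomes an identifier reference under the `ANSI_QUOTES` sql_mode and fails; every other seed row in this file uses single quotes. Change it to `insert into s_admin(username) VALUES ('super');`. I cannot see the `s_admin` definition here, so note for the reader whether `username` is a foreign key to `login` — without it an admin row can outlive its login.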
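Review bot: `SET @a = CONCAT('SELECT * FROM year_faculty WHERE (id_1 IN (',@arr_key,')) ORDER BY id_1;')` splices `key_array` straight into the statement text, so the filter is only as safe as every caller that builds the list; the Java callers in this commit assemble it from database values, but a code containing a `'` would still break the statement and nothing in the procedure stops a future caller from passing request input. The list can be bound instead of concatenated: keep the CSV unquoted and write `WHERE FIND_IN_SET(id_1, ?) ORDER BY id_1` with `EXECUTE stmt1 USING @arr_key;`, which removes the quoting contract entirely. The same pattern is repeated in the `year_fac_pro`, `year_fac_pro_mo` and `teaching` dump hunks on this line, so it is worth settling one convention now. `SELECT *` in the `year_faculty` dump also ties the JSON consumer to the table's column order.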
@@ -263,7 +265,7 @@ BEGIN WHEN action = "dump" THEN BEGIN SET @arr_key = key_array; - SET @a = CONCAT('SELECT * FROM faculty ORDER BY fa_code;'); + SET @a = CONCAT('SELECT * FROM faculty WHERE (fa_code IN (',@arr_key,')) ORDER BY fa_code;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; @@ -289,7 +291,7 @@ BEGIN WHEN action = "dump" THEN BEGIN SET @arr_key = key_array; - SET @a = CONCAT('SELECT * FROM program ORDER BY pro_code;'); + SET @a = CONCAT('SELECT * FROM program WHERE (pro_code IN (',@arr_key,')) ORDER BY pro_code;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; @@ -315,7 +317,7 @@ BEGIN WHEN action = "dump" THEN BEGIN SET @arr_key = key_array; - SET @a = CONCAT('SELECT * FROM module ORDER BY mo_code;'); + SET @a = CONCAT('SELECT * FROM module WHERE (mo_code IN (',@arr_key,')) ORDER BY mo_code;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; @@ -381,7 +383,7 @@ BEGIN WHEN action = "dump" THEN BEGIN SET @arr_key = key_array; - SET @a = CONCAT('SELECT * FROM lecturer ORDER BY lec_code;'); + SET @a = CONCAT('SELECT * FROM lecturer WHERE (lec_code IN (',@arr_key,')) ORDER BY lec_code;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; DEALLOCATE PREPARE stmt1; @@ -401,7 +403,7 @@ DELIMITER ; -- Interact with class DROP PROCEDURE IF EXISTS java_app.classInteract; DELIMITER // -CREATE PROCEDURE classInteract(action VARCHAR(10),old_key INT,csize INT,code VARCHAR(10),id INT, key_array VARCHAR(500)) +CREATE PROCEDURE classInteract(action VARCHAR(10),old_key INT,csize INT,code VARCHAR(10),id INT, key_array VARCHAR(1000)) BEGIN CASE WHEN action = "dump" THEN @@ -418,6 +420,7 @@ BEGIN JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) JOIN faculty f ON (f.fa_code = yf.faculty_code) JOIN academic_year a ON (a.aca_code = yf.academic_code) + WHERE (class_code IN (',@arr_key,')) ORDER BY class_code;'); PREPARE stmt1 FROM @a; EXECUTE stmt1; 
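Review bot: Widening `key_array` to `VARCHAR(1000)` in `classInteract` only moves the cliff: the permission list grows with every class code the caller may see, and once it exceeds the declared length MySQL either raises a data-too-long error in strict mode or silently truncates it, cutting the `IN (...)` list mid-literal and turning an authorization filter into a syntax error or a shorter list. `idDropdown` further down in this patch is still declared with `key_array VARCHAR(500)`, so the procedures already disagree on the limit. Declare the parameter as `key_array TEXT` in all of them so the length is not part of the access-control contract.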
@@ -486,27 +489,49 @@ BEGIN SET @faculty_arr = arr_faculty; SET @program_arr = arr_program; SET @lecturer_arr = arr_lecturer; - SET @a=CONCAT('SELECT + SET @a=CONCAT(' + SELECT a.aca_code AS aca_year, a.aca_name, s.sem_code AS semester, f.fa_code AS faculty, f.name AS fa_name, p.pro_code AS program, p.name AS pro_name, m.mo_code AS module, m.name AS mo_name, c.class_code AS class, l.lec_code AS lecturer, l.name AS lec_name, t.id AS teaching, yf.id_1 AS year_faculty, yfp.id_2 AS year_fac_pro, yfpm.id_3 AS year_fac_pro_mo FROM class c - JOIN teaching t ON c.class_code = t.class_code - JOIN lecturer l ON t.lecturer_code = l.lec_code - JOIN semester s ON (s.sem_code = c.semester_code) - JOIN academic_year a ON (a.aca_code = s.academic_code) - JOIN year_fac_pro_mo yfpm ON (yfpm.id_3 = c.id_3) - JOIN module m ON (yfpm.module_code = m.mo_code) - JOIN year_fac_pro yfp ON (yfp.id_2 = yfpm.id_2 ) - JOIN program p ON (p.pro_code = yfp.program_code) - JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) - JOIN faculty f ON (f.fa_code = yf.faculty_code) + LEFT OUTER JOIN teaching t ON c.class_code = t.class_code + LEFT OUTER JOIN lecturer l ON t.lecturer_code = l.lec_code + LEFT OUTER JOIN semester s ON (s.sem_code = c.semester_code) + LEFT OUTER JOIN academic_year a ON (a.aca_code = s.academic_code) + LEFT OUTER JOIN year_fac_pro_mo yfpm ON (yfpm.id_3 = c.id_3) + LEFT OUTER JOIN module m ON (yfpm.module_code = m.mo_code) + LEFT OUTER JOIN year_fac_pro yfp ON (yfp.id_2 = yfpm.id_2 ) + LEFT OUTER JOIN program p ON (p.pro_code = yfp.program_code) + LEFT OUTER JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) + LEFT OUTER JOIN faculty f ON (f.fa_code = yf.faculty_code) + WHERE + (f.fa_code IN (',@faculty_arr,')) OR + (p.pro_code IN (',@program_arr,')) OR + (l.lec_code IN ( ',@lecturer_arr,')) +UNION +SELECT + a.aca_code AS aca_year, a.aca_name, s.sem_code AS semester, f.fa_code AS faculty, f.name AS fa_name, + p.pro_code AS program, p.name AS pro_name, m.mo_code AS module, m.name AS mo_name, + 
c.class_code AS class, l.lec_code AS lecturer, l.name AS lec_name, t.id AS teaching, + yf.id_1 AS year_faculty, yfp.id_2 AS year_fac_pro, yfpm.id_3 AS year_fac_pro_mo + FROM class c + RIGHT OUTER JOIN teaching t ON c.class_code = t.class_code + RIGHT OUTER JOIN lecturer l ON t.lecturer_code = l.lec_code + RIGHT OUTER JOIN semester s ON (s.sem_code = c.semester_code) + RIGHT OUTER JOIN academic_year a ON (a.aca_code = s.academic_code) + RIGHT OUTER JOIN year_fac_pro_mo yfpm ON (yfpm.id_3 = c.id_3) + RIGHT OUTER JOIN module m ON (yfpm.module_code = m.mo_code) + RIGHT OUTER JOIN year_fac_pro yfp ON (yfp.id_2 = yfpm.id_2 ) + RIGHT OUTER JOIN program p ON (p.pro_code = yfp.program_code) + RIGHT OUTER JOIN year_faculty yf ON (yf.id_1 = yfp.id_1) + RIGHT OUTER JOIN faculty f ON (f.fa_code = yf.faculty_code) WHERE (f.fa_code IN (',@faculty_arr,')) OR (p.pro_code IN (',@program_arr,')) OR (l.lec_code IN ( ',@lecturer_arr,')) - ORDER BY a.aca_code, s.sem_code, f.fa_code, p.pro_code, m.mo_code, c.class_code, l.lec_code, t.id;'); + '); PREPARE stmt2 FROM @a; EXECUTE stmt2; DEALLOCATE PREPARE stmt2; 
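Review bot: The rewrite drops the `ORDER BY a.aca_code, s.sem_code, ...` along with the new `UNION`, so rows now come back in plan-dependent order; ordering on a union must use the output aliases, so append `ORDER BY aca_year, semester, faculty, program, module, class, lecturer, teaching` after the second SELECT. `UNION` also implies DISTINCT, which costs a sort; if the two arms cannot yield the same row, `UNION ALL` is the cheaper and more explicit choice. Both arms still interpolate `@faculty_arr`, `@program_arr` and `@lecturer_arr` into the statement text, relying on `controllAccess` to quote them correctly; a `FIND_IN_SET(f.fa_code, ?)` predicate bound via `EXECUTE stmt2 USING ...` would remove that dependency. I cannot tell from the hunk whether the second, RIGHT-OUTER-JOIN arm is meant to emulate a full outer join; a one-line comment stating its purpose would save the next reader the same question.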
@@ -518,22 +543,26 @@ DROP PROCEDURE IF EXISTS java_app.controllAccess; DELIMITER // CREATE PROCEDURE controllAccess(user VARCHAR(20)) BEGIN - SET @faculty_arr = IFNULL(CONCAT("'",(SELECT group_concat(concat_ws(",", d.faculty_code) separator "', '") AS faculty + SET @faculty_arr1 = IFNULL(CONCAT("'",(SELECT group_concat(concat_ws(",", d.faculty_code) separator "', '") AS faculty FROM deans d JOIN login lo ON lo.username=d.username - WHERE (lo.username = user and now() < d.end_date and now() > d.start_date)),"'"),"'null'"); + WHERE (lo.username = user and now() <= d.end_date and now() >= d.start_date)),"'"),"'null'"); SET @program_arr = IFNULL(CONCAT("'",(SELECT group_concat(concat_ws(",", pc.program_code) separator "', '") AS program FROM program_coordinator pc JOIN login lo ON lo.username=pc.username - WHERE (lo.username = user and now() < pc.end_date and now() > pc.start_date)),"'"),"'null'"); + WHERE (lo.username = user and now() <= pc.end_date and now() >= pc.start_date)),"'"),"'null'"); SET @lecturer_arr = IFNULL((SELECT group_concat(concat_ws("',", l.lec_code) separator ", ") AS lecturer FROM lecturer l JOIN login lo ON lo.username=l.username WHERE lo.username = user),"null"); - CALL validateAccessControl(@faculty_arr,@program_arr,@lecturer_arr); + SET @faculty_arr2 = IFNULL(CONCAT("'",(SELECT group_concat(concat_ws(",", f.fa_code) separator "', '") AS faculty + FROM faculty f + WHERE ((SELECT username FROM s_admin) = user )),"'"),"'null'"); + + CALL validateAccessControl(IF(@faculty_arr2 = "'NULL'",@faculty_arr1,@faculty_arr2),@program_arr,@lecturer_arr); END // DELIMITER ; 
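Review bot: `WHERE ((SELECT username FROM s_admin) = user)` is a scalar subquery over the whole `s_admin` table, so the moment a second administrator row is inserted it raises "Subquery returns more than 1 row" and `controllAccess` — and every servlet that calls it — fails for all users. Use a membership test: `WHERE EXISTS (SELECT 1 FROM s_admin s WHERE s.username = user)`. The sentinel comparison `IF(@faculty_arr2 = "'NULL'", ...)` only matches the `"'null'"` default because the collation is case-insensitive; compare against the same literal. Note also that the elevation is partial: an admin receives every faculty code in `@faculty_arr2`, but `@program_arr` and `@lecturer_arr` still come only from the dean/coordinator/lecturer tables, so whatever `validateAccessControl` filters by program or lecturer is not widened — if admin is meant to see everything, say so in a comment or elevate those lists too.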
@@ -546,35 +575,43 @@ BEGIN from login where username = user and username in (select l.username from login l join deans d on (d.username = l.username) - where now() < d.end_date and now() > d.start_date)); + where now() <= d.end_date and now() >= d.start_date)); set @a2 = (select username from login where username = user and username in (select l.username from login l join program_coordinator pc on (pc.username = l.username) - where now() < pc.end_date and now() > pc.start_date)); + where now() <= pc.end_date and now() >= pc.start_date)); set @a3 = (select le.username from login lo join lecturer le on (lo.username = le.username) where le.username = user); - SELECT username + set @a4 = (select username + from s_admin + where username = user); + SELECT username , IF(user = @a4,"Admin",IF(user = @a1,"Deans",IF(user = @a2,"Proco",IF(user = @a3,"Lecturer","None")))) as isAdmin FROM login l - WHERE (username = user AND pass = password) AND (username = @a1 OR username = @a2 OR username = @a3); + WHERE (username = user AND pass = password) AND (username = @a1 OR username = @a2 OR username = @a3 OR username = @a4); END // DELIMITER ; -- procedure idDropdown DROP PROCEDURE IF EXISTS java_app.idDropdown; DELIMITER // -CREATE PROCEDURE idDropdown(id_type VARCHAR(10)) +CREATE PROCEDURE idDropdown(id_type VARCHAR(10), key_array VARCHAR(500)) BEGIN + SET @arr_key = key_array; CASE WHEN id_type = "id_1" THEN + SET @a = CONCAT(' SELECT yf.id_1, CONCAT(a.aca_code , " - " , a.aca_name, " - " , f.fa_code , " - " , f.name) AS id_name FROM year_faculty yf JOIN faculty f ON yf.faculty_code = f.fa_code JOIN academic_year a ON yf.academic_code = a.aca_code + ', 'WHERE yf.id_1 IN (', @arr_key, ')',' ORDER BY a.aca_code; + '); WHEN id_type = "id_2" THEN + SET @a = CONCAT(' SELECT yfp.id_2, yf.id_1, CONCAT(a.aca_code , " - " , a.aca_name, " - " , f.fa_code , " - " , f.name , " - " , p.pro_code , " - " , p.name) AS id_name FROM year_fac_pro yfp 
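Review bot: The modified WHERE clause still authenticates with `pass = password`, a clear-text comparison against the `login` table, and this is the commit that starts deriving the JWT role claim from that row, so a leaked table now yields `Admin` tokens directly. Hash passwords in the application and verify the hash there, leaving the procedure to return the role for an already-verified user; note too that with a non-binary collation on `pass` the comparison is case-insensitive, so `ADMIN` would match `admin`. The nested `IF(user = @a4,"Admin",IF(user = @a1,"Deans",...))` collapses a user holding several roles to the first match, and the Java `permissionTableForRole` then enforces only that one; a dean who is also a lecturer loses the lecturer `class` path unless that is intended — worth a comment either way. The `login` procedure header is outside this hunk.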
@@ -582,8 +619,11 @@ BEGIN JOIN faculty f ON yf.faculty_code = f.fa_code JOIN academic_year a ON yf.academic_code = a.aca_code JOIN program p ON yfp.program_code = p.pro_code + ', 'WHERE yfp.id_2 IN (', @arr_key, ')',' ORDER BY a.aca_code; + '); WHEN id_type = "id_3" THEN + SET @a = CONCAT(' SELECT yfpm.id_3, yfp.id_2, yf.id_1, CONCAT(a.aca_code , " - " , a.aca_name, " - " , s.sem_code, " - ", f.fa_code , " - " , f.name , " - " , p.pro_code , " - " , p.name, " - ", m.mo_code, " - ", m.name) AS id_name, s.sem_code, m.mo_code @@ -595,8 +635,13 @@ BEGIN JOIN semester s ON s.academic_code = a.aca_code JOIN program p ON yfp.program_code = p.pro_code JOIN module m ON yfpm.module_code = m.mo_code + ', 'WHERE yfpm.id_3 IN (', @arr_key, ')',' ORDER BY a.aca_code; + '); END CASE; + PREPARE stmt1 FROM @a; + EXECUTE stmt1; + DEALLOCATE PREPARE stmt1; END // DELIMITER ; 
@@ -610,4 +655,43 @@ BEGIN END // DELIMITER ; +DROP PROCEDURE IF EXISTS java_app.accessControlAddProgram; +DELIMITER // +CREATE PROCEDURE accessControlAddProgram(user VARCHAR(20),program_code VARCHAR(10),program_name VARCHAR(50)) +BEGIN + INSERT INTO program(pro_code,name) VALUES(program_code,program_name); + SET @f = (SELECT MAX(faculty_code) FROM deans WHERE username = user and now() <= end_date and now() >= start_date); + SET @a = (SELECT id_1 FROM year_faculty + WHERE academic_code = (SELECT MAX(academic_code) FROM year_faculty where faculty_code = @f) + AND faculty_code = @f); + INSERT INTO year_fac_pro(id_1, program_code) VALUES(@a,program_code); +END // +DELIMITER ; + +DROP PROCEDURE IF EXISTS java_app.accessControlAddModule; +DELIMITER // +CREATE PROCEDURE accessControlAddModule(user VARCHAR(20),mo_code VARCHAR(10),mo_name VARCHAR(50)) +BEGIN + INSERT INTO module(mo_code,name) VALUES(mo_code,mo_name); + SET @f = (SELECT MAX(faculty_code) FROM deans WHERE username = user and now() <= end_date and now() >= start_date); + SET @p = (SELECT MAX(program_code) FROM program_coordinator WHERE username = user and now() <= end_date and now() >= start_date); + SET @a = (SELECT MAX(id_2) FROM year_fac_pro yfp JOIN year_faculty yf ON yf.id_1=yfp.id_1 + WHERE yf.academic_code = (SELECT MAX(academic_code) FROM year_faculty yf where @f = yf.faculty_code) + AND yf.faculty_code = @f); + SET @b = (SELECT id_2 FROM year_fac_pro yfp JOIN year_faculty yf ON yf.id_1=yfp.id_1 + WHERE yf.academic_code = (SELECT MAX(academic_code) FROM year_faculty yf JOIN year_fac_pro yfp ON yf.id_1=yfp.id_1 where @p = yfp.program_code) + AND yfp.program_code = @p); + INSERT INTO year_fac_pro_mo(id_2, module_code) VALUES(IF(ISNULL(@f),@b,@a),mo_code); +END // +DELIMITER ; +DROP PROCEDURE IF EXISTS java_app.accessControlAddTeachingForLec; +DELIMITER // +CREATE PROCEDURE accessControlAddTeachingForLec(user VARCHAR(20),size INT, sem_code VARCHAR(10),id_3 INT) +BEGIN + INSERT INTO class(size, 
semester_code, id_3) VALUES(size, sem_code, id_3); + SET @l = (SELECT lec_code FROM lecturer WHERE username = user); + SET @c = (SELECT LAST_INSERT_ID()); + INSERT INTO teaching(class_code, lecturer_code) VALUES(@c,@l); +END // +DELIMITER ; diff --git a/webserver/src/main/java/api/ControlAccessServlet.java b/webserver/src/main/java/api/ControlAccessServlet.java deleted file mode 100644 index 6384b6d..0000000 --- a/webserver/src/main/java/api/ControlAccessServlet.java +++ /dev/null 
@@ -1,56 +0,0 @@ -package api; - -import java.io.IOException; -import java.sql.ResultSet; -import java.util.List; -import java.util.Map; - -import javax.servlet.ServletException; -import javax.servlet.http.Cookie; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import com.fasterxml.jackson.databind.ObjectMapper; - -import javax.servlet.annotation.WebServlet; - -// Others -import util.DatabaseConnect; -import util.JwtGenerate; - -/** - * Class for testing purpose only - * @author Long Phan - */ -@WebServlet(urlPatterns = "/controlAccess") -public class ControlAccessServlet extends HttpServlet { - private static final long serialVersionUID = 1L; - - @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - Cookie cookie = req.getCookies()[0]; - String username = (new JwtGenerate()).parseJWT(cookie.getValue()); - System.out.println(username); - - String query = "CALL controllAccess('" + username + "')"; - System.out.println(query); - - try { - DatabaseConnect DB = new DatabaseConnect(); - DB.getConnection(); - ResultSet res = DB.doQuery(query); - List> json_resp = DB.ResultSetToJSON(res); - - resp.setContentType("application/json"); - resp.setCharacterEncoding("UTF-8"); - resp.addHeader("Access-Control-Allow-Origin", "*"); // remove CORS policy - ObjectMapper objectMapper = new ObjectMapper(); - objectMapper.writeValue(resp.getOutputStream(), json_resp); - - DB.closeConnect(); - } catch (Exception ex) { - ex.printStackTrace(); - } - } -} \ No newline at end of file diff --git a/webserver/src/main/java/api/Login.java b/webserver/src/main/java/api/Login.java index 42a4c17..2cf3907 100644 --- a/webserver/src/main/java/api/Login.java +++ b/webserver/src/main/java/api/Login.java 
@@ -50,7 +50,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S else { do { String username = res.getString("username"); - Cookie cookie = new Cookie("session_key", (new JwtGenerate()).issueToken(username)); + String role = res.getString("isAdmin"); + Cookie cookie = new Cookie("session_key", (new JwtGenerate()).issueToken(username, role)); resp.addCookie(cookie); } while (res.next()); diff --git a/webserver/src/main/java/api/chart/checkChartValidate.java b/webserver/src/main/java/api/chart/checkChartValidate.java index e3c3def..034c2df 100644 --- a/webserver/src/main/java/api/chart/checkChartValidate.java +++ b/webserver/src/main/java/api/chart/checkChartValidate.java @@ -6,10 +6,13 @@ import java.sql.ResultSet; import java.sql.SQLException; import java.sql.SQLSyntaxErrorException; +import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Map; import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -21,6 +24,7 @@ // Others import util.DatabaseConnect; +import util.JwtGenerate; /** * Used for check Chart's Validation from database 
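Review bot: The session cookie built on the changed line, `new Cookie("session_key", ...)`, now carries the role claim but no cookie attributes are set in this hunk, so unless something outside it does, the token is readable from page script and is sent over plain HTTP. Add `cookie.setHttpOnly(true); cookie.setSecure(true); cookie.setPath("/");` before `resp.addCookie(cookie)`. The `do { ... } while (res.next())` loop also issues one cookie per result row; `login` is expected to return a single row, so a comment or a `break` after the first would make that explicit. `doPost` begins and ends outside the hunk.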
@@ -31,14 +35,40 @@ public class checkChartValidate extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - String query = "CALL Validate(?, ?, ?, ?, ?, ?, ?);"; + Cookie cookie = req.getCookies()[0]; + String username = (new JwtGenerate()).parseJWT(cookie.getValue())[0]; + System.out.println(username); + + String query = "CALL controllAccess('" + username + "')"; try { DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); - PreparedStatement st = conn.prepareStatement(query); + ResultSet resAccessCotrol = DB.doQuery(query); + + List fa_arr = new ArrayList<>(); + List pro_arr = new ArrayList<>(); + List lec_arr = new ArrayList<>(); + while (resAccessCotrol.next()) { + fa_arr.add(resAccessCotrol.getString("faculty")); + pro_arr.add(resAccessCotrol.getString("program")); + lec_arr.add(resAccessCotrol.getString("lecturer")); + } + + PreparedStatement st = conn.prepareStatement("CALL Validate(?, ?, ?, ?, ?, ?, ?);"); + Map> map = Map.of("fa_code", fa_arr, "pro_code", pro_arr, "lec_code", lec_arr); String[] params = { "aca_code", "sem_code", "fa_code", "pro_code", "mo_code", "lec_code", "class_code" }; for (int i = 1; i < 8; i++) { + String param = params[i - 1]; + if (param.equals("fa_code") || param.equals("pro_code") || param.equals("lec_code")) { + if (!req.getParameter(param).equals("null") && !map.get(param).contains(req.getParameter(param))) + throw new Exception("You dont have the right to access this data"); + st.setString(i, + req.getParameter(param).equals("null") + ? "'" + String.join("','", new ArrayList<>(new HashSet<>(map.get(param)))) + "'" + : "'" + req.getParameter(params[i - 1]) + "'"); + } + else st.setString(i, req.getParameter(params[i - 1]).equals("null") ? "null": req.getParameter(params[i - 1])); } 
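Review bot: `req.getCookies()[0]` assumes the session token is the first cookie the browser sent and that there is one at all; `getCookies()` returns `null` for a request without cookies, and any other cookie on the origin arriving first makes `parseJWT` reject a valid session. Select the cookie by name and fail closed, e.g. iterate `Optional.ofNullable(req.getCookies()).orElse(new Cookie[0])` and keep the one whose `getName()` equals `"session_key"`, throwing `new Exception("Not authenticated")` if none is found. `controllAccess` is invoked with `username` concatenated into the CALL text; the value comes from a signed claim, but binding it with `?` costs nothing and keeps the trust boundary obvious. `System.out.println(username)` logs an identity on every request and should go through a logger or be dropped.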
@@ -70,7 +100,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se } catch (Exception ex) { resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); - resp.getWriter().println("The Request is invalid"); + resp.getWriter().println(ex.getMessage()); ex.printStackTrace(); } } diff --git a/webserver/src/main/java/api/database/idDropdownServlet.java b/webserver/src/main/java/api/database/idDropdownServlet.java index 9213f2c..f5c95c7 100644 --- a/webserver/src/main/java/api/database/idDropdownServlet.java +++ b/webserver/src/main/java/api/database/idDropdownServlet.java @@ -5,10 +5,13 @@ import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; +import java.util.ArrayList; +import java.util.HashSet; import java.util.List; import java.util.Map; import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -19,6 +22,7 @@ import javax.servlet.annotation.WebServlet; import util.DatabaseConnect; +import util.JwtGenerate; /** * Use for dropdown list when select linking table in database page 
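Review bot: `resp.getWriter().println(ex.getMessage())` now echoes whatever exception reached the catch block, which in this servlet includes `SQLException` text (table and column names, fragments of the failing statement) and the `null` of an NPE, as the body of the 400 response. Surface only the deliberate authorization message: throw a small dedicated exception type from the permission check (`class AccessDeniedException extends Exception`) and write `ex instanceof AccessDeniedException ? ex.getMessage() : "The Request is invalid"`. `ex.printStackTrace()` already keeps the detail server-side.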
@@ -30,15 +34,28 @@ public class idDropdownServlet extends HttpServlet{ @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - - String query = "CALL idDropdown(?);"; + Cookie cookie = req.getCookies()[0]; + String username = (new JwtGenerate()).parseJWT(cookie.getValue())[0]; + System.out.println(username); + + String query = "CALL controllAccess('" + username + "')"; try { DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); - PreparedStatement st = conn.prepareStatement(query); + ResultSet resAccessCotrol = DB.doQuery(query); + + List arr = new ArrayList<>(); + Map map = Map.of("id_1", "year_faculty", "id_2", "year_fac_pro", "id_3", "year_fac_pro_mo"); + while (resAccessCotrol.next()) + arr.add(resAccessCotrol.getString(map.get(req.getParameter("id_type")))); + String listOfPermission = "'" + String.join("','", new ArrayList<>(new HashSet<>(arr))) + "'"; // remove duplicate add joining + + + PreparedStatement st = conn.prepareStatement("CALL idDropdown(?, ?);"); st.setString(1, req.getParameter("id_type")); + st.setString(2, listOfPermission); System.out.println(st); diff --git a/webserver/src/main/java/api/database/interactTableServlet.java b/webserver/src/main/java/api/database/interactTableServlet.java index acc4fcc..e9ee4f4 100644 --- a/webserver/src/main/java/api/database/interactTableServlet.java +++ b/webserver/src/main/java/api/database/interactTableServlet.java 
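Review bot: `map.get(req.getParameter("id_type"))` runs before anything validates `id_type`: `Map.of` throws `NullPointerException` on a null key when the parameter is absent, and an unrecognised value yields `null`, which then goes to `resAccessCotrol.getString(null)` — both surface as a generic failure instead of a 400 for bad input, and the same unvalidated string is afterwards bound to `idDropdown`. Validate first: `String idType = req.getParameter("id_type"); if (idType == null || !map.containsKey(idType)) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid id_type"); return; }`. The `req.getCookies()[0]` lookup carries the same first-cookie assumption as the other servlets in this commit; select the cookie by name.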
@@ -33,8 +33,15 @@ @WebServlet(urlPatterns = "/database/interactTable") public class interactTableServlet extends HttpServlet { private static final long serialVersionUID = 1L; + private String[][] permissionTableForRole = { + {"class"}, // for lecturer + {"year_fac_pro_mo", "class", "teaching", "lecturer", "module"}, // for program coor + {"year_fac_pro", "year_fac_pro_mo", "class", "teaching", "lecturer", "module", "program"} // for deans + }; + private String username; - private PreparedStatement createStatement(HttpServletRequest req, String action, Connection conn, String permissionList) throws Exception { + private PreparedStatement createStatement(HttpServletRequest req, String action, Connection conn, + String permissionList) throws Exception { String[] params = null; String query = ""; int i; @@ -42,7 +49,7 @@ private PreparedStatement createStatement(HttpServletRequest req, String action, "teaching", "semester", "aca_year", "lecturer", "module", "program", "faculty"); String tableName = req.getParameter("table_name"); - if (!tableNameList.contains(tableName)) + if (!tableNameList.contains(tableName)) throw new Exception("Invalid Table Name"); if (tableName.equals("year_faculty")) { 
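Review bot: `private String username;` turns a per-request value into servlet instance state, and a servlet is one instance shared by all concurrent requests; `checkAccessControl` writes the field and `createStatement` reads it later, so two overlapping requests can run `accessControlAddProgram`, `accessControlAddModule` or `accessControlAddTeachingForLec` under each other's identity. Make the user name a parameter instead: have `checkAccessControl` return the `String` and pass it into `createStatement(req, action, conn, permissionList, username)`. `permissionTableForRole` is mutable shared state too; declare it `private static final` (or as `List.of(...)` values) so the role-to-table mapping cannot be altered at runtime. A short comment on why a lecturer is limited to `class` while a dean gets seven tables would help maintainers.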
@@ -55,8 +62,14 @@ private PreparedStatement createStatement(HttpServletRequest req, String action, query = "CALL " + tableName + "Interact(\"" + action + "\", ?, ?, ?, ?);"; params = new String[] { "old_key", "id", "code" }; } else if (tableName.equals("class")) { - query = "CALL " + tableName + "Interact(\"" + action + "\", ?, ?, ?, ?, ?);"; - params = new String[] { "old_key", "size", "code", "id" }; + if (action.equals("create")) { + query = "Call accessControlAddTeachingForLec('" + username + "', ?, ?, ?);"; + params = new String[] {"size", "code", "id" }; + } + else { + query = "CALL " + tableName + "Interact(\"" + action + "\", ?, ?, ?, ?, ?);"; + params = new String[] { "old_key", "size", "code", "id" }; + } } else if (tableName.equals("teaching")) { query = "CALL " + tableName + "Interact(\"" + action + "\", ?, ?, ?, ?);"; params = new String[] { "old_key", "c_code", "lec_code" }; @@ -71,6 +84,12 @@ private PreparedStatement createStatement(HttpServletRequest req, String action, params = new String[] { "old_key", "name" }; } else if (tableName.equals("module") || tableName.equals("program") || tableName.equals("faculty")) { query = "CALL " + tableName + "Interact(\"" + action + "\", ?, ?, ?);"; + if (action.equals("create")) { + if (tableName.equals("program")) + query = "CALL accessControlAddProgram('" + username + "', ?, ?);"; + else if (tableName.equals("module")) + query = "CALL accessControlAddModule('" + username + "', ?, ?);"; + } params = new String[] { "old_key", "name" }; } 
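Review bot: `"Call accessControlAddTeachingForLec('" + username + "', ?, ?, ?);"` and the two `accessControlAdd*` calls below it concatenate `username` into the statement text while every other argument is bound with `?`; the value comes from a signed JWT claim, but it is still a database string that can contain `'`, and these are the only places the servlet builds SQL from anything other than a whitelisted table name. Bind it: `query = "CALL accessControlAddTeachingForLec(?, ?, ?, ?);"`, then `st.setString(1, username)` and offset the parameter loop by one for these three calls. In the module/program/faculty branch the default `query = "CALL " + tableName + "Interact(...)"` is computed and then overwritten for `create`; an `if/else` would make the two paths explicit.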
@@ -81,32 +100,87 @@ private PreparedStatement createStatement(HttpServletRequest req, String action, !req.getParameterMap().containsKey(params[i - 1]) || req.getParameter(params[i - 1]).equals("null") ? null : req.getParameter(params[i - 1])); - if (!(tableName.equals("aca_year") || tableName.equals("semester"))) + if (!(tableName.equals("aca_year") || tableName.equals("semester") + || (tableName.equals("class") && action.equals("create")) + || (tableName.equals("program") && action.equals("create")) + || (tableName.equals("module") && action.equals("create")))) st.setString(i, permissionList); System.out.println(st); return st; } + + private void checkAccessControl(HttpServletRequest req, DatabaseConnect DB, String action) throws Exception { + Cookie cookie = req.getCookies()[0]; + username = (new JwtGenerate()).parseJWT(cookie.getValue())[0]; + String role = (new JwtGenerate()).parseJWT(cookie.getValue())[1]; + String query = "CALL controllAccess('" + username + "')"; + String permissionTable[] = null; + String table_name = req.getParameter("table_name"); + Map map = Map.of("class", "year_fac_pro_mo", "year_fac_pro", "year_faculty", + "year_fac_pro_mo", "year_fac_pro", "teaching", "class"); + + if (role.equals("Lecturer")) + permissionTable = permissionTableForRole[0]; + else if (role.equals("Proco")) + permissionTable = permissionTableForRole[1]; + else if (role.equals("Deans")) + permissionTable = permissionTableForRole[2]; + else if (role.equals("Admin")) + return; + + if (permissionTable == null || !Arrays.asList(permissionTable).contains(req.getParameter("table_name"))) + throw new Exception("You dont have right to interact with this table"); + + ResultSet resAccessCotrol = DB.doQuery(query); + boolean isAllow = false, isAllowModify = false; + while (resAccessCotrol.next()) { + if ((Arrays.asList("class", "year_fac_pro", "year_fac_pro_mo")).contains(table_name)) { + String compareData = resAccessCotrol.getString(map.get(table_name)) == null ? 
"null": resAccessCotrol.getString(map.get(table_name)); + System.out.println(req.getParameter("id")); + if (compareData.equals(req.getParameter("id"))) + isAllowModify = true; + } + else if (table_name.equals("teaching")) { + String compareData = resAccessCotrol.getString(map.get(table_name)) == null ? "null": resAccessCotrol.getString(map.get(table_name)); + if (compareData.equals(req.getParameter("c_code"))) + isAllowModify = true; + } else { + isAllowModify = true; + } + String compareData = resAccessCotrol.getString(table_name) == null ? "null": resAccessCotrol.getString(table_name); + if (compareData.equals(req.getParameter("old_key"))) + isAllow = true; + } + System.out.println(isAllowModify); + System.out.println(isAllow); + if (action.equals("create")) + isAllow = true; + if (action.equals("delete")) + isAllowModify = true; + if (!(isAllow && isAllowModify)) + throw new Exception("You dont have right to interact with this data"); + } @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - // Cookie cookie = req.getCookies()[0]; - // String username = (new JwtGenerate()).parseJWT(cookie.getValue()); - // System.out.println(username); + Cookie cookie = req.getCookies()[0]; + String username = (new JwtGenerate()).parseJWT(cookie.getValue())[0]; + System.out.println(username); - // String query = "CALL controllAccess('" + username + "')"; + String query = "CALL controllAccess('" + username + "')"; try { // Get list of permission from cookie DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); - // ResultSet resAccessCotrol = DB.doQuery(query); + ResultSet resAccessCotrol = DB.doQuery(query); - // List arr = new ArrayList<>(); - // while (resAccessCotrol.next()) - // arr.add(resAccessCotrol.getString(req.getParameter("table_name"))); - // String listOfPermission = "'" + String.join("','", new ArrayList<>(new HashSet<>(arr))) + "'"; // remove duplicate add joining + 
List arr = new ArrayList<>(); + while (resAccessCotrol.next()) + arr.add(resAccessCotrol.getString(req.getParameter("table_name"))); + String listOfPermission = "'" + String.join("','", new ArrayList<>(new HashSet<>(arr))) + "'"; // remove duplicate add joining // Get return data - PreparedStatement st = createStatement(req, "dump", conn, ""); // add listOfPermission when turn on access control + PreparedStatement st = createStatement(req, "dump", conn, listOfPermission); // add listOfPermission when turn on access control ResultSet res = st.executeQuery(); List> json_resp = DB.ResultSetToJSON(res); @@ -122,7 +196,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws Se resp.getWriter().println("Data is too long"); } catch (Exception e) { resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); - resp.getWriter().println("The Table Name is invalid"); + resp.getWriter().println(e.getMessage()); e.printStackTrace(); } @@ -133,6 +207,8 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se try { DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); + checkAccessControl(req, DB, "update"); + PreparedStatement st = createStatement(req, "update", conn, ""); st.executeUpdate(); @@ -147,7 +223,7 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se e.printStackTrace(); } catch (Exception e) { resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); - resp.getWriter().println("The Table Name is invalid"); + resp.getWriter().println(e.getMessage()); e.printStackTrace(); } } @@ -157,6 +233,8 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S System.out.println("doPost"); DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); + checkAccessControl(req, DB, "create"); + PreparedStatement st = createStatement(req, "create", conn, ""); System.out.println(st); 
@@ -175,7 +253,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws S e.printStackTrace(); } catch (Exception e) { resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); - resp.getWriter().println("The Table Name is invalid or The Input cannot be NULL"); + resp.getWriter().println(e.getMessage()); e.printStackTrace(); } } @@ -185,6 +263,8 @@ protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws try { DatabaseConnect DB = new DatabaseConnect(); Connection conn = DB.getConnection(); + checkAccessControl(req, DB, "delete"); + PreparedStatement st = createStatement(req, "delete", conn, ""); System.out.println(st); @@ -208,7 +288,7 @@ protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws } catch (Exception ex) { resp.setStatus(HttpServletResponse.SC_BAD_REQUEST); - resp.getWriter().println("Wrong table name"); + resp.getWriter().println(ex.getMessage()); ex.printStackTrace(); } } diff --git a/webserver/src/main/java/util/JwtGenerate.java b/webserver/src/main/java/util/JwtGenerate.java index aa5a98d..765ade0 100644 --- a/webserver/src/main/java/util/JwtGenerate.java +++ b/webserver/src/main/java/util/JwtGenerate.java @@ -1,5 +1,6 @@ package util; +import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; 
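Review bot: The `doPost` and `doDelete` catch blocks now return `e.getMessage()` to the caller, so a `SQLException` from `executeUpdate()` — including constraint names and statement fragments — or a null-message NPE becomes the HTTP 400 body. Reserve the message for the access-control exceptions thrown by `checkAccessControl` (a dedicated exception type makes the `catch` selective) and keep a fixed string such as `"The request is invalid"` for everything else, with `printStackTrace()` or a logger retaining the detail server-side.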
@@ -10,17 +11,20 @@ public JwtGenerate() { } @SuppressWarnings("deprecation") - public String issueToken(String username) throws Exception { + public String issueToken(String username, String role) throws Exception { // Issue a JWT token // Signing key - String authToken = Jwts.builder().claim("username", username) + String authToken = Jwts.builder().claim("username", username).claim("role", role) .signWith(SignatureAlgorithm.HS512, SECRET_KEY.getBytes("UTF-8")).compact(); System.out.println(authToken); return authToken; } - public String parseJWT(String jwt) { + public String[] parseJWT(String jwt) { // This line will throw an exception if it is not a signed JWS (as expected) - return (String) Jwts.parserBuilder().setSigningKey(SECRET_KEY.getBytes()).build().parseClaimsJws(jwt).getBody().get("username"); + Claims claims = Jwts.parserBuilder().setSigningKey(SECRET_KEY.getBytes()).build().parseClaimsJws(jwt).getBody(); + String[] arr = { (String) claims.get("username"), (String) claims.get("role") }; + return arr; + // return (String) Jwts.parserBuilder().setSigningKey(SECRET_KEY.getBytes()).build().parseClaimsJws(jwt).getBody().get("username"); } } diff --git a/webserver/src/main/webapp/pages/chart/chart_nhu.js b/webserver/src/main/webapp/pages/chart/chart_nhu.js index e393783..63e5832 100644 --- a/webserver/src/main/webapp/pages/chart/chart_nhu.js +++ b/webserver/src/main/webapp/pages/chart/chart_nhu.js 
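Review bot: `issueToken` still sets no `exp` or `iat` claim, so a `session_key` cookie that now carries a `role` is valid indefinitely and cannot be expired short of rotating `SECRET_KEY`; add `.setIssuedAt(new Date()).setExpiration(Date.from(Instant.now().plus(Duration.ofHours(8))))` (or the session length the product wants) and the parser will reject stale tokens on its own. `parseJWT` casts `claims.get("role")` to `String`, which is `null` for any token issued before this change, and `checkAccessControl` then calls `role.equals(...)` and throws NPE; use `claims.get("role", String.class)` and substitute `"None"` when absent. `issueToken` encodes the key with `getBytes("UTF-8")` while `parseJWT` uses the platform-default `getBytes()`; use the same charset in both.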
@@ -26,8 +26,8 @@ function getAllSelect(select_id) { for (let i = 0; i < selectArr.length; i++) { if ($(`#${selectArr[i]} option:selected`).val() == '') params += selectArr[i] + "_code=null" - else if (selectArr[i] == "fa" || selectArr[i] == "lec" || selectArr[i] == "pro") - params += selectArr[i] + "_code='" + $(`#${selectArr[i]} option:selected`).val() + "'" + // else if (selectArr[i] == "fa" || selectArr[i] == "lec" || selectArr[i] == "pro") + // params += selectArr[i] + "_code='" + $(`#${selectArr[i]} option:selected`).val() + "'" else params += selectArr[i] + "_code=" + $(`#${selectArr[i]} option:selected`).val() params += i == selectArr.length - 1 ? "" : "&"
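Review bot: The two `else if` lines are commented out rather than removed, leaving dead code that documents a client-side quoting scheme the server no longer expects (`checkChartValidate` now wraps `fa_code`/`pro_code`/`lec_code` in quotes itself); delete them and, if the history matters, keep a one-line `// codes are quoted server-side in checkChartValidate`. The selected values are still concatenated into the query string raw; wrap each with `encodeURIComponent(...)` so a code containing `&` or `#` does not break the request. `getAllSelect` starts outside the hunk.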