From 1687bbaafdda7e80f3a17d5a421f63f641523109 Mon Sep 17 00:00:00 2001
From: buczekp <buczekp>
Date: Tue, 23 Feb 2010 08:40:39 +0000
Subject: [PATCH] [LMS-1361] use predefined query id instead of sql for security reasons
SVN: 14877
---
 .../GridCustomExpressionTranslator.java | 4 +---
 .../web/client/IQueryClientService.java | 4 ++++
 .../web/client/IQueryClientServiceAsync.java | 5 +++++
 .../application/module/IQueryProvider.java | 2 ++
 .../application/module/QueryViewer.java | 20 +++++++++++------
 .../module/RunCannedQueryToolbar.java | 6 +++++
 .../module/RunCustomQueryToolbar.java | 5 +++++
 .../client/web/server/QueryClientService.java | 16 ++++++++++++++
 .../plugin/query/server/QueryServer.java | 9 ++++----
 .../shared/basic/dto/QueryExpression.java | 22 +++----------------
 10 files changed, 60 insertions(+), 33 deletions(-)
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/translator/GridCustomExpressionTranslator.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/translator/GridCustomExpressionTranslator.java
index c4bf94ce45d..f3c2cfd6a6f 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/translator/GridCustomExpressionTranslator.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/translator/GridCustomExpressionTranslator.java
@@ -21,8 +21,6 @@ import static org.apache.commons.lang.StringEscapeUtils.escapeHtml;
 import java.util.ArrayList;
 import java.util.List;
-import org.apache.commons.lang.StringEscapeUtils;
-
 import ch.systemsx.cisd.openbis.generic.shared.basic.ExpressionUtil;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.AbstractExpression;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.GridCustomColumn;
@@ -111,7 +109,7 @@ public final class GridCustomExpressionTranslator
 result.setId(HibernateUtils.getId(expression));
 result.setModificationDate(expression.getModificationDate());
 result.setExpression(escapeHtml(expression.getExpression()));
- result.setDescription(StringEscapeUtils.escapeHtml(expression.getDescription()));
+ result.setDescription(escapeHtml(expression.getDescription()));
 result.setRegistrator(PersonTranslator.translate(expression.getRegistrator()));
 result.setRegistrationDate(expression.getRegistrationDate());
 result.setDatabaseInstance(DatabaseInstanceTranslator.translate(expression
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientService.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientService.java
index 5cd1f2c447a..7c319786941 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientService.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientService.java
@@ -39,6 +39,10 @@ public interface IQueryClientService extends IClientService
 /** Returns label of the database used for queries or null if it is not configured. */
 public String tryToGetQueryDatabaseLabel() throws UserFailureException;
+ /** Returns results of the query with specified id. */
+ public TableModelReference createQueryResultsReport(TechId queryId,
+ QueryParameterBindings bindingsOrNull) throws UserFailureException;
+
 /** Returns results of the specified SQL query. */
 public TableModelReference createQueryResultsReport(String sqlQuery,
 QueryParameterBindings bindingsOrNull) throws UserFailureException;
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientServiceAsync.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientServiceAsync.java
index b6c38752244..d19dc8fd3dc 100644
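Review bot: The Javadoc on the added `createQueryResultsReport(TechId queryId, ...)` does not say what distinguishes it from the String overload directly below it, which is the reason for this commit. Suggested text: `/** Returns results of the predefined query with the specified id; the SQL executed is the expression stored on the server for that query, so the SQL text itself is never taken from the client on this path. */`. The String overload remains in the interface, so its comment could in turn say it is the free-form path used when a user types SQL. Whether the two overloads are guarded by different server-side authorization cannot be seen from this interface.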
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientServiceAsync.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/IQueryClientServiceAsync.java
@@ -41,6 +41,10 @@ public interface IQueryClientServiceAsync extends IClientServiceAsync
 /** @see IQueryClientService#tryToGetQueryDatabaseLabel() */
 public void tryToGetQueryDatabaseLabel(AsyncCallback<String> callback);
+ /** @see IQueryClientService#createQueryResultsReport(TechId, QueryParameterBindings) */
+ public void createQueryResultsReport(TechId techId, QueryParameterBindings bindingsOrNull,
+ AsyncCallback<TableModelReference> callback);
+
 /** @see IQueryClientService#createQueryResultsReport(String, QueryParameterBindings) */
 public void createQueryResultsReport(String sqlQuery, QueryParameterBindings bindingsOrNull,
 AsyncCallback<TableModelReference> callback);
@@ -65,4 +69,5 @@ public interface IQueryClientServiceAsync extends IClientServiceAsync
 /** @see IQueryClientService#updateQuery(IExpressionUpdates) */
 public void updateQuery(final IExpressionUpdates queryUpdate, AsyncCallback<Void> callback);
+
 }
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/IQueryProvider.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/IQueryProvider.java
index 7d0e17125b8..34369263ac7 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/IQueryProvider.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/IQueryProvider.java
@@ -24,6 +24,8 @@ import ch.systemsx.cisd.openbis.plugin.query.shared.basic.dto.QueryParameterBind
 */
 public interface IQueryProvider extends IDatabaseModificationObserver
 {
+ Long tryGetQueryId();
+
 String tryGetSQLQuery();
 QueryParameterBindings tryGetQueryParameterBindings();
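Review bot: The async method names its first parameter `techId` while the synchronous declaration it mirrors, referenced by the `@see` tag on the line above, names it `queryId`. GWT sync/async pairs are easier to keep aligned when the names match, so `public void createQueryResultsReport(TechId queryId, QueryParameterBindings bindingsOrNull,` would be consistent with IQueryClientService. The value is the id of a predefined query, which `queryId` conveys and `techId` does not.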
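Review bot: `Long tryGetQueryId();` is added without Javadoc, yet its relation to `tryGetSQLQuery()` is exactly what QueryViewer.refresh() relies on in this patch (an id takes precedence, the SQL text is the fallback). Suggested comment above the new method: `/** Returns the id of the selected predefined query, or null if this provider only supplies free-form SQL via {@link #tryGetSQLQuery()}. */`. It would also help to state whether a provider that returns an id is still expected to return the matching SQL text, since QueryViewer passes that text to createReportInformationProvider even on the id path.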
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/QueryViewer.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/QueryViewer.java
index c23a42729f6..5243bf300bf 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/QueryViewer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/QueryViewer.java
@@ -31,6 +31,7 @@ import ch.systemsx.cisd.openbis.generic.client.web.client.application.ui.report.
 import ch.systemsx.cisd.openbis.generic.client.web.client.application.ui.report.ReportGeneratedCallback.IOnReportComponentGeneratedAction;
 import ch.systemsx.cisd.openbis.generic.client.web.client.application.util.IDelegatedAction;
 import ch.systemsx.cisd.openbis.generic.shared.basic.IReportInformationProvider;
+import ch.systemsx.cisd.openbis.generic.shared.basic.TechId;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.DatabaseModificationKind;
 import ch.systemsx.cisd.openbis.plugin.query.client.web.client.IQueryClientServiceAsync;
 import ch.systemsx.cisd.openbis.plugin.query.client.web.client.application.Constants;
@@ -86,16 +87,21 @@ public class QueryViewer extends ContentPanel implements IDatabaseModificationOb
 private void refresh()
 {
+ Long queryIdOrNull = queryProvider.tryGetQueryId();
 String sqlQueryOrNull = queryProvider.tryGetSQLQuery();
 QueryParameterBindings bindingsOrNull = queryProvider.tryGetQueryParameterBindings();
- if (sqlQueryOrNull != null)
+ ReportGeneratedCallback callback =
+ new ReportGeneratedCallback(viewContext.getCommonViewContext(),
+ createReportInformationProvider(sqlQueryOrNull),
+ createDisplayQueryResultsAction());
+ if (queryIdOrNull != null)
 {
- viewContext.getService().createQueryResultsReport(
- sqlQueryOrNull,
- bindingsOrNull,
- new ReportGeneratedCallback(viewContext.getCommonViewContext(),
- createReportInformationProvider(sqlQueryOrNull),
- createDisplayQueryResultsAction()));
+ viewContext.getService().createQueryResultsReport(new TechId(queryIdOrNull),
+ bindingsOrNull, callback);
+ } else if (sqlQueryOrNull != null)
+ {
+ viewContext.getService().createQueryResultsReport(sqlQueryOrNull, bindingsOrNull,
+ callback);
 }
 }
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCannedQueryToolbar.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCannedQueryToolbar.java
index 923099c6a3d..c65e7d66445 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCannedQueryToolbar.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCannedQueryToolbar.java
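Review bot: On the id branch the callback is still built with `createReportInformationProvider(sqlQueryOrNull)`, so the report is described from the SQL text the provider returns while the server executes the expression it has stored for that id; a comment at the callback construction, e.g. `// the SQL text only describes the report; for a predefined query the server runs the expression stored under its id`, stops the next reader from assuming the client-side text is what runs. The callback is also created before either null check, so when both values are null an object is built and nothing is sent — harmless, but a guard `if (queryIdOrNull == null && sqlQueryOrNull == null) { return; }` at the top of refresh() would make the no-op case explicit. The method is visible in full in this hunk.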
@@ -191,6 +191,12 @@ public class RunCannedQueryToolbar extends AbstractCustomQueryToolbar
 // ICustomQueryProvider
 //
+ public Long tryGetQueryId()
+ {
+ QueryExpression selectedQueryOrNull = querySelectionWidget.tryGetSelected();
+ return selectedQueryOrNull == null ? null : selectedQueryOrNull.getId();
+ }
+
 public String tryGetSQLQuery()
 {
 QueryExpression selectedQueryOrNull = querySelectionWidget.tryGetSelected();
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCustomQueryToolbar.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCustomQueryToolbar.java
index d871a08e0c5..3da7aced0f3 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCustomQueryToolbar.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/client/application/module/RunCustomQueryToolbar.java
@@ -69,6 +69,11 @@ public class RunCustomQueryToolbar extends AbstractCustomQueryToolbar
 // ICustomQueryProvider
 //
+ public Long tryGetQueryId()
+ {
+ return null;
+ }
+
 public String tryGetSQLQuery()
 {
 return queryField.getValue();
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/server/QueryClientService.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/server/QueryClientService.java
index 5c0d81d651e..768c216e075 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/server/QueryClientService.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/client/web/server/QueryClientService.java
@@ -103,6 +103,22 @@ public class QueryClientService extends AbstractClientService implements IQueryC
 }
 }
+ public TableModelReference createQueryResultsReport(TechId query,
+ QueryParameterBindings bindingsOrNull)
+ {
+ try
+ {
+ final String sessionToken = getSessionToken();
+ final TableModel tableModel =
+ queryServer.queryDatabase(sessionToken, query, bindingsOrNull);
+ String resultSetKey = saveInCache(tableModel.getRows());
+ return new TableModelReference(resultSetKey, tableModel.getHeader());
+ } catch (final UserFailureException e)
+ {
+ throw UserFailureExceptionTranslator.translate(e);
+ }
+ }
+
 public List<QueryExpression> listQueries()
 throws ch.systemsx.cisd.openbis.generic.client.web.client.exception.UserFailureException
 {
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
index ebabc090627..b2e12fc955e 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/server/QueryServer.java
@@ -21,6 +21,7 @@ import java.util.Properties;
 import javax.annotation.Resource;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.springframework.dao.DataAccessException;
 import org.springframework.stereotype.Component;
@@ -74,8 +75,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
 QueryServer(final ISessionManager<Session> sessionManager, final IDAOFactory daoFactory,
 final ISampleTypeSlaveServerPlugin sampleTypeSlaveServerPlugin,
- final IDataSetTypeSlaveServerPlugin dataSetTypeSlaveServerPlugin,
- IDAO dao)
+ final IDataSetTypeSlaveServerPlugin dataSetTypeSlaveServerPlugin, IDAO dao)
 {
 super(sessionManager, daoFactory, sampleTypeSlaveServerPlugin, dataSetTypeSlaveServerPlugin);
 this.dao = dao;
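Review bot: The new `createQueryResultsReport(TechId, ...)` repeats the session-token / translate / cache sequence that presumably also forms the String overload ending just above the hunk (only its closing braces are visible), and it names the parameter `query` where the interface declares `queryId`. Pulling the caching step into a private helper keeps the two overloads identical except for the server call, so a later change to how results are cached or how UserFailureException is translated cannot drift between the SQL path and the id path. A sketch follows; the String overload would call the same helper.
```java
    public TableModelReference createQueryResultsReport(TechId queryId,
            QueryParameterBindings bindingsOrNull)
    {
        try
        {
            final TableModel tableModel =
                    queryServer.queryDatabase(getSessionToken(), queryId, bindingsOrNull);
            return createTableModelReference(tableModel);
        } catch (final UserFailureException e)
        {
            throw UserFailureExceptionTranslator.translate(e);
        }
    }

    /** Caches the rows of the given table model and returns a reference to the cached result set. */
    private TableModelReference createTableModelReference(TableModel tableModel)
    {
        String resultSetKey = saveInCache(tableModel.getRows());
        return new TableModelReference(resultSetKey, tableModel.getHeader());
    }
```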
@@ -188,7 +188,8 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
 {
 IQueryDAO queryDAO = getDAOFactory().getQueryDAO();
 QueryPE query = queryDAO.getByTechId(queryId);
- return queryDatabase(query.getExpression(), bindings);
+ String expression = StringEscapeUtils.unescapeHtml(query.getExpression());
+ return queryDatabase(expression, bindings);
 } catch (DataAccessException ex)
 {
 throw new UserFailureException(ex.getMostSpecificCause().getMessage(), ex);
@@ -199,7 +200,7 @@ public class QueryServer extends AbstractServer<IQueryServer> implements IQueryS
 {
 return getDAO().query(sqlQuery, bindings);
 }
-
+
 private IDAO getDAO()
 {
 if (dao == null)
diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/basic/dto/QueryExpression.java b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/basic/dto/QueryExpression.java
index eba620b45d5..56cb8631e68 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/basic/dto/QueryExpression.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/plugin/query/shared/basic/dto/QueryExpression.java
@@ -16,8 +16,6 @@ package ch.systemsx.cisd.openbis.plugin.query.shared.basic.dto;
-import java.util.List;
-
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.AbstractExpressionWithParameters;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.ServiceVersionHolder;
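Review bot: `StringEscapeUtils.unescapeHtml(query.getExpression())` makes the encoding of the persisted expression part of the execution path: the server now assumes QueryPE.getExpression() yields HTML-escaped SQL, whereas GridCustomExpressionTranslator (first file in this patch) escapes on the way out to the client, which suggests the database holds raw SQL. If the stored text is raw, any literal containing an entity-like sequence (`'&amp;'`, `'&lt;'`) is silently rewritten before it reaches the DAO; if it really is stored escaped, that contract belongs on the line, e.g. `// expression is persisted HTML-escaped; unescape before handing it to the SQL layer`, and the registration path should be checked to escape exactly once. The enclosing method's signature and its `try` lie above this hunk. Independently, the free-form `queryDatabase(String, ...)` overload in the next hunk still passes client-supplied SQL to `getDAO().query(...)` (its signature is above that hunk, and RunCustomQueryToolbar still sends the typed text through it), so the gain from the id-based path rests on that overload being restricted server-side to users allowed to author queries; the annotations that would enforce this are not visible in the diff.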
@@ -26,32 +24,18 @@ import ch.systemsx.cisd.openbis.generic.shared.basic.dto.ServiceVersionHolder;
 *
 * @author Piotr Buczek
 */
+// TODO 2010-02-23, Piotr Buczek: no need to use subclasses
 public class QueryExpression extends AbstractExpressionWithParameters
 {
 private static final long serialVersionUID = ServiceVersionHolder.VERSION;
- private List<String> allParameters;
-
 public QueryExpression()
 {
 }
- // TODO remove
- public List<String> getAllParameters()
- {
- return allParameters;
- }
-
- private void setAllParameters(List<String> allParameters)
- {
- this.allParameters = allParameters;
- }
-
- @Override
- public void setupParameters(List<String> allParameters)
+ public QueryExpression(String expression)
 {
- super.setupParameters(allParameters);
- setAllParameters(allParameters);
+ setExpression(expression);
 }
 }
--
GitLab
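Review bot: The new `QueryExpression(String expression)` constructor only calls `setExpression(expression)`; the removed `setupParameters` override shows that parameters used to be set up by a separate call, so unless `setExpression` in AbstractExpressionWithParameters derives them itself (not visible here), an instance built this way carries no parameter list. Either add a comment on the constructor stating that, or call `setupParameters` there if callers need bindings to be recognised. The `// TODO 2010-02-23, Piotr Buczek: no need to use subclasses` line sits between the class Javadoc's closing `*/` and the `public class` declaration; moving it above the Javadoc, or into it as a note, keeps the doc comment adjacent to the declaration it documents.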