require "digest"
require "open3"
require "openssl"
require "securerandom"
require "shellwords"
require "sqlite3"
  4.  
  5. # Anmol Srivastava | asrivas2 | 114101433 | TA: JT, 12 PM
  6.  
  7. # Things to fix - PART 1: (REMEMBER TO UPDATE DATA.DB IF YOU MAKE REAL CHANGES ON WEBSITE)
  8. # - Validate all command fields per BASH
  9. # - If user not allowed to use method, no action and FALSE
  10. # - @shell_pwd, @controller_pwd, latter is project directory path
  11. # - all session tokens revoked when an account is deleted.
  12. # - shell use restricted to project directory and its contents
  13. # - cannot delete data.db, controller.rb, or main.rb - SEE DIR AND FILE CLASSES IN RUBY
  14. # - database only allows access to menu and user profiles, not session data, etc.
  15.  
  16. # Things to do - Part 2:
  17. # - store passwords as salted hashes (digest/securerandom are already required) and verify the hash in authenticate instead of comparing plaintext
  18.  
  19. def non_injecting(str)
  20. if str =~ %r{[;,--]} or str =~ %r{[<,>,",&]} # Comment out the "
  21. return false
  22. end
  23. return true
  24. end
  25.  
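# Menu CRUD.
#
# Every method requires an authenticated session: authorize(@session_id)
# returns -1 both for an unknown SessionID and for a session row still
# bound to UserID -1, so "!= -1" means "logged in". Mutating methods return
# true when their statement ran and false when the caller was refused or an
# argument failed non_injecting (the original always returned false, which
# made success indistinguishable from denial).
#
# Values are handed to SQLite as bound parameters ("?") instead of being
# interpolated into the SQL text, so a name such as  x") OR 1=1 --  is stored
# literally rather than executed. Row ids bound as Strings are coerced by
# SQLite's INTEGER affinity on the RowID comparison.
module Menu
  # Insert a menu called +name+. Returns true on success, false otherwise.
  def create_menu(name)
    return false unless non_injecting(name) && authorize(@session_id) != -1
    @db.execute "INSERT INTO Menus (Name) VALUES (?)", [name]
    true
  end

  # All menus as [{ :id => rowid, :name => name }, ...], or false when the
  # session is not authenticated.
  def read_menu()
    return false if authorize(@session_id) == -1
    menus = []
    @db.execute "SELECT RowID, Name FROM Menus" do |row|
      menus << { :id => row[0], :name => row[1] }
    end
    menus
  end

  # Rename menu +id+ to +name+. Returns true on success, false otherwise.
  def update_menu(id, name)
    return false unless non_injecting(id) && non_injecting(name)
    return false if authorize(@session_id) == -1
    @db.execute "UPDATE Menus SET Name = ? WHERE RowID = ?", [name, id]
    true
  end

  # Delete menu +id+. Returns true on success, false otherwise.
  def delete_menu(id)
    return false unless non_injecting(id) && authorize(@session_id) != -1
    @db.execute "DELETE FROM Menus WHERE RowID = ?", [id]
    true
  end
end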
  60.  
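# Item CRUD, same contract as Menu: every method needs an authenticated
# session (authorize(@session_id) != -1); mutating methods return true when
# their statement ran and false when refused or when an argument fails
# non_injecting. All values are bound parameters, never interpolated.
#
# Menu and Price are bound exactly as given (String or Numeric). SQLite
# converts a numeric String on insert only when the column was declared
# with a numeric type — assumes Items.Menu / Items.Price are; TODO confirm
# against data.db.
module Item
  # Insert an item under menu id +menu+. Returns true on success.
  def create_item(menu, name, price, description)
    return false unless [menu, name, price, description].all? { |v| non_injecting(v) }
    return false if authorize(@session_id) == -1
    @db.execute "INSERT INTO Items (Menu, Name, Price, Description) VALUES (?, ?, ?, ?)",
                [menu, name, price, description]
    true
  end

  # All items as { :id, :menu, :name, :price, :description } hashes, or
  # false when the session is not authenticated.
  def read_item()
    return false if authorize(@session_id) == -1
    items = []
    @db.execute "SELECT RowID, Menu, Name, Price, Description FROM Items" do |row|
      items << { :id => row[0], :menu => row[1], :name => row[2], :price => row[3], :description => row[4] }
    end
    items
  end

  # Replace every column of item +id+. Returns true on success.
  def update_item(id, menu, name, price, description)
    return false unless [id, menu, name, price, description].all? { |v| non_injecting(v) }
    return false if authorize(@session_id) == -1
    @db.execute "UPDATE Items SET Menu = ?, Name = ?, Price = ?, Description = ? WHERE RowID = ?",
                [menu, name, price, description, id]
    true
  end

  # Delete item +id+. Returns true on success.
  def delete_item(id)
    return false unless non_injecting(id) && authorize(@session_id) != -1
    @db.execute "DELETE FROM Items WHERE RowID = ?", [id]
    true
  end
end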
  95.  
  96.  
  97. module User
  98. def create_user(name, password, admin, salary)
  99. if non_injecting name and non_injecting password and non_injecting salary and admin? @session_id then
  100. @db.execute_batch "INSERT INTO Users (Name, Password, Admin, Salary) VALUES(\"#{name}\", \"#{password}\", #{admin}, #{salary})"
  101. end
  102. return false
  103. end
  104.  
  105. def read_user()
  106. users = []
  107. @db.execute "SELECT RowID, Name, Password, Admin, Salary FROM Users" do |user|
  108. id, name, password, admin, salary = user[0], user[1], user[2], user[3], user[4]
  109. users << {:id => id, :name => name, :password => password, :admin => admin, :salary => salary}
  110. end
  111. if not admin?(@session_id) then
  112. user_id = authorize(@session_id)
  113. users.select! { |u| u[:id] == user_id }
  114. end
  115. return users
  116. end
  117.  
  118. def update_user(id, name, password, admin, salary)
  119. if non_injecting name and non_injecting password and non_injecting salary and (authorize @session_id) != -1 then
  120. if admin? @session_id then
  121. @db.execute_batch "UPDATE Users SET " +
  122. "Name = \"#{name}\", Password = \"#{password}\", " +
  123. "Admin = #{admin}, Salary = #{salary} WHERE RowID = #{id}"
  124. else
  125. if (authorize @session_id) == id then
  126. @db.execute_batch "UPDATE Users SET " +
  127. "Name = \"#{name}\", Password = \"#{password}\" WHERE RowID = #{id}"
  128. else
  129. return false
  130. end
  131. end
  132. end
  133. return false
  134. end
  135.  
  136. def delete_user(id)
  137. if authorize(@session_id) != id and admin? (@session_id) then
  138. @db.execute_batch "DELETE FROM Users WHERE RowID = #{id}"
  139. return true
  140. end
  141. return false
  142. end
  143. end
  144.  
  145. module Access
  146. def create_session()
  147. random = Random.new
  148. session_id = random.rand(1000000000)
  149. @db.execute_batch "INSERT INTO Sessions (SessionID, UserID) VALUES(#{session_id}, -1)"
  150. return session_id
  151. end
  152.  
  153. def authenticate(name, password)
  154. if non_injecting name and non_injecting password then
  155. session_id = create_session()
  156. user = nil
  157.  
  158. @db.execute "SELECT RowID FROM Users WHERE Name = \"#{name}\" AND Password = \"#{password}\"" do |u|
  159. user_id = u[0]
  160. escalate(user_id, session_id)
  161. return session_id
  162. end
  163.  
  164. return -1
  165. end
  166. return false
  167. end
  168.  
  169. def escalate(user_id, session_id)
  170. @db.execute_batch "UPDATE Sessions SET UserID = #{user_id} WHERE SessionID = #{session_id}"
  171. end
  172.  
  173. def admin?(session_id)
  174. user_id = authorize(session_id)
  175. @db.execute "SELECT Admin FROM Users WHERE RowID = #{user_id}" do |user|
  176. admin = user[0]
  177. return admin == 1
  178. end
  179. return false
  180. end
  181.  
  182. def authorize(session_id)
  183. @db.execute "SELECT UserID FROM Sessions WHERE SessionID = #{session_id}" do |session|
  184. user_id = session[0]
  185. return user_id
  186. end
  187. return -1
  188. end
  189.  
  190. def delete_session(session_id)
  191. @db.execute_batch "DELETE FROM Sessions WHERE SessionID = #{session_id}"
  192. end
  193.  
  194. def guard(page)
  195. if page == :dashboard and admin? @session_id then
  196. return true
  197. end
  198. if page == :menu and ((admin? @session_id) or ((authorize @session_id) != -1)) then
  199. return true
  200. end
  201. if page == :users and ((admin? @session_id) or ((authorize @session_id) != -1)) then
  202. return true
  203. end
  204. return false
  205. end
  206. end
  207.  
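# Admin-only command runner behind the web "shell".
#
# The command string is split into argv with Shellwords and started WITHOUT
# a shell (Open3, with the [path, argv0] form so Ruby never falls back to
# /bin/sh for a lone string), so  ;  |  $(...)  and friends are ordinary
# arguments rather than control characters. The child runs in @shell_pwd via
# the :chdir spawn option instead of chdir-ing the controller process, which
# the original did and then failed to undo on the `cd` path. `cd` is handled
# here and confined to @controller_pwd and its subtree.
#
# NOTE(review): this is still arbitrary code execution for whoever holds an
# admin session — argv execution stops metacharacter tricks, not what a
# program does by itself (`rm`, `sh -c`, `ruby -e`, or reading any file by
# absolute path all still work). The header's "cannot delete data.db /
# controller.rb / main.rb" and "restricted to project directory" items need
# an allowlist of permitted programs plus path checks on their arguments,
# or a real sandbox; neither is implemented here.
module Terminal
  # Run +command+ for an admin session.
  # Returns the combined stdout+stderr String, "" after a successful `cd`,
  # and false when the caller is not admin, the command is empty or has
  # unbalanced quotes, `cd` would leave the project directory, or the
  # program cannot be started.
  def shell(command)
    return false unless admin?(@session_id)
    argv = parse_command(command)
    return false if argv.nil? || argv.empty?
    return change_directory(argv[1]) if argv.first == "cd"
    begin
      output, _status = Open3.capture2e([argv[0], argv[0]], *argv[1..-1], :chdir => @shell_pwd)
      output
    rescue Errno::ENOENT, Errno::EACCES
      false
    end
  end

  # Shell-style word split of +command+; nil when the quoting is unbalanced.
  def parse_command(command)
    Shellwords.split(command.to_s)
  rescue ArgumentError
    nil
  end

  # `cd` handling: resolve +target+ (default: the project root) against the
  # current shell directory and accept it only if it is an existing directory
  # at or below @controller_pwd. realpath follows symlinks, so a link that
  # points out of the tree is rejected too. Returns "" on success, false
  # otherwise.
  def change_directory(target)
    root = File.realpath(@controller_pwd)
    wanted = File.expand_path(target.to_s.empty? ? root : target.to_s, @shell_pwd)
    return false unless File.directory?(wanted)
    resolved = File.realpath(wanted)
    return false unless resolved == root || resolved.start_with?(root + File::SEPARATOR)
    @shell_pwd = resolved
    ""
  end
end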
  242.  
  243. #
  244. # NOTICE: You DO NOT need to modify anything below this point.
  245. # Modifications below this point may cause you to FAIL
  246. # our tests.
  247. #
  248.  
# Read-only view helper. This sits below the "do not modify" notice, so the
# code is left as is and only comments are added.
module Util
  # Build { :menus => [{ :name => menu_name, :items => [{ :name, :price,
  # :description }, ...] }, ...] } from read_menu and read_item. Items are
  # attached to their menu by looking the item's Menu id up in id_to_name and
  # then finding the menu entry with that name.
  #
  # NOTE(review): read_menu and read_item return false for an unauthenticated
  # session, and `false.each` raises NoMethodError — callers are expected to
  # guard first. An item whose Menu id was not returned by read_menu makes
  # `menus.find { ... }` nil, and the `[:items]` call then raises; two menus
  # sharing a name would be collapsed onto the first. Both depend on data.db
  # contents and are flagged rather than changed.
  def collate_menus()
    menus = []
    result = { :menus => menus }
    id_to_name = {}

    read_menu.each do |menu|
      id, name = menu[:id], menu[:name]
      id_to_name[id] = name
      menus << { :name => name, :items => [] }
    end

    read_item.each do |item|
      menu, name, price, description = item[:menu], item[:name], item[:price], item[:description]
      (menus.find { |m| m[:name] == id_to_name[menu] })[:items] << { :name => name, :price => price, :description => description }
    end

    return result
  end
end
  269.  
# Glue class: mixes in every module above and owns the state they share
# (@db, @session_id, @shell_pwd, @controller_pwd). Below the "do not modify"
# notice, so comments only.
class Controller
  include Menu
  include Item
  include User
  include Access
  include Terminal
  include Util

  # session_id is the value the modules read as @session_id — presumably
  # assigned per request by main.rb from the client's cookie (TODO confirm).
  # shell_pwd is the Terminal module's current working directory.
  attr_accessor :session_id, :shell_pwd
  # db is the SQLite handle; controller_pwd is the process directory at
  # construction time, which the Terminal module treats as the project root.
  attr_reader :db, :controller_pwd

  def initialize()
    # "data.db" is a relative path, so the controller must be constructed
    # with the process cwd set to the project directory.
    @db = SQLite3::Database.new "data.db"
    @shell_pwd = Dir.pwd      # the shell starts in the project directory
    @controller_pwd = Dir.pwd # remembered so Terminal can return to / confine to it
    @session_id = -1          # no session until the caller assigns one; authorize(-1) yields -1
  end
end