Index: lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java
===================================================================
diff -u -r29c474b2fa79cf5f02d92428915980fd5e0011fe -rf7fae354123a6a697f51884253e0e8900c3bfcea
--- lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java (.../LAMSBaseDAO.java) (revision 29c474b2fa79cf5f02d92428915980fd5e0011fe)
+++ lams_common/src/java/org/lamsfoundation/lams/dao/hibernate/LAMSBaseDAO.java (.../LAMSBaseDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
@@ -14,6 +14,7 @@
 import javax.persistence.criteria.CriteriaQuery;
 import javax.persistence.criteria.Root;
+import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.hibernate.Hibernate;
 import org.hibernate.HibernateException;
@@ -616,4 +617,11 @@
 public void releaseFromCache(Object o) {
 getSessionFactory().getCurrentSession().evict(o);
 }
-}
+
+ public static void sanitiseOrderBy(String sortOrder) {
+ if (StringUtils.isNotBlank(sortOrder) && !(sortOrder.equalsIgnoreCase("asc") || sortOrder.equalsIgnoreCase("desc"))) {
+ throw new IllegalArgumentException("Sort order must be one of \"asc\" or \"desc\"");
+ }
+ }
+}
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java
===================================================================
diff -u -r2188972474f8d186d6811e3dea2e4136be669335 -rf7fae354123a6a697f51884253e0e8900c3bfcea
--- lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java (.../QbDAO.java) (revision 2188972474f8d186d6811e3dea2e4136be669335)
+++ lams_common/src/java/org/lamsfoundation/lams/qb/dao/hibernate/QbDAO.java (.../QbDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
@@ -293,6 +293,8 @@
 } else {
 bldr.append(ORDER_BY_NAME);
 }
+
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 bldr.append(sortOrder);
 NativeQuery query = getSession().createNativeQuery(bldr.toString());
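Review bot: `sanitiseOrderBy` has no Javadoc, and its name suggests it returns a cleaned value when it only validates and throws; since this commit makes it the shared guard for every sort direction concatenated into native SQL, its contract should be spelled out on the method. Proposed Javadoc: `/** Allow-list check for an ORDER BY direction: accepts "asc" or "desc" (case-insensitive); null or blank passes through unchanged, so the caller must supply its own default. @throws IllegalArgumentException for any other value. */`. It deliberately says nothing about the sort column, so a caller that concatenates a column name still needs its own allow-list; `validateOrderByDirection` would describe the behaviour more accurately if a rename is acceptable.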
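Review bot: `bldr.append(sortOrder)` on the line after the new check still runs when `sortOrder` is null, because `sanitiseOrderBy` lets null and blank through, and `StringBuilder.append(String)` writes the literal text `null` into the ORDER BY clause. This is pre-existing, but the new guard is the natural place to pair it with a default, e.g. `bldr.append(StringUtils.defaultString(sortOrder));` (StringUtils is already used in QbDAO, see the @@ -494 hunk). Whether any caller can actually pass null is not visible here, so confirm before changing. The two AssessmentUserDAOHibernate hunks (@@ -131 and @@ -234) append `sortOrder` the same way and would take the same change, provided that file has StringUtils in scope. The enclosing method starts outside the hunk.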
@@ -494,6 +496,7 @@
 queryBuilder.append(" ORDER BY ").append(orderBy);
 }
 if (StringUtils.isNotBlank(orderDirection)) {
+ LAMSBaseDAO.sanitiseOrderBy(orderDirection);
 queryBuilder.append(" ").append(orderDirection);
 }
 }
Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java
===================================================================
diff -u -r8930fc245209059b46a7990d39b2aaf1a4371210 -rf7fae354123a6a697f51884253e0e8900c3bfcea
--- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java (.../GradebookDAO.java) (revision 8930fc245209059b46a7990d39b2aaf1a4371210)
+++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/dao/hibernate/GradebookDAO.java (.../GradebookDAO.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
@@ -24,7 +24,6 @@
 import java.util.List;
-import org.apache.commons.lang.StringUtils;
 import org.hibernate.query.NativeQuery;
 import org.hibernate.query.Query;
 import org.lamsfoundation.lams.dao.hibernate.LAMSBaseDAO;
@@ -271,7 +270,7 @@
 @Override
 public List getLessonsByGroupAndUser(final Integer userId, boolean staffOnly, final Integer orgId, int page, int size, String sortBy, String sortOrder, String searchString) {
- GradebookDAO.sanitiseSortOrder(sortOrder);
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 final String LOAD_LESSONS_ORDERED_BY_FIELDS = "SELECT DISTINCT lesson " + "FROM Lesson lesson, LearningDesign ld, {0} Organisation lo "
@@ -340,7 +339,7 @@
 @Override
 public List getUsersByLesson(Long lessonId, int page, int size, String sortBy, String sortOrder, String searchString) {
- GradebookDAO.sanitiseSortOrder(sortOrder);
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_lesson lesson, lams_group g, lams_user_group ug "
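Review bot: The new check validates `orderDirection` but not `orderBy`, which the context line at the top of the hunk concatenates into the query via `append(" ORDER BY ").append(orderBy)` with no check visible here. If `orderBy` can originate from a request parameter it needs an allow-list of permitted column names just as the direction now has; the enclosing method starts outside the hunk, so such a check may already exist earlier and should be confirmed. If it does not, a fixed map from accepted sort keys to column expressions, with anything else rejected, keeps the query's structure under the code's control rather than the caller's.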
@@ -408,7 +407,7 @@
 @Override
 public List getUsersByActivity(Long lessonId, Long activityId, int page, int size, String sortBy, String sortOrder, String searchString) {
- GradebookDAO.sanitiseSortOrder(sortOrder);
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_lesson lesson, lams_group g, lams_user_group ug "
@@ -469,7 +468,7 @@
 @Override
 public List getUsersByGroup(Long lessonId, Long activityId, Long groupId, int page, int size, String sortBy, String sortOrder, String searchString) {
- GradebookDAO.sanitiseSortOrder(sortOrder);
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 final String LOAD_LEARNERS_ORDERED_BY_NAME = "SELECT DISTINCT user.* " + " FROM lams_user_group ug " + " INNER JOIN lams_user user ON ug.user_id=user.user_id " + " WHERE ug.group_id=:groupId "
@@ -538,7 +537,7 @@
 */
 public List getUsersFromOrganisation(Integer orgId, int page, int size, String sortOrder, String searchString) {
- GradebookDAO.sanitiseSortOrder(sortOrder);
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 final String LOAD_LEARNERS_BY_ORG = "SELECT uo.user FROM UserOrganisation uo" + " WHERE uo.organisation.organisationId=:orgId"
@@ -621,11 +620,4 @@
 return getSession().createQuery(GET_ARCHIVED_ACTIVITY_MARKS, GradebookUserActivityArchive.class) .setParameter("activityId", activityId).setParameter("userId", userId).list();
 }
-
- static void sanitiseSortOrder(String sortOrder) {
- if (StringUtils.isNotBlank(sortOrder) && !(sortOrder.equalsIgnoreCase("asc") || sortOrder.equalsIgnoreCase("desc"))) {
- throw new IllegalArgumentException("Sort order must be one of \"asc\" or \"desc\"");
- }
- }
 }
\ No newline at end of file
Index: lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java
===================================================================
diff -u -rf299a43b38f1c06f1c9a0810b3ae6205b10e0269 -rf7fae354123a6a697f51884253e0e8900c3bfcea
--- lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java (.../AssessmentUserDAOHibernate.java) (revision f299a43b38f1c06f1c9a0810b3ae6205b10e0269)
+++ lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/dao/hibernate/AssessmentUserDAOHibernate.java (.../AssessmentUserDAOHibernate.java) (revision f7fae354123a6a697f51884253e0e8900c3bfcea)
@@ -131,6 +131,8 @@
 } else {
 bldr.append(LOAD_USERS_ORDERED_ORDER_BY_NAME);
 }
+
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 bldr.append(sortOrder);
 NativeQuery query = getSession().createNativeQuery(bldr.toString());
@@ -234,6 +236,8 @@
 } else {
 bldr.append(LOAD_USERS_ORDERED_ORDER_BY_NAME);
 }
+
+ LAMSBaseDAO.sanitiseOrderBy(sortOrder);
 bldr.append(sortOrder);
 NativeQuery query = getSession().createNativeQuery(bldr.toString());