Freitag, 12. Oktober 2007

Portal Stories - I tell you, that I did it - but I don't show it to you

After being shocked by a very "good" administrator who was not able to load a standard LDIF file after 2 hours of consecutive work, I realised that this day held a lot of potential for further problems. How darn right I was.

After deciding that it would suck too much to add 166 users manually to the OID via its Web-UI, I decided there must be at least a marginally better way to do it. I think I should tell you that the Web-UI for Oracle's latest production OID is a real "gem" in the software industry. It looks good, you get your job done - everything is perfect, at least as long as you only try to do one thing per day. Try to add several users to the OID, or try to add several existing users to a new group. You really should try it - then you will appreciate my solution.

Since adding 166 users to the OID manually didn't make me feel warm and fuzzy, I decided that it could be done programmatically (like the creation of the LDIF file was). So I asked my colleague to help me with WATiR (Web Application Testing in Ruby). After about one hour of pair-programming we had something that loads the users from a CSV file, drives Internet Explorer with the help of WATiR and enters the users "automagically" into the OID.

I like this piece of software really much - I was at lunch and WATiR added user after user to the OID.
After lunch I decided to do some cross-checking - maybe something went wrong, just in case. Since I thought it would suck again to look at each of these 166 users, I thought I'm "so clever": I will just look at the target group, and if its 166 members look okay, then everything *should* be okay.
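The two halves of that plan, turned into code: generating the user entries (plus the group membership) from the CSV, and counting the group's members afterwards as the cross-check the UI refused to show. This is an added example in Ruby, not the WATiR script from the post and not Oracle's tooling; it writes a standard LDIF file instead of driving Internet Explorer, so the output goes to ldapadd/ldapmodify rather than the Web-UI. The CSV rows, the base DN, the group DN and the inetOrgPerson/groupOfUniqueNames object classes are all constructed or assumed for the example. The one thing worth taking from it is the RFC 2849 rule it implements: a value with an umlaut (or a leading space or colon) cannot go into a plain `attr: value` line and must be base64-encoded after a double colon, which is the kind of detail a hand-written LDIF file tends to get wrong.

```ruby
require 'csv'

# Constructed sample input, in the shape the post's WATiR script read from CSV.
SAMPLE_CSV = <<~CSV
  uid,cn,sn,mail
  jdoe,John Doe,Doe,jdoe@example.com
  mmuster,Max Mustermann,Mustermann,mmuster@example.com
  kmueller,Käthe Müller,Müller,kmueller@example.com
CSV

# Assumed directory layout (hypothetical; a real OID realm has its own DNs).
USER_BASE = 'cn=Users,dc=example,dc=com'
GROUP_DN  = 'cn=portal_users,cn=Groups,dc=example,dc=com'

# RFC 2849 allows a plain "attr: value" line only for a SAFE-STRING: ASCII only,
# no NUL/CR/LF, and not starting with space, colon or '<'. Everything else
# (umlauts, for instance) has to be written base64-encoded after "attr:: ".
def ldif_line(attr, value)
  value = value.to_s
  safe = value.ascii_only? && !value.match?(/[\x00\r\n]/) && !value.match?(/\A[ :<]/)
  safe ? "#{attr}: #{value}" : "#{attr}:: #{[value].pack('m0')}"
end

def user_dn(uid)
  "cn=#{uid},#{USER_BASE}"
end

# One LDIF add record per CSV row.
def user_records(csv_text)
  CSV.parse(csv_text, headers: true).map do |row|
    [
      ldif_line('dn', user_dn(row['uid'])),
      'changetype: add',
      'objectClass: inetOrgPerson',
      ldif_line('uid', row['uid']),
      ldif_line('cn', row['cn']),
      ldif_line('sn', row['sn']),
      ldif_line('mail', row['mail'])
    ].join("\n")
  end
end

# One modify record that adds every user to the target group (groupOfUniqueNames).
def group_record(uids)
  header  = [ldif_line('dn', GROUP_DN), 'changetype: modify', 'add: uniquemember']
  members = uids.map { |uid| ldif_line('uniquemember', user_dn(uid)) }
  (header + members + ['-']).join("\n")
end

def build_ldif(csv_text)
  uids = CSV.parse(csv_text, headers: true).map { |row| row['uid'] }
  (user_records(csv_text) + [group_record(uids)]).join("\n\n") + "\n"
end

# The cross-check the post wanted from the UI: how many members does the group
# record actually list? Only plain "dn:" lines are matched, which is enough here
# because the group DN is ASCII.
def group_member_count(ldif_text, group_dn = GROUP_DN)
  in_group = false
  ldif_text.each_line.count do |line|
    line = line.chomp
    in_group = (line == "dn: #{group_dn}") if line.start_with?('dn:')
    in_group && line.start_with?('uniquemember:')
  end
end

puts build_ldif(SAMPLE_CSV) if $PROGRAM_NAME == __FILE__
```

Run it and feed the printed LDIF to ldapadd against a test directory; `group_member_count` on the same text gives the number the group should end up with, so a mismatch against what the directory reports after the import points at a failed entry rather than at a display bug.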

So, switch to the groups view, search for the desired group and click on edit *drum roll please*:

This group has 166 Members. All of the group Members could be retrieved in a timely manner. You can proceed to manage the group; however, the list of Members is not available to display at this time.


WTF. WTF? WTF! Are you kidding? All members could be retrieved and I can continue - but I won't see them? Now tell me what I should tell our customers: "Ehm, everything is ready - but we couldn't check it ..."

Sometimes it's really hard to believe that this piece of software is meant to be sold. This must be some kind of user study: "How much can they take?".

Please Oracle, try to use your software at least for one day with more than 5 users.

Montag, 30. Juli 2007

Enhancing your portal with (PL)SQL-Injection

Today I wanted to install a new, self-written portlet on Oracle Portal.
Since I have no access to the infrastructure and midtier databases, I had to install everything through the web interface.

BTW: Oracle - your textareas are way too small to use them for anything more than:

begin
null;
end;


In the middle of the installation I noticed that I could not install all parts of my portlet (tables, views, packages and triggers spread over several schemas).

After some research I found a very interesting link under Navigator - Database Objects - Create New...: "Script".
It displays a tiny textarea with the headline: "Enter a DML statement or PL/SQL Block".

Nice, I thought - so let's clear the log table with it:

truncate table log_entries;


But guess what it answered:
This statement is not supported.

Hm, but wait, it allows us to write PL/SQL - so let's try this again:

begin
execute immediate 'truncate table log_entries';
end;


Now the answer was:
PL/SQL Procedure successful.


Thank you, Oracle, for building such great PL/SQL- and SQL-injection-enabled admin interfaces :)

BTW:
If you want to create a package or trigger, you have to watch out for 3 things:
1) strip out all comments (needed for the next step)
2) make it a one-liner
3) replace all ' with ''' (3 times) - since you will put your code into another PL/SQL block.

Then just do:

begin
execute immediate ' < your_code_here > ';
end;


And you're done.
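The three preparation steps above, done by a script instead of by hand. This is an added example in Ruby (the language the post's automation was already written in), not code from the post or from Oracle Portal, and the trigger it rewrites is constructed for the example. It strips both PL/SQL comment styles without touching string literals (a `--` inside a literal is not a comment, and a naive regex strip would break it), collapses the block to one line, and escapes the quotes. On the last step it follows the standard PL/SQL rule rather than the post's count: every level of string nesting doubles each quote, so one level turns ' into '' and two levels into ''''; the `depth` parameter is there to match however many layers the Portal form really wraps around the input, which is the part you have to confirm against your own installation. It also makes the post's closing note concrete: the form's rejection of `truncate` as a statement is no control at all once the same form accepts a PL/SQL block, so the only check that counts is the grants held by the database session the Portal runs the block under.

```ruby
# Constructed sample: a trigger with both comment styles and a string literal
# that contains a comment marker, which a naive regex strip would mangle.
SAMPLE_TRIGGER = <<~PLSQL
  -- audit trigger for the log table
  create or replace trigger log_entries_bi
  before insert on log_entries
  for each row
  begin
    /* stamp the row; the literal below contains '--' on purpose */
    :new.created_by := 'portal -- not a comment';
  end;
PLSQL

# Step 1: strip -- and /* */ comments, but leave string literals alone
# (a '' inside a literal is a doubled quote, not the end of the string).
# q-quoted literals (q'[...]') are not handled.
def strip_plsql_comments(src)
  out = +''
  i = 0
  in_str = false
  while i < src.length
    c = src[i]
    if in_str
      if c == "'" && src[i + 1] == "'"
        out << "''"
        i += 2
      else
        in_str = false if c == "'"
        out << c
        i += 1
      end
    elsif src[i, 2] == '--'
      i += 1 while i < src.length && src[i] != "\n"   # drop to end of line, keep the newline
    elsif src[i, 2] == '/*'
      close = src.index('*/', i + 2)
      i = close ? close + 2 : src.length
    else
      in_str = true if c == "'"
      out << c
      i += 1
    end
  end
  out
end

# Step 2: one line, surplus whitespace collapsed
# (a string literal spanning lines would be altered, so keep those out of the input).
def to_one_liner(src)
  src.lines.map(&:strip).reject(&:empty?).join(' ')
end

# Step 3: escape for embedding in a PL/SQL string literal. Each level of
# nesting doubles every quote; depth is how many levels the form adds.
def quote_literal(src, depth = 1)
  src.gsub("'", "'" * (2**depth))
end

# The block to paste into the "Script" textarea.
def wrap_for_script_form(src, depth = 1)
  body = to_one_liner(strip_plsql_comments(src))
  "begin execute immediate '#{quote_literal(body, depth)}'; end;"
end

puts wrap_for_script_form(SAMPLE_TRIGGER) if $PROGRAM_NAME == __FILE__
```

For DDL with a PL/SQL body (a package or trigger) the trailing semicolon inside the literal stays, as in the sample; for a plain DML statement it has to go, since execute immediate would otherwise reject it.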

Notice: This doesn't circumvent security in any sense - you still need your rights inside the database (create table, package, trigger, ...). But since you can run this with the privileges of the Oracle Portal user (by default: portal), you can in fact "enhance" about anything in Oracle Portal you need to :)