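/**
 * Routes a GET request to the handler or vlewrapper resource selected by the {@code type}
 * request parameter, after copying run-related data into request attributes where the
 * target needs it.
 *
 * <p>This method performs no access checks of its own. NOTE(review): presumably the caller
 * has already approved the request (e.g. via {@code authorize(request)}) -- confirm at the
 * call site, because every parameter read here ({@code type}, {@code runId},
 * {@code periodId}, {@code allStudents}) is caller-controlled.
 *
 * <p>A {@code runId} or {@code periodId} that is not a valid long is answered with
 * 400 Bad Request instead of letting the parse failure escape as an unchecked exception.
 *
 * @param request the incoming request
 * @param response the response the selected target writes to
 * @return always {@code null}; the forwarded resource or delegated handler produces the output
 * @throws ServletException if the vlewrapper context is unavailable or the target fails
 * @throws IOException if the target fails while reading or writing
 */
private ModelAndView handleGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String type = request.getParameter("type");
    // getContext can return null when the container restricts cross-context access;
    // that case is checked just before forwarding
    ServletContext vleWrapperContext = this.getServletContext().getContext("/vlewrapper");

    User user = ControllerUtil.getSignedInUser();
    CredentialManager.setRequestCredentials(request, user);

    // get the run id
    Long runId = null;
    String runIdString = request.getParameter("runId");
    if (runIdString != null) {
      try {
        runId = Long.parseLong(runIdString);
      } catch (NumberFormatException e) {
        // runId comes straight from the client; reject a malformed value explicitly
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return null;
      }
    }

    Run run = null;
    if (runId != null) {
      try {
        // get the run object
        run = runService.retrieveById(runId);
      } catch (ObjectNotFoundException e1) {
        // run stays null; the branches below pass it on as-is
        e1.printStackTrace();
      }
    }

    // path inside the vlewrapper context to forward to; null when the branch delegates
    // to a handler or when the type is not recognised
    String forwardPath = null;

    if (type == null || type.equals("brainstorm")) {
      // get student data
      forwardPath = "/getdata.html";
    } else if (type.equals("aggregate")) {
      // NOTE(review): run is null when runId is absent or unknown -- confirm that
      // setProjectPath copes with that
      setProjectPath(run, request); // set the project path into the request object
      if (Boolean.parseBoolean(request.getParameter("allStudents"))) {
        // request for all students' work in the run: look up the run's workgroups and
        // place their ids, each followed by ':', in the "userId" attribute
        StringBuilder workgroupIdStr = new StringBuilder();
        try {
          Set<Workgroup> workgroups = runService.getWorkgroups(runId);
          for (Workgroup workgroup : workgroups) {
            workgroupIdStr.append(workgroup.getId()).append(':');
          }
          request.setAttribute("userId", workgroupIdStr.toString());
        } catch (ObjectNotFoundException e) {
          // best effort: the attribute is simply not set, but leave a trace of the failure
          e.printStackTrace();
        }
      }
      forwardPath = "/getdata.html";
    } else if (type.equals("flag")
        || type.equals("inappropriateFlag")
        || type.equals("annotation")) { // get flags
      /*
       * set the user info JSONObjects into the request so the vlewrapper servlet
       * has access to the teacher and classmate info
       */
      setUserInfos(run, request);
      setCRaterAttributes(request);
      forwardPath = "/annotations.html";
    } else if (type.equals("journal")) {
      forwardPath = "/journaldata.html";
    } else if (type.equals("peerreview")) {
      // get the period id
      Long period = null;
      String periodString = request.getParameter("periodId");
      if (periodString != null) {
        try {
          period = Long.parseLong(periodString);
        } catch (NumberFormatException e) {
          // periodId is client-supplied as well; same treatment as runId
          response.sendError(HttpServletResponse.SC_BAD_REQUEST);
          return null;
        }
      }

      try {
        /*
         * set the number of students in the class period for when we need
         * to calculate peer review opening
         */
        Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
        request.setAttribute("numWorkgroups", classmateWorkgroups.size());
      } catch (ObjectNotFoundException e) {
        e.printStackTrace();
      }
      forwardPath = "/peerreview.html";
    } else if (type.equals("xlsexport") || type.equals("specialExport")) {
      // set the user info, project path and project meta data into the request object
      setUserInfos(run, request);
      setProjectPath(run, request);
      setProjectMetaData(run, request);

      // regular exports and special exports are served by different resources
      forwardPath = type.equals("xlsexport") ? "/getxls.html" : "/getSpecialExport.html";
    } else if (type.equals("ideaBasket")) {
      handleIdeaBasket(request, response);
    } else if (type.equals("studentAssetManager")) {
      handleStudentAssetManager(request, response);
    } else if (type.equals("viewStudentAssets")) {
      handleViewStudentAssets(request, response);
    } else if (type.equals("xmppAuthenticate")) {
      // only handled when this portal is xmpp enabled; parseBoolean treats a missing
      // property as false
      if (Boolean.parseBoolean(portalProperties.getProperty("isXMPPEnabled"))) {
        handleWISEXMPPAuthenticate(request, response);
      }
    } else if (type.equals("cRater")) {
      setCRaterAttributes(request);
      forwardPath = "/cRater.html";
    } else if (type.equals("chatLog")) {
      forwardPath = "/chatLog.html";
    } else if (type.equals("studentStatus")) {
      forwardPath = "/studentStatus.html";
    } else if (type.equals("runStatus")) {
      forwardPath = "/runStatus.html";
    }

    if (forwardPath != null) {
      if (vleWrapperContext == null) {
        throw new ServletException("the /vlewrapper servlet context is not available");
      }
      RequestDispatcher requestDispatcher = vleWrapperContext.getRequestDispatcher(forwardPath);
      requestDispatcher.forward(request, response);
    }

    return null;
  }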
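  /**
   * Decides whether the signed-in user may make this request.
   *
   * <p>An admin is always allowed. A teacher is allowed any {@code cRater} request, any
   * request on a run they hold WRITE permission for, and GET requests on a run they hold
   * READ permission for. Every caller not settled by those rules is judged by the
   * per-{@code type} GET rules below, and every POST from such a caller is allowed.
   *
   * <p>Malformed {@code runId}/{@code periodId} values, a missing signed-in user, and a
   * caller with no workgroup in the named run are denied (return {@code false}) rather than
   * surfacing as unchecked exceptions.
   *
   * <p>NOTE(review): several branches return {@code true} without any ownership or
   * membership check; they are marked inline and left as they were, because tightening them
   * is a policy decision this method alone cannot settle.
   *
   * @param request the incoming request; {@code type}, {@code runId}, {@code periodId} and
   *     the workgroup id parameters read from it are all caller-controlled
   * @return {@code true} to allow the request, {@code false} to deny it
   */
  private boolean authorize(HttpServletRequest request) {
    String method = request.getMethod();
    User signedInUser = ControllerUtil.getSignedInUser();
    if (signedInUser == null) {
      // no authenticated user to evaluate: fail closed
      return false;
    }
    Collection<? extends GrantedAuthority> authorities =
        signedInUser.getUserDetails().getAuthorities();
    Long signedInUserId = null;
    for (GrantedAuthority authority : authorities) {
      if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
        return true;
      } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
        // the signed in user is a teacher

        String type = request.getParameter("type");
        if ("cRater".equals(type)) {
          // any teacher can make a cRater request
          return true;
        }

        Run run = null;
        try {
          // get the run object; a missing or malformed runId raises NumberFormatException
          run = runService.retrieveById(Long.valueOf(request.getParameter("runId")));
        } catch (NumberFormatException e) {
          e.printStackTrace();
        } catch (ObjectNotFoundException e) {
          e.printStackTrace();
        }

        if (run == null) {
          // we could not find the run
          return false;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
          // the teacher has write permission for the run so we will allow authorization
          return true;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
          // the teacher only has read permission for the run

          if (method.equals("GET")) {
            // we will allow authorization for GET requests
            return true;
          } else if (method.equals("POST")) {
            // we will deny authorization for POST requests since the teacher only has READ
            // permissions
            return false;
          }
        }
        // NOTE(review): a teacher with neither WRITE nor READ on the run is not denied
        // here; the loop continues and the request is judged by the rules below, where
        // POST is always allowed. A READ-only teacher is therefore treated more strictly
        // than a teacher with no permission at all -- confirm this is intended.
      }
    }
    if (method.equals("GET")) {
      String workgroupIdStr = "";

      // only used for annotations
      String fromWorkgroupIdStr = "";

      String type = request.getParameter("type");

      String runIdString = request.getParameter("runId");
      String periodString = request.getParameter("periodId");
      Long runId = null;
      Long period = null;
      try {
        if (runIdString != null) {
          runId = Long.parseLong(runIdString);
        }
        if (periodString != null) {
          period = Long.parseLong(periodString);
        }
      } catch (NumberFormatException e) {
        // malformed id from the client: deny, matching how the teacher branch treats
        // an unparsable runId
        return false;
      }

      if (runId != null) {
        try {
          // get the run
          Run offering = runService.retrieveById(runId);

          // get the workgroup for the signed in user
          List<Workgroup> workgroupListByOfferingAndUser =
              workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);

          if (workgroupListByOfferingAndUser.isEmpty()) {
            // The caller has no workgroup in this run. Taking element 0 of the empty list
            // used to abort the request with an unchecked exception; deny explicitly so
            // the outcome does not depend on how the caller handles that exception.
            return false;
          }

          // get the workgroup
          Workgroup workgroup = workgroupListByOfferingAndUser.get(0);

          // get the workgroup id
          signedInUserId = workgroup.getId();
        } catch (ObjectNotFoundException e1) {
          // NOTE(review): an unknown run is only logged; evaluation continues and the
          // unconditional branches below can still allow the request
          e1.printStackTrace();
        }
      }

      // whether this GET request can access other workgroup's data
      boolean canAccessOtherWorkgroups = false;

      if (type == null) {
        workgroupIdStr = request.getParameter("userId");
      } else if (type.equals("flag") || type.equals("inappropriateFlag")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("annotation")) {
        String annotationType = request.getParameter("annotationType");
        if ("cRater".equals(annotationType)) {
          // anyone can make a cRater annotation
          return true;
        }
        workgroupIdStr = request.getParameter("toWorkgroup");

        // get the fromWorkgroup id
        fromWorkgroupIdStr = request.getParameter("fromWorkgroup");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("brainstorm")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("aggregate")) {
        // student/teacher is trying to get other students' work so that it can be used to show
        // the aggregate view. nodeIds should be passed in.
        // Check that the nodeIds exist and that we can get the student data from them
        // in the VLE.
        if (request.getParameter("nodeIds") == null) {
          canAccessOtherWorkgroups = false;
        } else {
          if (request.getParameter("allStudents") != null
              && Boolean.valueOf(request.getParameter("allStudents"))) {
            // NOTE(review): allowed on the strength of two request parameters alone; no
            // classmate or period check is made before all students' work is released
            return true;
          } else {
            workgroupIdStr = request.getParameter("userId");
            canAccessOtherWorkgroups = true;
          }
        }
      } else if (type.equals("journal")) {
        workgroupIdStr = request.getParameter("workgroupId");
      } else if (type.equals("peerreview")) {
        // return true for now until logic is implemented
        // NOTE(review): still unconditional
        return true;
      } else if (type.equals("xlsexport") || type.equals("specialExport")) {
        // TODO: need to check user permissions
        // NOTE(review): exports are allowed to any caller that reaches this point; when
        // runId is absent, not even the workgroup lookup above has run
        return true;
      } else if (type.equals("ideaBasket")) {
        return true;
      } else if (type.equals("studentAssetManager")) {
        return true;
      } else if (type.equals("xmppAuthenticate")) {
        return true;
      } else if (type.equals("cRater")) {
        // allow students to make cRater scoring requests
        String cRaterRequestType = request.getParameter("cRaterRequestType");
        if ("scoring".equals(cRaterRequestType)) {
          return true;
        }
      } else if (type.equals("runStatus")) {
        // check if the user is the owner of the run or in the run
        if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
          return true;
        }
      } else {
        // this should never happen
        // any type not listed above leaves workgroupIdStr empty and is denied just below
      }

      if (workgroupIdStr == null || workgroupIdStr.equals("")) {
        return false;
      }
      // split up all the workgroup ids
      String[] workgroupIds = workgroupIdStr.split(":");

      // check if this GET request can access other workgroups
      if (canAccessOtherWorkgroups) {
        // this GET request is allowed to access other workgroup work
        try {
          // NOTE(review): fromWorkgroupIdStr is a String and signedInUserId a Long, so the
          // last equals() below is always false and this shortcut never fires. It is left
          // unchanged on purpose: correcting the comparison would switch on an allow path
          // that skips the classmate check on toWorkgroup, which should be a deliberate
          // decision.
          if (fromWorkgroupIdStr != null
              && !fromWorkgroupIdStr.equals("")
              && fromWorkgroupIdStr.equals(signedInUserId)) {
            /*
             * the signed in user id is the same as the from workgroup id so
             * we will allow it. this basically means the current user is
             * requesting the annotations that he/she wrote.
             */
            return true;
          } else {
            // obtain all the workgroups of the classmates of the current user
            // NOTE(review): runId and period both come from the request, so "classmates"
            // means the run/period the caller named -- confirm that getWorkgroups limits
            // this appropriately, including when period or runId is null
            Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);

            /*
             * see if the workgroupIds the user is trying to access is
             * in the above set of classmate workgroups, if all the
             * workgroupIds being accessed are allowed, it will return
             * true and allow it, otherwise it will return false and
             * deny access
             */
            return elementsInCollection(workgroupIds, classmateWorkgroups);
          }
        } catch (ObjectNotFoundException e) {
          // falls through to the deny at the end of the GET rules
          e.printStackTrace();
        }
      } else {
        /*
         * this GET request is not allowed to access other workgroup work
         * it can only access the workgroup the current user is in
         */

        // obtain all the workgroups that the current user is in
        List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser);

        /*
         * see if the workgroupIds the user is trying to access is in
         * the above list of workgroups, if all the workgroupIds being
         * accessed are allowed, it will return true and allow it,
         * otherwise it will return false and deny access
         */
        return elementsInCollection(workgroupIds, workgroupsForUser);
      }

      return false;
    } else if (method.equals("POST")) {
      // NOTE(review): every POST that reaches this point is allowed without a run,
      // workgroup or type check; any write protection has to come from the POST handler
      // itself -- confirm that it does
      return true;
    }
    // other request methods are not authorized at this point
    return false;
  }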