/** * Check if the user is in the workgroup id * * @param user the user * @param workgroupId the workgroup id * @return whether the user is in the workgroup */ private boolean isUserInWorkgroupId(User user, Long workgroupId) { boolean result = false; if (user != null && workgroupId != null) { // get all the workgroups this user is in List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(user); Iterator<Workgroup> workgroupsForUserIterator = workgroupsForUser.iterator(); // loop through all the workgroups this user is in while (workgroupsForUserIterator.hasNext()) { // get a workgroup Workgroup tempWorkgroup = workgroupsForUserIterator.next(); if (tempWorkgroup != null) { // get the workgroup id Long tempWorkgroupId = tempWorkgroup.getId(); // check if the workgroup id matches the one we are searching for if (workgroupId.equals(tempWorkgroupId)) { // the workgroup id matches so the user is in the workgroup result = true; break; } } } } return result; }
private boolean authorize(HttpServletRequest request) { String method = request.getMethod(); User signedInUser = ControllerUtil.getSignedInUser(); Collection<? extends GrantedAuthority> authorities = signedInUser.getUserDetails().getAuthorities(); Long signedInUserId = null; for (GrantedAuthority authority : authorities) { if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) { return true; } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) { // the signed in user is a teacher String type = request.getParameter("type"); if ("cRater".equals(type)) { // any teacher can make a cRater request return true; } Run run = null; try { // get the run object run = runService.retrieveById(new Long(request.getParameter("runId"))); } catch (NumberFormatException e) { e.printStackTrace(); } catch (ObjectNotFoundException e) { e.printStackTrace(); } if (run == null) { // we could not find the run return false; } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) { // the teacher has write permission for the run so we will allow authorization return true; } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) { // the teacher only has read permission for the run if (method.equals("GET")) { // we will allow authorization for GET requests return true; } else if (method.equals("POST")) { // we will deny authorization for POST requests since the teacher only has READ // permissions return false; } } } } if (method.equals("GET")) { String workgroupIdStr = ""; // only used for annotations String fromWorkgroupIdStr = ""; String type = request.getParameter("type"); String runIdString = request.getParameter("runId"); Long runId = null; if (runIdString != null) { runId = Long.parseLong(runIdString); } String periodString = request.getParameter("periodId"); Long period = null; if (periodString != null) { period = Long.parseLong(periodString); } if (runId != null) { try { // get the run Run offering = runService.retrieveById(runId); // get the workgroup for the signed in user List<Workgroup> workgroupListByOfferingAndUser = workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser); // get the workgroup Workgroup workgroup = workgroupListByOfferingAndUser.get(0); // get the workgroup id signedInUserId = workgroup.getId(); } catch (ObjectNotFoundException e1) { e1.printStackTrace(); } } // whether this GET request can access other workgroup's data boolean canAccessOtherWorkgroups = false; if (type == null) { workgroupIdStr = request.getParameter("userId"); } else if (type.equals("flag") || type.equals("inappropriateFlag")) { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } else if (type.equals("annotation")) { String annotationType = request.getParameter("annotationType"); if ("cRater".equals(annotationType)) { // anyone can make a cRater annotation return true; } workgroupIdStr = request.getParameter("toWorkgroup"); // get the fromWorkgroup id fromWorkgroupIdStr = request.getParameter("fromWorkgroup"); canAccessOtherWorkgroups = true; } else if (type.equals("brainstorm")) { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } else if (type.equals("aggregate")) { // student/teacher is trying to get other students' work so that it can be used to show // the aggregate view. nodeIds should be passed in. // Check that the nodeIds exist and that we can get the student data from them // in the VLE. if (request.getParameter("nodeIds") == null) { canAccessOtherWorkgroups = false; } else { if (request.getParameter("allStudents") != null && Boolean.valueOf(request.getParameter("allStudents"))) { return true; } else { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } } } else if (type.equals("journal")) { workgroupIdStr = request.getParameter("workgroupId"); } else if (type.equals("peerreview")) { // return true for now until logic is implemented return true; } else if (type.equals("xlsexport") || type.equals("specialExport")) { // TODO: need to check user permissions return true; } else if (type.equals("ideaBasket")) { return true; } else if (type.equals("studentAssetManager")) { return true; } else if (type.equals("xmppAuthenticate")) { return true; } else if (type.equals("cRater")) { // allow students to make cRater scoring requests String cRaterRequestType = request.getParameter("cRaterRequestType"); if ("scoring".equals(cRaterRequestType)) { return true; } } else if (type.equals("runStatus")) { // check if the user is the owner of the run or in the run if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) { return true; } } else { // this should never happen } if (workgroupIdStr == null || workgroupIdStr.equals("")) { return false; } // split up all the workgroup ids String[] workgroupIds = workgroupIdStr.split(":"); // check if this GET request can access other workgroups if (canAccessOtherWorkgroups) { // this GET request is allowed to access other workgroup work try { if (fromWorkgroupIdStr != null && !fromWorkgroupIdStr.equals("") && fromWorkgroupIdStr.equals(signedInUserId)) { /* * the signed in user id is the same as the from workgroup id so * we will allow it. this basically means the current user is * requesting the annotations that he/she wrote. */ return true; } else { // obtain all the workgroups of the classmates of the current user Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period); /* * see if the workgroupIds the user is trying to access is * in the above set of classmate workgroups, if all the * workgroupIds beingaccessed are allowed, it will return * true and allow it, otherwise it will return false and * deny access */ return elementsInCollection(workgroupIds, classmateWorkgroups); } } catch (ObjectNotFoundException e) { e.printStackTrace(); } } else { /* * this GET request is not allowed to access other workgroup work * it can only access the workgroup the current user is in */ // obtain all the workgroups that the current user is in List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser); /* * see if the workgroupIds the user is trying to access is in * the above list of workgroups, if all the workgroupIds being * accessed are allowed, it will return true and allow it, * otherwise it will return false and deny access */ return elementsInCollection(workgroupIds, workgroupsForUser); } return false; } else if (method.equals("POST")) { return true; } // other request methods are not authorized at this point return false; }