/**
   * Make sure the signed in user is allowed to POST the data they are trying to POST. The user
   * should only be trying to update their own student status.
   *
   * @param request
   * @param response
   * @return
   */
  private boolean authenticateRunStatusPOST(
      HttpServletRequest request, HttpServletResponse response) {
    boolean result = false;

    // get the signed in user
    User user = ControllerUtil.getSignedInUser();

    // get the parameters from the request
    String runIdString = request.getParameter("runId");
    String status = request.getParameter("status");

    try {
      // get the run id
      Long runId = Long.parseLong(runIdString);

      // check if the user is the owner of the run and the status is not null
      if (isUserOwnerOfRun(user, runId) && status != null) {
        result = true;
      }
    } catch (NumberFormatException e) {
      e.printStackTrace();
    }

    return result;
  }
  /**
   * Make sure the signed in user is allowed to POST the data they are trying to POST. The user
   * should only be trying to update their own student status.
   *
   * @param request
   * @param response
   * @return
   */
  private boolean authenticateStudentStatusPOST(
      HttpServletRequest request, HttpServletResponse response) {
    boolean result = false;

    // get the signed in user
    User user = ControllerUtil.getSignedInUser();

    // get the parameters from the request
    String runIdString = request.getParameter("runId");
    String periodIdString = request.getParameter("periodId");
    String workgroupIdString = request.getParameter("workgroupId");
    String status = request.getParameter("status");

    try {
      Long runId = Long.parseLong(runIdString);
      Long periodId = Long.parseLong(periodIdString);
      Long workgroupId = Long.parseLong(workgroupIdString);

      // make sure the user is in the run, in the period, and is in the workgroup
      if (isUserInRun(user, runId)
          && isUserInPeriod(user, runId, periodId)
          && isUserInWorkgroupId(user, workgroupId)
          && status != null) {
        result = true;
      }

    } catch (NumberFormatException e) {
      e.printStackTrace();
    }

    return result;
  }
  /**
   * @see
   *     org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest,
   *     javax.servlet.http.HttpServletResponse)
   */
  @Override
  protected ModelAndView handleRequestInternal(
      HttpServletRequest request, HttpServletResponse response) throws Exception {
    // check if user is logged in
    if (ControllerUtil.getSignedInUser() == null) {
      response.sendRedirect("/webapp/login.html");
      return null;
    }
    boolean authorized = authorize(request);
    if (!authorized) {
      // if request is for posting unsaved data and the user is not the same user as the one that
      // should be posting it,
      // forward them to the homepage
      if (request.getRequestURI().equals("/webapp/bridge/postdata.html")) {
        User signedInUser = ControllerUtil.getSignedInUser();
        if (signedInUser.getUserDetails() instanceof TeacherUserDetails) {
          response.sendRedirect(
              "/webapp" + TelsAuthenticationProcessingFilter.TEACHER_DEFAULT_TARGET_PATH);
          return null;
        } else if (signedInUser.getUserDetails() instanceof StudentUserDetails) {
          response.sendRedirect(
              "/webapp" + TelsAuthenticationProcessingFilter.STUDENT_DEFAULT_TARGET_PATH);
          return null;
        } else {
          response.sendError(
              HttpServletResponse.SC_UNAUTHORIZED, "You are not authorized to access this page");
          return null;
        }
      } else {
        response.sendError(
            HttpServletResponse.SC_UNAUTHORIZED, "You are not authorized to access this page");
        return null;
      }
    }
    String method = request.getMethod();
    if (method.equals("GET")) {
      return handleGet(request, response);
    } else if (method.equals("POST")) {
      return handlePost(request, response);
    }

    // we only handle GET and POST requests at this point.
    return null;
  }
  private void handleStudentAssetManager(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    ServletContext servletContext2 = this.getServletContext();
    ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
    User user = ControllerUtil.getSignedInUser();
    String studentuploads_base_dir = portalProperties.getProperty("studentuploads_base_dir");

    try {
      // get the run
      String runId = request.getParameter("runId");
      Run run = runService.retrieveById(new Long(runId));

      // get the project id
      Project project = run.getProject();
      Serializable projectId = project.getId();

      // set the project id into the request so the vlewrapper controller has access to it
      request.setAttribute("projectId", projectId + "");

      // get the workgroup id
      List<Workgroup> workgroupListByOfferingAndUser =
          workgroupService.getWorkgroupListByOfferingAndUser(run, user);
      Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
      Long workgroupId = workgroup.getId();

      // set the workgroup id into the request so the vlewrapper controller has access to it
      request.setAttribute(
          "dirName",
          run.getId()
              + "/"
              + workgroupId
              + "/unreferenced"); // looks like /studentuploads/[runId]/[workgroupId]/unreferenced
      String commandParamter = request.getParameter("command");
      if (commandParamter != null && "studentAssetCopyForReference".equals(commandParamter)) {
        request.setAttribute(
            "referencedDirName",
            run.getId()
                + "/"
                + workgroupId
                + "/referenced"); // if we're copying student asset for reference, also pass along
                                  // the referenced dir. looks like
                                  // /studentuploads/[runId]/[workgroupId]/referenced
      }
      if (studentuploads_base_dir != null) {
        request.setAttribute("studentuploads_base_dir", studentuploads_base_dir);
      }
      // forward the request to the vlewrapper controller
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/vle/studentassetmanager.html");
      requestDispatcher.forward(request, response);
    } catch (NumberFormatException e) {
      e.printStackTrace();
    } catch (ObjectNotFoundException e) {
      e.printStackTrace();
    }
  }
  /**
   * @see
   *     org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest,
   *     javax.servlet.http.HttpServletResponse)
   */
  @Override
  protected ModelAndView handleRequestInternal(
      HttpServletRequest request, HttpServletResponse response) throws Exception {

    String outResponse = "";
    User user = ControllerUtil.getSignedInUser();
    Set<User> owners = new TreeSet<User>();
    owners.add(user);

    Project project = projectService.getById(Long.parseLong(request.getParameter(PROJECTID)));

    CreateOtmlModuleParameters params = new CreateOtmlModuleParameters();
    params.setName(project.getCurnit().getSdsCurnit().getName());
    params.setUrl(RooloOtmlModuleDao.defaultOtrunkCurnitUrl);
    params.setRetrieveotmlurl(
        Util.getPortalUrl(request) + "/repository/retrieveotml.html?otmlModuleId=");
    byte[] otmlbytes = (byte[]) project.getCurnit().accept(new CurnitGetOtmlVisitor());
    if (otmlbytes != null) {
      params.setOtml(otmlbytes);
      Curnit copiedCurnit = curnitService.createCurnit(params);

      ProjectParameters projParams = new ProjectParameters();

      projParams.setCurnitId(copiedCurnit.getId());
      projParams.setJnlpId(project.getJnlp().getId());
      projParams.setOwners(owners);
      projParams.setProjectname(project.getName());
      projParams.setProjectType(project.getProjectType());

      projectService.createProject(projParams);

      outResponse =
          "Project "
              + project.getName()
              + " has been successfully "
              + "copied and can be found in My Customized Projects.";
    } else {
      outResponse = "This project is not of a type that can be copied.";
    }

    ModelAndView modelAndView = new ModelAndView();
    modelAndView.addObject(RESPONSE, outResponse);
    return modelAndView;
  }
  private ModelAndView handlePost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String type = request.getParameter("type");
    ServletContext servletContext2 = this.getServletContext();
    ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
    User user = ControllerUtil.getSignedInUser();
    CredentialManager.setRequestCredentials(request, user);

    if (type == null) {
      // post student data
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/postdata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("flag")
        || type.equals("inappropriateFlag")
        || type.equals("annotation")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/annotations.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("journal")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/journaldata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("peerreview")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/peerreview.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("ideaBasket")) {
      handleIdeaBasket(request, response);
    } else if (type.equals("studentAssetManager")) {
      handleStudentAssetManager(request, response);
    } else if (type.equals("viewStudentAssets")) {
      handleViewStudentAssets(request, response);
    } else if (type.equals("chatLog")) {
      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/chatLog.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("studentStatus")) {
      handleStudentStatus(request, response);
    } else if (type.equals("runStatus")) {
      handleRunStatus(request, response);
    }
    return null;
  }
  private void handleViewStudentAssets(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    ServletContext servletContext2 = this.getServletContext();
    ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
    User user = ControllerUtil.getSignedInUser();
    String studentuploads_base_dir = portalProperties.getProperty("studentuploads_base_dir");

    try {
      // get the run
      String runId = request.getParameter("runId");
      Run run = runService.retrieveById(new Long(runId));

      // get the project id
      Project project = run.getProject();
      Serializable projectId = project.getId();

      // set the project id into the request so the vlewrapper controller has access to it
      request.setAttribute("projectId", projectId + "");

      // set the workgroup id into the request so the vlewrapper controller has access to it
      if (studentuploads_base_dir != null) {
        request.setAttribute("studentuploads_base_dir", studentuploads_base_dir);
      }

      // workgroups is a ":" separated string of workgroups
      String workgroups = request.getParameter("workgroups");

      request.setAttribute("dirName", workgroups);

      // forward the request to the vlewrapper controller
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/vle/studentassetmanager.html");
      requestDispatcher.forward(request, response);
    } catch (NumberFormatException e) {
      e.printStackTrace();
    } catch (ObjectNotFoundException e) {
      e.printStackTrace();
    }
  }
  /**
   * @see
   *     org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest,
   *     javax.servlet.http.HttpServletResponse)
   */
  @Override
  protected ModelAndView handleRequestInternal(
      HttpServletRequest request, HttpServletResponse response) throws Exception {

    ModelAndView modelAndView = new ModelAndView();
    User user = ControllerUtil.getSignedInUser();

    // get library projects
    Set<String> tagNames = new TreeSet<String>();
    tagNames.add("library");
    List<Project> libraryProjectsList = this.projectService.getProjectListByTagNames(tagNames);

    // get user's owned projects
    List<Project> ownedProjectsList = this.projectService.getProjectList(user);
    // for now, don't separate archived projects; TODO: re-implement if archiving is re-enabled
    // List<Project> currentOwnedProjectsList = new ArrayList<Project>();
    // List<Project> archivedOwnedProjectsList = new ArrayList<Project>();

    // get user's shared projects
    List<Project> sharedProjectsList = this.projectService.getSharedProjectList(user);
    sharedProjectsList.removeAll(ownedProjectsList);
    // for now, don't separate archived projects; TODO: re-implement if archiving is re-enabled
    // List<Project> currentSharedProjectsList = new ArrayList<Project>();
    // List<Project> archivedSharedProjectsList = new ArrayList<Project>();

    // a set to hold the list of project ids in user's library
    Set<Long> projectIds = new TreeSet<Long>();

    // set root project ids, remove duplicates
    List<Project> ownedRemove = new ArrayList<Project>();
    for (int i = 0; i < ownedProjectsList.size(); i++) {
      if (ownedProjectsList.get(i).getRootProjectId() == null) {
        Long rootId = this.projectService.identifyRootProjectId(ownedProjectsList.get(i));
        ownedProjectsList.get(i).setRootProjectId(rootId);
      }
      Long id = (Long) ownedProjectsList.get(i).getId();
      projectIds.add(id);

      // check if project is in WISE library
      for (Project libProject : libraryProjectsList) {
        if (ownedProjectsList.get(i).getId() == libProject.getId()) {
          ownedRemove.add(ownedProjectsList.get(i));
        }
      }
      // if (project.isCurrent()) {
      // currentOwnedProjectsList.add(project);
      // } else {
      // archivedOwnedProjectsList.add(project);
      // }
    }
    // if project is in WISE library, remove from owned projects list (avoid duplicates)
    for (int i = 0; i < ownedRemove.size(); i++) {
      ownedProjectsList.remove(ownedRemove.get(i));
    }

    List<Project> sharedRemove = new ArrayList<Project>();
    for (int a = 0; a < sharedProjectsList.size(); a++) {
      Long rootId = this.projectService.identifyRootProjectId(sharedProjectsList.get(a));
      sharedProjectsList.get(a).setRootProjectId(rootId);
      Long id = (Long) sharedProjectsList.get(a).getId();
      projectIds.add(id);

      // check if project is in WISE library
      for (Project libProject : libraryProjectsList) {
        if (sharedProjectsList.get(a).getId() == libProject.getId()) {
          sharedRemove.add(sharedProjectsList.get(a));
        }
      }
      // if (project.isCurrent()) {
      // currentSharedProjectsList.add(project);
      // } else {
      // archivedSharedProjectsList.add(project);
      // }
    }

    // if project is in WISE library, remove from shared projects list (avoid duplicates)
    for (int a = 0; a < sharedRemove.size(); a++) {
      sharedProjectsList.remove(sharedRemove.get(a));
    }

    for (int x = 0; x < libraryProjectsList.size(); x++) {
      Long rootId = this.projectService.identifyRootProjectId(libraryProjectsList.get(x));
      libraryProjectsList.get(x).setRootProjectId(rootId);
      Long id = (Long) libraryProjectsList.get(x).getId();
      projectIds.add(id);
    }

    /* sort the project lists */
    // this.projectService.sortProjectsByDateCreated(currentOwnedProjectsList);
    // this.projectService.sortProjectsByDateCreated(archivedOwnedProjectsList);

    // modelAndView.addObject("currentOwnedProjectsList", currentOwnedProjectsList);
    // modelAndView.addObject("archivedOwnedProjectsList", archivedOwnedProjectsList);

    // this.projectService.sortProjectsByDateCreated(currentSharedProjectsList);
    // this.projectService.sortProjectsByDateCreated(archivedSharedProjectsList);

    // modelAndView.addObject("currentSharedProjectsList", currentSharedProjectsList);
    // modelAndView.addObject("archivedSharedProjectsList", archivedSharedProjectsList);

    this.projectService.sortProjectsByDateCreated(ownedProjectsList);
    this.projectService.sortProjectsByDateCreated(sharedProjectsList);
    // this.projectService.sortProjectsByDateCreated(libraryProjectsList);

    // Map<Long, Integer> usageMap = new TreeMap<Long, Integer>();
    Map<Long, String> urlMap = new TreeMap<Long, String>();
    Map<Long, String> projectThumbMap =
        new TreeMap<Long, String>(); // maps projectId to url where its thumbnail can be found
    Map<Long, String> filenameMap = new TreeMap<Long, String>();

    // a map to contain projectId to project name
    Map<Long, String> projectNameMap = new TreeMap<Long, String>();

    // a map to contain projectId to escaped project name
    Map<Long, String> projectNameEscapedMap = new TreeMap<Long, String>();

    // a map to contain projectId to run date
    Map<Long, Date> projectRunDateMap = new TreeMap<Long, Date>();

    // a map to contain projectId to run date
    Map<Long, Long> projectRunIdMap = new TreeMap<Long, Long>();

    String curriculumBaseDir = this.portalProperties.getProperty("curriculum_base_dir");
    String curriculumBaseWWW = this.portalProperties.getProperty("curriculum_base_www");
    for (Project p : ownedProjectsList) {
      if (p.isCurrent()) {
        List<Run> runList = this.runService.getProjectRuns((Long) p.getId());
        if (!runList.isEmpty()) {
          // add project and date to the maps of project runs
          // since a project can now only be run once, just use the first run in the list
          projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime());
          projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId());
        }

        String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor());

        // get the project name and put it into the map
        String projectName = p.getName();
        projectNameMap.put((Long) p.getId(), projectName);

        // replace ' with \' in the project name and put it into the map
        projectName = projectName.replaceAll("\\'", "\\\\'");
        projectNameEscapedMap.put((Long) p.getId(), projectName);

        if (url != null && url != "") {
          /*
           * add the project url to the map
           * e.g.
           * /253/wise4.project.json
           */
          urlMap.put((Long) p.getId(), url);

          int ndx = url.lastIndexOf("/");
          if (ndx != -1) {
            /*
             * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png)
             * for all projects but this could be overwritten in the future
             * e.g.
             * /253/assets/projectThumb.png
             */
            projectThumbMap.put(
                (Long) p.getId(), curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH);

            /*
             * add the project file name to the map
             * e.g.
             * /wise4.project.json
             */
            filenameMap.put((Long) p.getId(), url.substring(ndx, url.length()));
          }
        }
        // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId()));
      }
    }

    for (Project p : sharedProjectsList) {
      if (p.isCurrent()) {
        List<Run> runList = this.runService.getProjectRuns((Long) p.getId());
        if (!runList.isEmpty()) {
          // add project and date to the maps of project runs
          // since a project can now only be run once, just use the first run in the list
          projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime());
          projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId());
        }

        String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor());

        // get the project name and put it into the map
        String projectName = p.getName();
        projectNameMap.put((Long) p.getId(), projectName);

        // replace ' with \' in the project name and put it into the map
        projectName = projectName.replaceAll("\\'", "\\\\'");
        projectNameEscapedMap.put((Long) p.getId(), projectName);

        if (url != null && url != "") {
          /*
           * add the project url to the map
           * e.g.
           * /253/wise4.project.json
           */
          urlMap.put((Long) p.getId(), url);

          int ndx = url.lastIndexOf("/");
          if (ndx != -1) {
            /*
             * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png)
             * for all projects but this could be overwritten in the future
             * e.g.
             * /253/assets/projectThumb.png
             */
            projectThumbMap.put(
                (Long) p.getId(), curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH);

            /*
             * add the project file name to the map
             * e.g.
             * /wise4.project.json
             */
            filenameMap.put((Long) p.getId(), url.substring(ndx, url.length()));
          }
        }
        // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId()));
      }
    }

    for (Project p : libraryProjectsList) {
      if (p.isCurrent()) {
        List<Run> runList = this.runService.getProjectRuns((Long) p.getId());
        if (!runList.isEmpty()) {
          // add project and date to the maps of project runs
          // since a project can now only be run once, just use the first run in the list
          projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime());
          projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId());
        }

        String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor());

        // get the project name and put it into the map
        String projectName = p.getName();
        projectNameMap.put((Long) p.getId(), projectName);

        // replace ' with \' in the project name and put it into the map
        projectName = projectName.replaceAll("\\'", "\\\\'");
        projectNameEscapedMap.put((Long) p.getId(), projectName);

        if (url != null && url != "") {
          /*
           * add the project url to the map
           * e.g.
           * /253/wise4.project.json
           */
          urlMap.put((Long) p.getId(), url);

          int ndx = url.lastIndexOf("/");

          if (ndx != -1) {
            /*
             * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png)
             * for all projects but this could be overwritten in the future
             * e.g.
             * /253/assets/projectThumb.png
             */
            String projectThumbPath =
                curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH;
            projectThumbMap.put((Long) p.getId(), projectThumbPath);

            /*
             * add the project file name to the map
             * e.g.
             * /wise4.project.json
             */
            filenameMap.put((Long) p.getId(), url.substring(ndx, url.length()));
          }
        }
        // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId()));
      }
    }

    // send in owned, shared, library, bookmarked projects, and list of project ids
    List<Project> bookmarkedProjectsList = this.projectService.getBookmarkerProjectList(user);
    modelAndView.addObject("bookmarkedProjectsList", bookmarkedProjectsList);
    modelAndView.addObject("ownedProjectsList", ownedProjectsList);
    modelAndView.addObject("sharedProjectsList", sharedProjectsList);
    modelAndView.addObject("libraryProjectsList", libraryProjectsList);
    modelAndView.addObject("projectIds", projectIds);
    modelAndView.addObject("sharedRemove", sharedRemove);
    modelAndView.addObject("ownedRemove", ownedRemove);

    // modelAndView.addObject("usageMap", usageMap);
    modelAndView.addObject("urlMap", urlMap);
    modelAndView.addObject("projectThumbMap", projectThumbMap);
    modelAndView.addObject("filenameMap", filenameMap);
    modelAndView.addObject("curriculumBaseDir", curriculumBaseDir);
    modelAndView.addObject("curriculumBaseWWW", curriculumBaseWWW);
    modelAndView.addObject("projectNameMap", projectNameMap);
    modelAndView.addObject("projectNameEscapedMap", projectNameEscapedMap);
    modelAndView.addObject("projectRunDateMap", projectRunDateMap);
    modelAndView.addObject("projectRunIdMap", projectRunIdMap);
    modelAndView.addObject("user", user);
    return modelAndView;
  }
  private void handleIdeaBasket(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    ServletContext servletContext2 = this.getServletContext();
    ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
    User signedInUser = ControllerUtil.getSignedInUser();
    String action = request.getParameter("action");

    try {
      // get the run
      String runId = request.getParameter("runId");
      Run run = runService.retrieveById(new Long(runId));

      // get the project id
      Project project = run.getProject();
      Serializable projectId = project.getId();

      // set the project id into the request so the vlewrapper controller has access to it
      request.setAttribute("projectId", projectId + "");

      // get the authorities for the signed in user
      MutableUserDetails signedInUserDetails = signedInUser.getUserDetails();
      Collection<? extends GrantedAuthority> authorities = signedInUserDetails.getAuthorities();

      boolean isAdmin = false;
      boolean isTeacher = false;
      boolean isStudent = false;

      // this value will determine whether the user can modify anything they want in the public idea
      // basket
      boolean isPrivileged = false;

      for (GrantedAuthority authority : authorities) {
        if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
          // user is an admin or teacher
          isAdmin = true;
          isPrivileged = true;
        } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
          // user is an admin or teacher
          isTeacher = true;
          isPrivileged = true;
        }
      }

      if (!isTeacher) {
        isStudent = true;
      }

      request.setAttribute("isPrivileged", isPrivileged);

      if (isAdmin) {
        // user is an admin so we do not need to retrieve the workgroup id
      } else if (isTeacher) {
        // user is a teacher so we will retrieve their workgroup id for the run

        // get the workgroup id
        List<Workgroup> workgroupListByOfferingAndUser =
            workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
        // add nullpointer check
        Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
        Long signedInWorkgroupId = workgroup.getId();

        // set the workgroup id into the request so the vlewrapper controller has access to it
        request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + "");
      } else if (isStudent) {
        /*
         * the user is a student so we will make sure the run id
         * matches the run they are currently working on and then
         * retrieve their workgroup id for the run
         */

        HashMap<String, Run> studentsToRuns =
            (HashMap<String, Run>)
                request.getSession().getServletContext().getAttribute("studentsToRuns");

        String sessionId = request.getSession().getId();

        if (studentsToRuns != null && studentsToRuns.containsKey(sessionId)) {
          Run sessionRun = studentsToRuns.get(sessionId);
          Long sessionRunId = sessionRun.getId();

          if (sessionRunId.equals(new Long(runId))) {
            // get the workgroup id
            List<Workgroup> workgroupListByOfferingAndUser =
                workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
            // add nullpointer check
            Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
            Long signedInWorkgroupId = workgroup.getId();

            // set the workgroup id into the request so the vlewrapper controller has access to it
            request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + "");
          } else {
            // run id does not match the run that the student is logged in to
            response.sendError(
                HttpServletResponse.SC_UNAUTHORIZED,
                "Run id does not match run that student is logged in to");
            return;
          }
        } else {
          // session id was not found which means the session probably timed out
          response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Session no longer valid");
          return;
        }
      }

      // forward the request to the vlewrapper controller
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/ideaBasket.html");
      requestDispatcher.forward(request, response);
    } catch (NumberFormatException e) {
      e.printStackTrace();
    } catch (ObjectNotFoundException e) {
      e.printStackTrace();
    }
  }
  private ModelAndView handleGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String type = request.getParameter("type");
    ServletContext servletContext2 = this.getServletContext();
    ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");

    User user = ControllerUtil.getSignedInUser();
    CredentialManager.setRequestCredentials(request, user);

    // get the run id
    String runIdString = request.getParameter("runId");
    Long runId = null;

    if (runIdString != null) {
      runId = Long.parseLong(runIdString);
    }

    Run run = null;
    try {
      if (runId != null) {
        // get the run object
        run = runService.retrieveById(runId);
      }
    } catch (ObjectNotFoundException e1) {
      e1.printStackTrace();
    }

    if (type == null) {
      // get student data
      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("brainstorm")) {
      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("aggregate")) {
      setProjectPath(run, request); // set the project path into the request object
      if (Boolean.parseBoolean(request.getParameter("allStudents"))) {
        // request for all students work in run. lookup workgroups in run and construct
        // workgroupIdString
        String workgroupIdStr = "";
        try {
          Set<Workgroup> workgroups = runService.getWorkgroups(runId);
          for (Workgroup workgroup : workgroups) {
            workgroupIdStr += workgroup.getId() + ":";
          }
          request.setAttribute("userId", workgroupIdStr);
        } catch (ObjectNotFoundException e) {
        }
      }

      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("flag")
        || type.equals("inappropriateFlag")
        || type.equals("annotation")) { // get flags
      /*
       * set the user info JSONObjects into the request so the vlewrapper servlet
       * has access to the teacher and classmate info
       */
      setUserInfos(run, request);

      setCRaterAttributes(request);

      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/annotations.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("journal")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/journaldata.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("peerreview")) {
      // get the period id
      String periodString = request.getParameter("periodId");
      Long period = null;
      if (periodString != null) {
        period = Long.parseLong(periodString);
      }

      try {
        /*
         * set the number of students in the class period for when we need
         * to calculate peer review opening
         */
        Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
        request.setAttribute("numWorkgroups", classmateWorkgroups.size());
      } catch (ObjectNotFoundException e) {
        e.printStackTrace();
      }
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/peerreview.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("xlsexport") || type.equals("specialExport")) {
      // set the user info into the request object
      setUserInfos(run, request);

      // set the project path into the request object
      setProjectPath(run, request);

      // set the project meta data into the request object
      setProjectMetaData(run, request);

      String requestPath = "";

      if (type.equals("xlsexport")) {
        // get the path for regular exports
        requestPath = "/getxls.html";
      } else if (type.equals("specialExport")) {
        // get the path for special exports
        requestPath = "/getSpecialExport.html";
      }

      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher(requestPath);
      requestDispatcher.forward(request, response);
    } else if (type.equals("ideaBasket")) {
      handleIdeaBasket(request, response);
    } else if (type.equals("studentAssetManager")) {
      handleStudentAssetManager(request, response);
    } else if (type.equals("viewStudentAssets")) {
      handleViewStudentAssets(request, response);
    } else if (type.equals("xmppAuthenticate")) {
      // check if this portal is xmpp enabled first
      String isXMPPEnabled = portalProperties.getProperty("isXMPPEnabled");
      if (isXMPPEnabled != null && Boolean.valueOf(isXMPPEnabled)) {
        handleWISEXMPPAuthenticate(request, response);
      }
    } else if (type.equals("cRater")) {
      setCRaterAttributes(request);

      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/cRater.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("chatLog")) {
      RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/chatLog.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("studentStatus")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/studentStatus.html");
      requestDispatcher.forward(request, response);
    } else if (type.equals("runStatus")) {
      RequestDispatcher requestDispatcher =
          vlewrappercontext.getRequestDispatcher("/runStatus.html");
      requestDispatcher.forward(request, response);
    }

    return null;
  }
  private boolean authorize(HttpServletRequest request) {
    String method = request.getMethod();
    User signedInUser = ControllerUtil.getSignedInUser();
    Collection<? extends GrantedAuthority> authorities =
        signedInUser.getUserDetails().getAuthorities();
    Long signedInUserId = null;
    for (GrantedAuthority authority : authorities) {
      if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
        return true;
      } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
        // the signed in user is a teacher

        String type = request.getParameter("type");
        if ("cRater".equals(type)) {
          // any teacher can make a cRater request
          return true;
        }

        Run run = null;
        try {
          // get the run object
          run = runService.retrieveById(new Long(request.getParameter("runId")));
        } catch (NumberFormatException e) {
          e.printStackTrace();
        } catch (ObjectNotFoundException e) {
          e.printStackTrace();
        }

        if (run == null) {
          // we could not find the run
          return false;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
          // the teacher has write permission for the run so we will allow authorization
          return true;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
          // the teacher only has read permission for the run

          if (method.equals("GET")) {
            // we will allow authorization for GET requests
            return true;
          } else if (method.equals("POST")) {
            // we will deny authorization for POST requests since the teacher only has READ
            // permissions
            return false;
          }
        }
      }
    }
    if (method.equals("GET")) {
      String workgroupIdStr = "";

      // only used for annotations
      String fromWorkgroupIdStr = "";

      String type = request.getParameter("type");

      String runIdString = request.getParameter("runId");
      Long runId = null;

      if (runIdString != null) {
        runId = Long.parseLong(runIdString);
      }

      String periodString = request.getParameter("periodId");
      Long period = null;
      if (periodString != null) {
        period = Long.parseLong(periodString);
      }

      if (runId != null) {
        try {
          // get the run
          Run offering = runService.retrieveById(runId);

          // get the workgroup for the signed in user
          List<Workgroup> workgroupListByOfferingAndUser =
              workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);

          // get the workgroup
          Workgroup workgroup = workgroupListByOfferingAndUser.get(0);

          // get the workgroup id
          signedInUserId = workgroup.getId();
        } catch (ObjectNotFoundException e1) {
          e1.printStackTrace();
        }
      }

      // whether this GET request can access other workgroup's data
      boolean canAccessOtherWorkgroups = false;

      if (type == null) {
        workgroupIdStr = request.getParameter("userId");
      } else if (type.equals("flag") || type.equals("inappropriateFlag")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("annotation")) {
        String annotationType = request.getParameter("annotationType");
        if ("cRater".equals(annotationType)) {
          // anyone can make a cRater annotation
          return true;
        }
        workgroupIdStr = request.getParameter("toWorkgroup");

        // get the fromWorkgroup id
        fromWorkgroupIdStr = request.getParameter("fromWorkgroup");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("brainstorm")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("aggregate")) {
        // student/teacher is trying to get other students' work so that it can be used to show
        // the aggregate view. nodeIds should be passed in.
        // Check that the nodeIds exist and that we can get the student data from them
        // in the VLE.
        if (request.getParameter("nodeIds") == null) {
          canAccessOtherWorkgroups = false;
        } else {
          if (request.getParameter("allStudents") != null
              && Boolean.valueOf(request.getParameter("allStudents"))) {
            return true;
          } else {
            workgroupIdStr = request.getParameter("userId");
            canAccessOtherWorkgroups = true;
          }
        }
      } else if (type.equals("journal")) {
        workgroupIdStr = request.getParameter("workgroupId");
      } else if (type.equals("peerreview")) {
        // return true for now until logic is implemented
        return true;
      } else if (type.equals("xlsexport") || type.equals("specialExport")) {
        // TODO: need to check user permissions
        return true;
      } else if (type.equals("ideaBasket")) {
        return true;
      } else if (type.equals("studentAssetManager")) {
        return true;
      } else if (type.equals("xmppAuthenticate")) {
        return true;
      } else if (type.equals("cRater")) {
        // allow students to make cRater scoring requests
        String cRaterRequestType = request.getParameter("cRaterRequestType");
        if ("scoring".equals(cRaterRequestType)) {
          return true;
        }
      } else if (type.equals("runStatus")) {
        // check if the user is the owner of the run or in the run
        if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
          return true;
        }
      } else {
        // this should never happen
      }

      if (workgroupIdStr == null || workgroupIdStr.equals("")) {
        return false;
      }
      // split up all the workgroup ids
      String[] workgroupIds = workgroupIdStr.split(":");

      // check if this GET request can access other workgroups
      if (canAccessOtherWorkgroups) {
        // this GET request is allowed to access other workgroup work
        try {
          if (fromWorkgroupIdStr != null
              && !fromWorkgroupIdStr.equals("")
              && fromWorkgroupIdStr.equals(signedInUserId)) {
            /*
             * the signed in user id is the same as the from workgroup id so
             * we will allow it. this basically means the current user is
             * requesting the annotations that he/she wrote.
             */
            return true;
          } else {
            // obtain all the workgroups of the classmates of the current user
            Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);

            /*
             * see if the workgroupIds the user is trying to access is
             * in the above set of classmate workgroups, if all the
             * workgroupIds beingaccessed are allowed, it will return
             * true and allow it, otherwise it will return false and
             * deny access
             */
            return elementsInCollection(workgroupIds, classmateWorkgroups);
          }
        } catch (ObjectNotFoundException e) {
          e.printStackTrace();
        }
      } else {
        /*
         * this GET request is not allowed to access other workgroup work
         * it can only access the workgroup the current user is in
         */

        // obtain all the workgroups that the current user is in
        List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser);

        /*
         * see if the workgroupIds the user is trying to access is in
         * the above list of workgroups, if all the workgroupIds being
         * accessed are allowed, it will return true and allow it,
         * otherwise it will return false and deny access
         */
        return elementsInCollection(workgroupIds, workgroupsForUser);
      }

      return false;
    } else if (method.equals("POST")) {
      return true;
    }
    // other request methods are not authorized at this point
    return false;
  }