コード例 #1
  /**
   * Check if the user is in the workgroup id
   *
   * @param user the user
   * @param workgroupId the workgroup id
   * @return whether the user is in the workgroup
   */
  /**
   * Reports whether {@code user} belongs to the workgroup with the given id.
   *
   * <p>Membership is resolved server-side through {@code workgroupService.getWorkgroupsForUser},
   * so the answer depends only on persisted data plus the id being tested, never on anything else
   * the client supplies.
   *
   * @param user the user to test; {@code null} yields {@code false}
   * @param workgroupId the workgroup id to look for; {@code null} yields {@code false}
   * @return {@code true} if one of the user's workgroups has exactly this id
   */
  private boolean isUserInWorkgroupId(User user, Long workgroupId) {
    if (user == null || workgroupId == null) {
      return false;
    }

    List<Workgroup> memberships = workgroupService.getWorkgroupsForUser(user);
    for (Workgroup candidate : memberships) {
      // a null entry in the membership list is skipped rather than treated as a match
      if (candidate != null && workgroupId.equals(candidate.getId())) {
        return true;
      }
    }
    return false;
  }
コード例 #2
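  /**
   * Forwards a student-asset-manager request to the vlewrapper controller.
   *
   * <p>The upload directories handed to the forwarded controller — {@code dirName} and, for the
   * {@code studentAssetCopyForReference} command, {@code referencedDirName} — are built from the
   * run id and the signed-in user's own workgroup in that run as resolved by
   * {@code workgroupService}. The client never names the workgroup directly, so a request cannot
   * be pointed at another workgroup's directory through this handler.
   *
   * <p>Request parameters read: {@code runId} (required, numeric), {@code command}. Request
   * attributes set: {@code projectId}, {@code dirName}, {@code referencedDirName} (only for the
   * copy-for-reference command) and {@code studentuploads_base_dir} (only when configured in
   * {@code portalProperties}).
   *
   * @param request the incoming request
   * @param response the response; an HTTP error status is sent instead of forwarding when the
   *     caller is not signed in, has no workgroup in the run, or supplies a missing, malformed or
   *     unknown {@code runId}
   * @throws ServletException propagated from the forward
   * @throws IOException propagated from the forward or from sending an error status
   */
  private void handleStudentAssetManager(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    User user = ControllerUtil.getSignedInUser();
    if (user == null) {
      // no authenticated principal, so there is no workgroup (and no directory) to resolve
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not signed in");
      return;
    }

    ServletContext vlewrappercontext = this.getServletContext().getContext("/vlewrapper");
    if (vlewrappercontext == null) {
      // getContext returns null when cross-context access is disabled or /vlewrapper is absent
      response.sendError(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "vlewrapper context unavailable");
      return;
    }

    String runIdParam = request.getParameter("runId");
    if (runIdParam == null || runIdParam.isEmpty()) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing runId");
      return;
    }

    Run run;
    try {
      run = runService.retrieveById(Long.valueOf(runIdParam));
    } catch (NumberFormatException e) {
      // a client error, not a server fault: answer 400 instead of silently returning
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid runId");
      return;
    } catch (ObjectNotFoundException e) {
      response.sendError(HttpServletResponse.SC_NOT_FOUND, "Run not found");
      return;
    }

    // the forwarded controller reads the project id from the request
    request.setAttribute("projectId", run.getProject().getId() + "");

    // resolve the caller's own workgroup in this run; the directory name is derived from it
    List<Workgroup> workgroups = workgroupService.getWorkgroupListByOfferingAndUser(run, user);
    if (workgroups == null || workgroups.isEmpty() || workgroups.get(0) == null) {
      // previously an IndexOutOfBoundsException (500); a caller with no workgroup owns no directory
      response.sendError(
          HttpServletResponse.SC_FORBIDDEN, "User is not in a workgroup for this run");
      return;
    }
    Long workgroupId = workgroups.get(0).getId();

    // looks like /studentuploads/[runId]/[workgroupId]/unreferenced
    String workgroupDir = run.getId() + "/" + workgroupId;
    request.setAttribute("dirName", workgroupDir + "/unreferenced");

    if ("studentAssetCopyForReference".equals(request.getParameter("command"))) {
      // copying an asset for reference also needs the sibling directory
      // /studentuploads/[runId]/[workgroupId]/referenced
      request.setAttribute("referencedDirName", workgroupDir + "/referenced");
    }

    String studentuploadsBaseDir = portalProperties.getProperty("studentuploads_base_dir");
    if (studentuploadsBaseDir != null) {
      request.setAttribute("studentuploads_base_dir", studentuploadsBaseDir);
    }

    // hand off to the vlewrapper controller
    vlewrappercontext
        .getRequestDispatcher("/vle/studentassetmanager.html")
        .forward(request, response);
  }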
コード例 #3
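  /**
   * Forwards an idea-basket request to the vlewrapper controller after establishing who the caller
   * is for that controller's benefit.
   *
   * <p>Attributes set for the forwarded controller: {@code projectId}; {@code isPrivileged}
   * ({@code true} for admins and teachers, who may modify anything in the public idea basket);
   * and, for everyone but admins, {@code signedInWorkgroupId} — the caller's own workgroup in the
   * run as resolved by {@code workgroupService}, never taken from the request.
   *
   * <p>Role handling: an admin needs no workgroup. A teacher gets the workgroup they hold in the
   * run. Anyone without the admin or teacher authority is treated as a student and must be working
   * on the requested run in this session: the {@code runId} must match the run recorded for the
   * session id in the {@code studentsToRuns} servlet-context map (401 otherwise); a session with
   * no entry in that map gets 400.
   *
   * <p>NOTE(review): nothing here verifies that a teacher holds a permission on {@code runId}; a
   * teacher who is not in any workgroup for the run is refused (403) only because no workgroup can
   * be resolved for them. Confirm whether a {@code hasRunPermission} check belongs here or in the
   * forwarded controller.
   *
   * @param request the incoming request; {@code runId} is required and numeric
   * @param response the response; an HTTP error status is sent instead of forwarding when the
   *     request cannot be served
   * @throws ServletException propagated from the forward
   * @throws IOException propagated from the forward or from sending an error status
   */
  private void handleIdeaBasket(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    User signedInUser = ControllerUtil.getSignedInUser();
    if (signedInUser == null) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not signed in");
      return;
    }

    ServletContext vlewrappercontext = this.getServletContext().getContext("/vlewrapper");
    if (vlewrappercontext == null) {
      // getContext returns null when cross-context access is disabled or /vlewrapper is absent
      response.sendError(
          HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "vlewrapper context unavailable");
      return;
    }

    String runIdParam = request.getParameter("runId");
    if (runIdParam == null || runIdParam.isEmpty()) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing runId");
      return;
    }

    Long runId;
    Run run;
    try {
      runId = Long.valueOf(runIdParam);
      run = runService.retrieveById(runId);
    } catch (NumberFormatException e) {
      // a client error, not a server fault: answer 400 instead of silently returning
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid runId");
      return;
    } catch (ObjectNotFoundException e) {
      response.sendError(HttpServletResponse.SC_NOT_FOUND, "Run not found");
      return;
    }

    // the forwarded controller reads the project id from the request
    request.setAttribute("projectId", run.getProject().getId() + "");

    // role flags from the authorities on the signed-in user
    boolean isAdmin = false;
    boolean isTeacher = false;
    for (GrantedAuthority authority : signedInUser.getUserDetails().getAuthorities()) {
      String role = authority.getAuthority();
      if (UserDetailsService.ADMIN_ROLE.equals(role)) {
        isAdmin = true;
      } else if (UserDetailsService.TEACHER_ROLE.equals(role)) {
        isTeacher = true;
      }
    }

    // admins and teachers may modify anything they want in the public idea basket
    request.setAttribute("isPrivileged", isAdmin || isTeacher);

    if (isAdmin) {
      // an admin needs no workgroup id
    } else if (isTeacher) {
      if (!setSignedInWorkgroupIdAttribute(request, response, run, signedInUser)) {
        return;
      }
    } else {
      // anyone else is a student: the run must be the one this session is logged in to
      @SuppressWarnings("unchecked")
      HashMap<String, Run> studentsToRuns =
          (HashMap<String, Run>)
              request.getSession().getServletContext().getAttribute("studentsToRuns");
      String sessionId = request.getSession().getId();

      if (studentsToRuns == null || !studentsToRuns.containsKey(sessionId)) {
        // no entry for this session: it most likely timed out
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Session no longer valid");
        return;
      }

      Run sessionRun = studentsToRuns.get(sessionId);
      if (sessionRun == null || !runId.equals(sessionRun.getId())) {
        response.sendError(
            HttpServletResponse.SC_UNAUTHORIZED,
            "Run id does not match run that student is logged in to");
        return;
      }

      if (!setSignedInWorkgroupIdAttribute(request, response, run, signedInUser)) {
        return;
      }
    }

    // hand off to the vlewrapper controller
    vlewrappercontext.getRequestDispatcher("/ideaBasket.html").forward(request, response);
  }

  /**
   * Resolves {@code user}'s own workgroup in {@code run} and publishes its id as the
   * {@code signedInWorkgroupId} request attribute.
   *
   * @return {@code true} on success; {@code false} after sending 403 because the user has no
   *     workgroup in the run (previously this case threw IndexOutOfBoundsException)
   */
  private boolean setSignedInWorkgroupIdAttribute(
      HttpServletRequest request, HttpServletResponse response, Run run, User user)
      throws IOException {
    List<Workgroup> workgroups = workgroupService.getWorkgroupListByOfferingAndUser(run, user);
    if (workgroups == null || workgroups.isEmpty() || workgroups.get(0) == null) {
      response.sendError(
          HttpServletResponse.SC_FORBIDDEN, "User is not in a workgroup for this run");
      return false;
    }
    request.setAttribute("signedInWorkgroupId", workgroups.get(0).getId() + "");
    return true;
  }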
コード例 #4
  /**
   * Decides whether the signed-in user may perform this request against the VLE data endpoint.
   *
   * <p>Decision order as written: (1) an admin authority authorizes anything; (2) a teacher
   * authority authorizes {@code type=cRater} outright, then consults the teacher's permission on
   * {@code runId} — WRITE authorizes, READ authorizes GET and denies POST, an unloadable run
   * denies; (3) anything that has not returned by then reaches the method-based section below,
   * where a GET is checked per {@code type} against the workgroups the caller may touch and a
   * POST is allowed unconditionally.
   *
   * <p>NOTE(review): a teacher who holds neither WRITE nor READ on the run does not return from
   * the teacher branch and so falls through to section (3) exactly like a student; a READ-only
   * teacher with a method other than GET/POST falls through as well (and is then denied at the
   * end). Confirm that the first case is intended; if not, a {@code return false;} at the end of
   * the teacher branch closes it.
   *
   * @param request the request being authorized; its method and, depending on the branch, the
   *     parameters {@code type}, {@code runId}, {@code periodId}, {@code userId},
   *     {@code workgroupId}, {@code toWorkgroup}, {@code fromWorkgroup}, {@code annotationType},
   *     {@code cRaterRequestType}, {@code nodeIds} and {@code allStudents} are read
   * @return {@code true} if the request is authorized
   */
  private boolean authorize(HttpServletRequest request) {
    String method = request.getMethod();
    // assumes an authenticated caller: a null here throws NPE on the next line instead of denying
    User signedInUser = ControllerUtil.getSignedInUser();
    Collection<? extends GrantedAuthority> authorities =
        signedInUser.getUserDetails().getAuthorities();
    // despite the name this ends up holding the caller's WORKGROUP id for the run (set below)
    Long signedInUserId = null;
    for (GrantedAuthority authority : authorities) {
      if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
        // admins are authorized for everything
        return true;
      } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
        // the signed in user is a teacher

        String type = request.getParameter("type");
        if ("cRater".equals(type)) {
          // any teacher can make a cRater request
          return true;
        }

        Run run = null;
        try {
          // get the run object
          run = runService.retrieveById(new Long(request.getParameter("runId")));
        } catch (NumberFormatException e) {
          e.printStackTrace();
        } catch (ObjectNotFoundException e) {
          e.printStackTrace();
        }

        if (run == null) {
          // we could not find the run (missing, malformed or unknown runId)
          return false;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
          // the teacher has write permission for the run so we will allow authorization
          return true;
        } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
          // the teacher only has read permission for the run

          if (method.equals("GET")) {
            // we will allow authorization for GET requests
            return true;
          } else if (method.equals("POST")) {
            // we will deny authorization for POST requests since the teacher only has READ
            // permissions
            return false;
          }
        }
        // no return for a teacher with neither permission: the loop continues and the request
        // is then judged by the generic method/type logic below (see class-level NOTE(review))
      }
    }
    if (method.equals("GET")) {
      // the workgroup id(s) the request wants to read, ":"-separated; which parameter supplies
      // them depends on type (set per branch below)
      String workgroupIdStr = "";

      // only used for annotations
      String fromWorkgroupIdStr = "";

      String type = request.getParameter("type");

      String runIdString = request.getParameter("runId");
      Long runId = null;

      if (runIdString != null) {
        // NOTE: not guarded — a non-numeric runId throws NumberFormatException out of authorize()
        runId = Long.parseLong(runIdString);
      }

      String periodString = request.getParameter("periodId");
      Long period = null;
      if (periodString != null) {
        // NOTE: same, a non-numeric periodId propagates as NumberFormatException
        period = Long.parseLong(periodString);
      }

      if (runId != null) {
        try {
          // get the run
          Run offering = runService.retrieveById(runId);

          // get the workgroup for the signed in user
          List<Workgroup> workgroupListByOfferingAndUser =
              workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);

          // get the workgroup
          // NOTE: an empty list (caller not in any workgroup for the run) throws
          // IndexOutOfBoundsException here rather than denying
          Workgroup workgroup = workgroupListByOfferingAndUser.get(0);

          // get the workgroup id
          signedInUserId = workgroup.getId();
        } catch (ObjectNotFoundException e1) {
          e1.printStackTrace();
        }
      }

      // whether this GET request can access other workgroup's data
      boolean canAccessOtherWorkgroups = false;

      if (type == null) {
        // untyped request: only the caller's own workgroups (checked below)
        workgroupIdStr = request.getParameter("userId");
      } else if (type.equals("flag") || type.equals("inappropriateFlag")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("annotation")) {
        String annotationType = request.getParameter("annotationType");
        if ("cRater".equals(annotationType)) {
          // anyone can make a cRater annotation
          return true;
        }
        workgroupIdStr = request.getParameter("toWorkgroup");

        // get the fromWorkgroup id
        fromWorkgroupIdStr = request.getParameter("fromWorkgroup");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("brainstorm")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      } else if (type.equals("aggregate")) {
        // student/teacher is trying to get other students' work so that it can be used to show
        // the aggregate view. nodeIds should be passed in.
        // Check that the nodeIds exist and that we can get the student data from them
        // in the VLE.
        if (request.getParameter("nodeIds") == null) {
          canAccessOtherWorkgroups = false;
        } else {
          if (request.getParameter("allStudents") != null
              && Boolean.valueOf(request.getParameter("allStudents"))) {
            // NOTE(review): allStudents=true authorizes without any workgroup or run check;
            // confirm the VLE side enforces the run/period scope for this case
            return true;
          } else {
            workgroupIdStr = request.getParameter("userId");
            canAccessOtherWorkgroups = true;
          }
        }
      } else if (type.equals("journal")) {
        workgroupIdStr = request.getParameter("workgroupId");
      } else if (type.equals("peerreview")) {
        // return true for now until logic is implemented
        return true;
      } else if (type.equals("xlsexport") || type.equals("specialExport")) {
        // TODO: need to check user permissions
        // NOTE(review): reachable by any non-admin caller (including students) as written
        return true;
      } else if (type.equals("ideaBasket")) {
        // per-run checks for this type live in the idea basket handler, not here
        return true;
      } else if (type.equals("studentAssetManager")) {
        // the asset manager handler derives the directory from the caller's own workgroup
        return true;
      } else if (type.equals("xmppAuthenticate")) {
        return true;
      } else if (type.equals("cRater")) {
        // allow students to make cRater scoring requests
        String cRaterRequestType = request.getParameter("cRaterRequestType");
        if ("scoring".equals(cRaterRequestType)) {
          return true;
        }
      } else if (type.equals("runStatus")) {
        // check if the user is the owner of the run or in the run
        if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
          return true;
        }
      } else {
        // this should never happen: an unknown type leaves workgroupIdStr empty and is denied
        // below
      }

      if (workgroupIdStr == null || workgroupIdStr.equals("")) {
        return false;
      }
      // split up all the workgroup ids
      String[] workgroupIds = workgroupIdStr.split(":");

      // check if this GET request can access other workgroups
      if (canAccessOtherWorkgroups) {
        // this GET request is allowed to access other workgroup work
        try {
          // BUG: fromWorkgroupIdStr is a String and signedInUserId a Long, so equals() here is
          // always false. The "own annotations" shortcut below therefore never fires and every
          // annotation request is checked against the classmate set instead — stricter than the
          // comment intends, not weaker. Comparing against String.valueOf(signedInUserId) would
          // restore the intended shortcut.
          if (fromWorkgroupIdStr != null
              && !fromWorkgroupIdStr.equals("")
              && fromWorkgroupIdStr.equals(signedInUserId)) {
            /*
             * the signed in user id is the same as the from workgroup id so
             * we will allow it. this basically means the current user is
             * requesting the annotations that he/she wrote.
             */
            return true;
          } else {
            // obtain all the workgroups of the classmates of the current user
            // (runId and period may both be null here if the parameters were absent;
            // what getWorkgroups does with nulls is not visible in this file)
            Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);

            /*
             * see if the workgroupIds the user is trying to access is
             * in the above set of classmate workgroups, if all the
             * workgroupIds beingaccessed are allowed, it will return
             * true and allow it, otherwise it will return false and
             * deny access
             */
            return elementsInCollection(workgroupIds, classmateWorkgroups);
          }
        } catch (ObjectNotFoundException e) {
          e.printStackTrace();
        }
      } else {
        /*
         * this GET request is not allowed to access other workgroup work
         * it can only access the workgroup the current user is in
         */

        // obtain all the workgroups that the current user is in
        List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser);

        /*
         * see if the workgroupIds the user is trying to access is in
         * the above list of workgroups, if all the workgroupIds being
         * accessed are allowed, it will return true and allow it,
         * otherwise it will return false and deny access
         */
        return elementsInCollection(workgroupIds, workgroupsForUser);
      }

      // only reached when the classmate lookup above threw ObjectNotFoundException
      return false;
    } else if (method.equals("POST")) {
      // every POST that reaches this point is authorized: no per-workgroup check on the POST
      // side here, so any such check must happen downstream
      return true;
    }
    // other request methods are not authorized at this point
    return false;
  }