/**
 * Checks whether {@code user} is a member of the workgroup whose id is {@code workgroupId}.
 *
 * <p>Membership is resolved through {@code workgroupService.getWorkgroupsForUser(user)} and each
 * returned workgroup's id is compared with {@link Long#equals(Object)}; null entries in that list
 * are skipped.
 *
 * @param user the user to test; a null user is never a member
 * @param workgroupId the workgroup id to look for; a null id never matches
 * @return true if one of the user's workgroups has exactly this id, false otherwise
 */
private boolean isUserInWorkgroupId(User user, Long workgroupId) {
  if (user == null || workgroupId == null) {
    return false;
  }
  List<Workgroup> memberships = workgroupService.getWorkgroupsForUser(user);
  for (Workgroup membership : memberships) {
    if (membership != null && workgroupId.equals(membership.getId())) {
      return true;
    }
  }
  return false;
}
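/**
 * Forwards a student-asset-manager request to the vlewrapper webapp.
 *
 * <p>Resolves the run named by the {@code runId} request parameter and the signed-in user's
 * workgroup in that run, then forwards to {@code /vle/studentassetmanager.html} in the
 * {@code /vlewrapper} context with these request attributes set for that controller:
 * <ul>
 *   <li>{@code projectId} - id of the run's project</li>
 *   <li>{@code dirName} - {@code [runId]/[workgroupId]/unreferenced}</li>
 *   <li>{@code referencedDirName} - {@code [runId]/[workgroupId]/referenced}, only when
 *       {@code command=studentAssetCopyForReference}</li>
 *   <li>{@code studentuploads_base_dir} - from portal properties, only when configured</li>
 * </ul>
 * Both directory attributes are built from server-side ids (the loaded run's id and the looked-up
 * workgroup's id), never from raw request strings, so the client cannot inject path segments here.
 *
 * <p>Security: {@link #authorize} lets every signed-in user through for
 * {@code type=studentAssetManager}, so the run-membership check happens in this method. A user
 * with no workgroup in the run is rejected with 403 instead of being forwarded (previously this
 * surfaced as an IndexOutOfBoundsException). A malformed run id yields 400 and an unknown run 404
 * instead of an empty response.
 *
 * @param request the incoming request; must carry {@code runId}, may carry {@code command}
 * @param response the response; used here only for error statuses, the forward writes the body
 * @throws ServletException if the forwarded controller fails
 * @throws IOException if writing an error status or the forwarded response fails
 */
private void handleStudentAssetManager(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  ServletContext vlewrapperContext = this.getServletContext().getContext("/vlewrapper");
  User user = ControllerUtil.getSignedInUser();
  if (user == null) {
    // NOTE(review): assumes getSignedInUser() returns null when nobody is signed in - confirm
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not signed in");
    return;
  }
  String studentUploadsBaseDir = portalProperties.getProperty("studentuploads_base_dir");
  try {
    Run run = runService.retrieveById(Long.valueOf(request.getParameter("runId")));

    Project project = run.getProject();
    Serializable projectId = project.getId();
    // the vlewrapper controller reads the project id from this attribute
    request.setAttribute("projectId", projectId + "");

    // the user's workgroup in this run; an empty list means the user is not part of the run
    List<Workgroup> workgroups = workgroupService.getWorkgroupListByOfferingAndUser(run, user);
    if (workgroups == null || workgroups.isEmpty()) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not in this run");
      return;
    }
    Long workgroupId = workgroups.get(0).getId();

    // looks like /studentuploads/[runId]/[workgroupId]/unreferenced
    request.setAttribute("dirName", run.getId() + "/" + workgroupId + "/unreferenced");

    String command = request.getParameter("command");
    if ("studentAssetCopyForReference".equals(command)) {
      // when copying a student asset for reference, also pass along the referenced dir;
      // looks like /studentuploads/[runId]/[workgroupId]/referenced
      request.setAttribute(
          "referencedDirName", run.getId() + "/" + workgroupId + "/referenced");
    }

    if (studentUploadsBaseDir != null) {
      request.setAttribute("studentuploads_base_dir", studentUploadsBaseDir);
    }

    // hand the request to the vlewrapper controller
    RequestDispatcher requestDispatcher =
        vlewrapperContext.getRequestDispatcher("/vle/studentassetmanager.html");
    requestDispatcher.forward(request, response);
  } catch (NumberFormatException e) {
    // runId missing or not numeric
    e.printStackTrace();
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid run id");
  } catch (ObjectNotFoundException e) {
    e.printStackTrace();
    response.sendError(HttpServletResponse.SC_NOT_FOUND, "Run not found");
  }
}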
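/**
 * Forwards an idea-basket request to the vlewrapper webapp after deciding, server-side, what the
 * signed-in user may do with it.
 *
 * <p>Resolves the run named by {@code runId}, sets {@code projectId}, and derives the user's role
 * from the authenticated principal's authorities (never from request parameters):
 * <ul>
 *   <li>admin: {@code isPrivileged=true}; no workgroup is looked up</li>
 *   <li>teacher: {@code isPrivileged=true}; {@code signedInWorkgroupId} is the teacher's
 *       workgroup in the run, 403 if the teacher has none</li>
 *   <li>anyone else (treated as a student): {@code isPrivileged=false}; the run must be the one
 *       recorded for this session in the servlet-context {@code studentsToRuns} map (401 on
 *       mismatch, 400 if the session is not in the map), and {@code signedInWorkgroupId} is the
 *       student's workgroup in the run, 403 if there is none</li>
 * </ul>
 * These are request attributes set by this method, not client-settable parameters, so the
 * forwarded controller at {@code /ideaBasket.html} can trust them.
 *
 * <p>Malformed run ids yield 400 and unknown runs 404 instead of an empty response.
 *
 * @param request the incoming request; must carry {@code runId}
 * @param response the response; used here only for error statuses, the forward writes the body
 * @throws ServletException if the forwarded controller fails
 * @throws IOException if writing an error status or the forwarded response fails
 */
private void handleIdeaBasket(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  ServletContext vlewrapperContext = this.getServletContext().getContext("/vlewrapper");
  User signedInUser = ControllerUtil.getSignedInUser();
  if (signedInUser == null) {
    // NOTE(review): assumes getSignedInUser() returns null when nobody is signed in - confirm
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not signed in");
    return;
  }
  try {
    Long runId = Long.valueOf(request.getParameter("runId"));
    Run run = runService.retrieveById(runId);

    Project project = run.getProject();
    Serializable projectId = project.getId();
    // the vlewrapper controller reads the project id from this attribute
    request.setAttribute("projectId", projectId + "");

    // roles come from the authenticated principal's authorities
    boolean isAdmin = false;
    boolean isTeacher = false;
    MutableUserDetails signedInUserDetails = signedInUser.getUserDetails();
    Collection<? extends GrantedAuthority> authorities = signedInUserDetails.getAuthorities();
    for (GrantedAuthority authority : authorities) {
      String role = authority.getAuthority();
      if (UserDetailsService.ADMIN_ROLE.equals(role)) {
        isAdmin = true;
      } else if (UserDetailsService.TEACHER_ROLE.equals(role)) {
        isTeacher = true;
      }
    }
    // admins and teachers may modify anything they want in the public idea basket
    boolean isPrivileged = isAdmin || isTeacher;
    request.setAttribute("isPrivileged", isPrivileged);

    if (isAdmin) {
      // admins are not tied to a workgroup, so there is nothing to look up
    } else if (isTeacher) {
      // the teacher's workgroup in this run; empty means the teacher is not part of the run
      List<Workgroup> workgroups =
          workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
      if (workgroups == null || workgroups.isEmpty()) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not in this run");
        return;
      }
      request.setAttribute("signedInWorkgroupId", workgroups.get(0).getId() + "");
    } else {
      // a student: the requested run must be the run this session is logged in to
      // (the map is maintained elsewhere and keyed by HTTP session id)
      @SuppressWarnings("unchecked")
      HashMap<String, Run> studentsToRuns =
          (HashMap<String, Run>)
              request.getSession().getServletContext().getAttribute("studentsToRuns");
      String sessionId = request.getSession().getId();
      if (studentsToRuns == null || !studentsToRuns.containsKey(sessionId)) {
        // session id was not found which means the session probably timed out
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Session no longer valid");
        return;
      }
      Long sessionRunId = studentsToRuns.get(sessionId).getId();
      if (!sessionRunId.equals(runId)) {
        // run id does not match the run that the student is logged in to
        response.sendError(
            HttpServletResponse.SC_UNAUTHORIZED,
            "Run id does not match run that student is logged in to");
        return;
      }
      // the student's workgroup in this run; empty means the student is not part of the run
      List<Workgroup> workgroups =
          workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
      if (workgroups == null || workgroups.isEmpty()) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not in this run");
        return;
      }
      request.setAttribute("signedInWorkgroupId", workgroups.get(0).getId() + "");
    }

    // hand the request to the vlewrapper controller
    RequestDispatcher requestDispatcher = vlewrapperContext.getRequestDispatcher("/ideaBasket.html");
    requestDispatcher.forward(request, response);
  } catch (NumberFormatException e) {
    // runId missing or not numeric
    e.printStackTrace();
    response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid run id");
  } catch (ObjectNotFoundException e) {
    e.printStackTrace();
    response.sendError(HttpServletResponse.SC_NOT_FOUND, "Run not found");
  }
}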
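/**
 * Decides whether the signed-in user may perform the current VLE request.
 *
 * <p>Decision order:
 * <ol>
 *   <li>Nobody signed in: denied.</li>
 *   <li>Admin: allowed.</li>
 *   <li>Teacher: {@code type=cRater} is allowed; otherwise the run named by {@code runId} is
 *       loaded (denied if missing, malformed or unknown). WRITE permission on the run allows
 *       everything; READ allows GET and denies POST. A teacher with neither permission is
 *       <em>not</em> denied here but falls through to the generic checks below (see the note in
 *       the code).</li>
 *   <li>Everyone else on GET: if {@code runId} is given it must parse, exist, and the user must
 *       have a workgroup in it. Then {@code type} selects which request parameter carries the
 *       workgroup id(s) being accessed ({@code userId}, {@code toWorkgroup} or
 *       {@code workgroupId}, colon-separated) and whether classmates' workgroups (same run and
 *       {@code periodId}) are acceptable or only the user's own workgroups. Several types are
 *       allowed outright; see the branches.</li>
 *   <li>Everyone else on POST: allowed.</li>
 *   <li>Any other method: denied.</li>
 * </ol>
 *
 * <p>Changes from the previous version: a null signed-in user, a non-numeric {@code runId} or
 * {@code periodId}, an unknown run, and a user with no workgroup in the run now return
 * {@code false} instead of escaping as an unchecked exception (which also denied, but as a 500).
 * The "requesting the annotations I wrote" shortcut, which compared a String with a Long and was
 * therefore always false, has been removed without changing behaviour.
 *
 * @param request the current request; method, {@code type}, {@code runId}, {@code periodId} and
 *     the type-specific workgroup parameters are read from it
 * @return true if the request may proceed, false otherwise
 */
private boolean authorize(HttpServletRequest request) {
  String method = request.getMethod();
  User signedInUser = ControllerUtil.getSignedInUser();
  if (signedInUser == null) {
    // NOTE(review): assumes getSignedInUser() returns null when nobody is signed in - confirm
    return false;
  }

  Collection<? extends GrantedAuthority> authorities =
      signedInUser.getUserDetails().getAuthorities();
  for (GrantedAuthority authority : authorities) {
    String role = authority.getAuthority();
    if (UserDetailsService.ADMIN_ROLE.equals(role)) {
      return true;
    } else if (UserDetailsService.TEACHER_ROLE.equals(role)) {
      if ("cRater".equals(request.getParameter("type"))) {
        // any teacher can make a cRater request
        return true;
      }
      Run run = null;
      try {
        run = runService.retrieveById(Long.valueOf(request.getParameter("runId")));
      } catch (NumberFormatException e) {
        e.printStackTrace();
      } catch (ObjectNotFoundException e) {
        e.printStackTrace();
      }
      if (run == null) {
        // runId missing, malformed, or not a run
        return false;
      }
      if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
        return true;
      }
      if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
        if (method.equals("GET")) {
          return true;
        } else if (method.equals("POST")) {
          // read-only teachers may not modify run data
          return false;
        }
      }
      // NOTE(review): a teacher holding neither WRITE nor READ on this run (and a READ-only
      // teacher using a method other than GET/POST) is not rejected here; control continues to
      // the generic checks below, where POST is allowed unconditionally. Whether this is relied
      // upon (e.g. by run owners whose ACL entry is something other than WRITE/READ) must be
      // confirmed before turning it into `return false`.
    }
  }

  if (method.equals("GET")) {
    String type = request.getParameter("type");

    // ids are parsed up front; a non-numeric value used to escape as a NumberFormatException
    Long runId = null;
    Long period = null;
    try {
      String runIdString = request.getParameter("runId");
      if (runIdString != null) {
        runId = Long.parseLong(runIdString);
      }
      String periodString = request.getParameter("periodId");
      if (periodString != null) {
        period = Long.parseLong(periodString);
      }
    } catch (NumberFormatException e) {
      return false;
    }

    if (runId != null) {
      try {
        Run offering = runService.retrieveById(runId);
        // the signed-in user's workgroup in this run; empty means the user is not in the run,
        // which previously surfaced as an IndexOutOfBoundsException. Every branch below that
        // reads other workgroups' data assumes run membership, so deny explicitly.
        List<Workgroup> workgroups =
            workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);
        if (workgroups == null || workgroups.isEmpty()) {
          return false;
        }
      } catch (ObjectNotFoundException e) {
        // the run does not exist, so nothing under it can be authorized
        e.printStackTrace();
        return false;
      }
    }

    // which parameter names the workgroup(s) being accessed (colon-separated ids), and whether
    // classmates' workgroups are acceptable or only the user's own
    String workgroupIdStr = "";
    boolean canAccessOtherWorkgroups = false;
    if (type == null) {
      workgroupIdStr = request.getParameter("userId");
    } else if (type.equals("flag") || type.equals("inappropriateFlag")) {
      workgroupIdStr = request.getParameter("userId");
      canAccessOtherWorkgroups = true;
    } else if (type.equals("annotation")) {
      if ("cRater".equals(request.getParameter("annotationType"))) {
        // anyone can make a cRater annotation
        return true;
      }
      // NOTE(review): the original intent was to also allow a request whose fromWorkgroup equals
      // the user's own workgroup (annotations the user wrote) regardless of toWorkgroup, but the
      // comparison was String-vs-Long and never matched, so fromWorkgroup is not consulted and
      // every annotation request goes through the classmate check below. Enabling the shortcut
      // would widen access to any toWorkgroup and needs confirmation that the VLE side filters
      // results by fromWorkgroup.
      workgroupIdStr = request.getParameter("toWorkgroup");
      canAccessOtherWorkgroups = true;
    } else if (type.equals("brainstorm")) {
      workgroupIdStr = request.getParameter("userId");
      canAccessOtherWorkgroups = true;
    } else if (type.equals("aggregate")) {
      // other students' work for the aggregate view; nodeIds must be passed in
      if (request.getParameter("nodeIds") == null) {
        // leaves workgroupIdStr empty, so the request is denied below
        canAccessOtherWorkgroups = false;
      } else if (request.getParameter("allStudents") != null
          && Boolean.valueOf(request.getParameter("allStudents"))) {
        // NOTE(review): allStudents=true is granted without any workgroup check - confirm the
        // VLE side limits the data returned to the caller's run/period
        return true;
      } else {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
      }
    } else if (type.equals("journal")) {
      workgroupIdStr = request.getParameter("workgroupId");
    } else if (type.equals("peerreview")) {
      // return true for now until logic is implemented
      return true;
    } else if (type.equals("xlsexport") || type.equals("specialExport")) {
      // TODO: need to check user permissions - as written, any signed-in non-teacher user
      // reaching this point may request an export for the given runId
      return true;
    } else if (type.equals("ideaBasket")) {
      // handleIdeaBasket performs the run/session membership checks itself
      return true;
    } else if (type.equals("studentAssetManager")) {
      // handleStudentAssetManager resolves the user's workgroup in the run itself
      return true;
    } else if (type.equals("xmppAuthenticate")) {
      return true;
    } else if (type.equals("cRater")) {
      // students may make cRater scoring requests
      if ("scoring".equals(request.getParameter("cRaterRequestType"))) {
        return true;
      }
    } else if (type.equals("runStatus")) {
      // the owner of the run or anyone in the run may read its status
      if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
        return true;
      }
    } else {
      // unknown type: falls through to the empty-id denial below
    }

    if (workgroupIdStr == null || workgroupIdStr.isEmpty()) {
      return false;
    }
    String[] workgroupIds = workgroupIdStr.split(":");

    if (!canAccessOtherWorkgroups) {
      // only the workgroups the current user is in may be accessed; all requested ids must match
      List<Workgroup> ownWorkgroups = workgroupService.getWorkgroupsForUser(signedInUser);
      return elementsInCollection(workgroupIds, ownWorkgroups);
    }
    try {
      // all requested ids must belong to classmates, i.e. workgroups of this run and period
      Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
      return elementsInCollection(workgroupIds, classmateWorkgroups);
    } catch (ObjectNotFoundException e) {
      e.printStackTrace();
      return false;
    }
  } else if (method.equals("POST")) {
    // NOTE(review): every POST by a non-admin, non-teacher user is accepted here without
    // looking at runId/workgroup parameters; the handlers must scope writes to the session's
    // own workgroup - confirm downstream.
    return true;
  }

  // other request methods are not authorized at this point
  return false;
}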