private void handleStudentAssetManager(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
ServletContext servletContext2 = this.getServletContext();
ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
User user = ControllerUtil.getSignedInUser();
String studentuploads_base_dir = portalProperties.getProperty("studentuploads_base_dir");
try {
// get the run
String runId = request.getParameter("runId");
Run run = runService.retrieveById(new Long(runId));
// get the project id
Project project = run.getProject();
Serializable projectId = project.getId();
// set the project id into the request so the vlewrapper controller has access to it
request.setAttribute("projectId", projectId + "");
// get the workgroup id
List<Workgroup> workgroupListByOfferingAndUser =
workgroupService.getWorkgroupListByOfferingAndUser(run, user);
Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
Long workgroupId = workgroup.getId();
// set the workgroup id into the request so the vlewrapper controller has access to it
request.setAttribute(
"dirName",
run.getId()
+ "/"
+ workgroupId
+ "/unreferenced"); // looks like /studentuploads/[runId]/[workgroupId]/unreferenced
String commandParamter = request.getParameter("command");
if (commandParamter != null && "studentAssetCopyForReference".equals(commandParamter)) {
request.setAttribute(
"referencedDirName",
run.getId()
+ "/"
+ workgroupId
+ "/referenced"); // if we're copying student asset for reference, also pass along
// the referenced dir. looks like
// /studentuploads/[runId]/[workgroupId]/referenced
}
if (studentuploads_base_dir != null) {
request.setAttribute("studentuploads_base_dir", studentuploads_base_dir);
}
// forward the request to the vlewrapper controller
RequestDispatcher requestDispatcher =
vlewrappercontext.getRequestDispatcher("/vle/studentassetmanager.html");
requestDispatcher.forward(request, response);
} catch (NumberFormatException e) {
e.printStackTrace();
} catch (ObjectNotFoundException e) {
e.printStackTrace();
}
}
private void handleIdeaBasket(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
ServletContext servletContext2 = this.getServletContext();
ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper");
User signedInUser = ControllerUtil.getSignedInUser();
String action = request.getParameter("action");
try {
// get the run
String runId = request.getParameter("runId");
Run run = runService.retrieveById(new Long(runId));
// get the project id
Project project = run.getProject();
Serializable projectId = project.getId();
// set the project id into the request so the vlewrapper controller has access to it
request.setAttribute("projectId", projectId + "");
// get the authorities for the signed in user
MutableUserDetails signedInUserDetails = signedInUser.getUserDetails();
Collection<? extends GrantedAuthority> authorities = signedInUserDetails.getAuthorities();
boolean isAdmin = false;
boolean isTeacher = false;
boolean isStudent = false;
// this value will determine whether the user can modify anything they want in the public idea
// basket
boolean isPrivileged = false;
for (GrantedAuthority authority : authorities) {
if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
// user is an admin or teacher
isAdmin = true;
isPrivileged = true;
} else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
// user is an admin or teacher
isTeacher = true;
isPrivileged = true;
}
}
if (!isTeacher) {
isStudent = true;
}
request.setAttribute("isPrivileged", isPrivileged);
if (isAdmin) {
// user is an admin so we do not need to retrieve the workgroup id
} else if (isTeacher) {
// user is a teacher so we will retrieve their workgroup id for the run
// get the workgroup id
List<Workgroup> workgroupListByOfferingAndUser =
workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
// add nullpointer check
Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
Long signedInWorkgroupId = workgroup.getId();
// set the workgroup id into the request so the vlewrapper controller has access to it
request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + "");
} else if (isStudent) {
/*
* the user is a student so we will make sure the run id
* matches the run they are currently working on and then
* retrieve their workgroup id for the run
*/
HashMap<String, Run> studentsToRuns =
(HashMap<String, Run>)
request.getSession().getServletContext().getAttribute("studentsToRuns");
String sessionId = request.getSession().getId();
if (studentsToRuns != null && studentsToRuns.containsKey(sessionId)) {
Run sessionRun = studentsToRuns.get(sessionId);
Long sessionRunId = sessionRun.getId();
if (sessionRunId.equals(new Long(runId))) {
// get the workgroup id
List<Workgroup> workgroupListByOfferingAndUser =
workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser);
// add nullpointer check
Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
Long signedInWorkgroupId = workgroup.getId();
// set the workgroup id into the request so the vlewrapper controller has access to it
request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + "");
} else {
// run id does not match the run that the student is logged in to
response.sendError(
HttpServletResponse.SC_UNAUTHORIZED,
"Run id does not match run that student is logged in to");
return;
}
} else {
// session id was not found which means the session probably timed out
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Session no longer valid");
return;
}
}
// forward the request to the vlewrapper controller
RequestDispatcher requestDispatcher =
vlewrappercontext.getRequestDispatcher("/ideaBasket.html");
requestDispatcher.forward(request, response);
} catch (NumberFormatException e) {
e.printStackTrace();
} catch (ObjectNotFoundException e) {
e.printStackTrace();
}
}
private boolean authorize(HttpServletRequest request) {
String method = request.getMethod();
User signedInUser = ControllerUtil.getSignedInUser();
Collection<? extends GrantedAuthority> authorities =
signedInUser.getUserDetails().getAuthorities();
Long signedInUserId = null;
for (GrantedAuthority authority : authorities) {
if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) {
return true;
} else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) {
// the signed in user is a teacher
String type = request.getParameter("type");
if ("cRater".equals(type)) {
// any teacher can make a cRater request
return true;
}
Run run = null;
try {
// get the run object
run = runService.retrieveById(new Long(request.getParameter("runId")));
} catch (NumberFormatException e) {
e.printStackTrace();
} catch (ObjectNotFoundException e) {
e.printStackTrace();
}
if (run == null) {
// we could not find the run
return false;
} else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
// the teacher has write permission for the run so we will allow authorization
return true;
} else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
// the teacher only has read permission for the run
if (method.equals("GET")) {
// we will allow authorization for GET requests
return true;
} else if (method.equals("POST")) {
// we will deny authorization for POST requests since the teacher only has READ
// permissions
return false;
}
}
}
}
if (method.equals("GET")) {
String workgroupIdStr = "";
// only used for annotations
String fromWorkgroupIdStr = "";
String type = request.getParameter("type");
String runIdString = request.getParameter("runId");
Long runId = null;
if (runIdString != null) {
runId = Long.parseLong(runIdString);
}
String periodString = request.getParameter("periodId");
Long period = null;
if (periodString != null) {
period = Long.parseLong(periodString);
}
if (runId != null) {
try {
// get the run
Run offering = runService.retrieveById(runId);
// get the workgroup for the signed in user
List<Workgroup> workgroupListByOfferingAndUser =
workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);
// get the workgroup
Workgroup workgroup = workgroupListByOfferingAndUser.get(0);
// get the workgroup id
signedInUserId = workgroup.getId();
} catch (ObjectNotFoundException e1) {
e1.printStackTrace();
}
}
// whether this GET request can access other workgroup's data
boolean canAccessOtherWorkgroups = false;
if (type == null) {
workgroupIdStr = request.getParameter("userId");
} else if (type.equals("flag") || type.equals("inappropriateFlag")) {
workgroupIdStr = request.getParameter("userId");
canAccessOtherWorkgroups = true;
} else if (type.equals("annotation")) {
String annotationType = request.getParameter("annotationType");
if ("cRater".equals(annotationType)) {
// anyone can make a cRater annotation
return true;
}
workgroupIdStr = request.getParameter("toWorkgroup");
// get the fromWorkgroup id
fromWorkgroupIdStr = request.getParameter("fromWorkgroup");
canAccessOtherWorkgroups = true;
} else if (type.equals("brainstorm")) {
workgroupIdStr = request.getParameter("userId");
canAccessOtherWorkgroups = true;
} else if (type.equals("aggregate")) {
// student/teacher is trying to get other students' work so that it can be used to show
// the aggregate view. nodeIds should be passed in.
// Check that the nodeIds exist and that we can get the student data from them
// in the VLE.
if (request.getParameter("nodeIds") == null) {
canAccessOtherWorkgroups = false;
} else {
if (request.getParameter("allStudents") != null
&& Boolean.valueOf(request.getParameter("allStudents"))) {
return true;
} else {
workgroupIdStr = request.getParameter("userId");
canAccessOtherWorkgroups = true;
}
}
} else if (type.equals("journal")) {
workgroupIdStr = request.getParameter("workgroupId");
} else if (type.equals("peerreview")) {
// return true for now until logic is implemented
return true;
} else if (type.equals("xlsexport") || type.equals("specialExport")) {
// TODO: need to check user permissions
return true;
} else if (type.equals("ideaBasket")) {
return true;
} else if (type.equals("studentAssetManager")) {
return true;
} else if (type.equals("xmppAuthenticate")) {
return true;
} else if (type.equals("cRater")) {
// allow students to make cRater scoring requests
String cRaterRequestType = request.getParameter("cRaterRequestType");
if ("scoring".equals(cRaterRequestType)) {
return true;
}
} else if (type.equals("runStatus")) {
// check if the user is the owner of the run or in the run
if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
return true;
}
} else {
// this should never happen
}
if (workgroupIdStr == null || workgroupIdStr.equals("")) {
return false;
}
// split up all the workgroup ids
String[] workgroupIds = workgroupIdStr.split(":");
// check if this GET request can access other workgroups
if (canAccessOtherWorkgroups) {
// this GET request is allowed to access other workgroup work
try {
if (fromWorkgroupIdStr != null
&& !fromWorkgroupIdStr.equals("")
&& fromWorkgroupIdStr.equals(signedInUserId)) {
/*
* the signed in user id is the same as the from workgroup id so
* we will allow it. this basically means the current user is
* requesting the annotations that he/she wrote.
*/
return true;
} else {
// obtain all the workgroups of the classmates of the current user
Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
/*
* see if the workgroupIds the user is trying to access is
* in the above set of classmate workgroups, if all the
* workgroupIds beingaccessed are allowed, it will return
* true and allow it, otherwise it will return false and
* deny access
*/
return elementsInCollection(workgroupIds, classmateWorkgroups);
}
} catch (ObjectNotFoundException e) {
e.printStackTrace();
}
} else {
/*
* this GET request is not allowed to access other workgroup work
* it can only access the workgroup the current user is in
*/
// obtain all the workgroups that the current user is in
List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser);
/*
* see if the workgroupIds the user is trying to access is in
* the above list of workgroups, if all the workgroupIds being
* accessed are allowed, it will return true and allow it,
* otherwise it will return false and deny access
*/
return elementsInCollection(workgroupIds, workgroupsForUser);
}
return false;
} else if (method.equals("POST")) {
return true;
}
// other request methods are not authorized at this point
return false;
}