/** * Make sure the signed in user is allowed to POST the data they are trying to POST. The user * should only be trying to update their own student status. * * @param request * @param response * @return */ private boolean authenticateRunStatusPOST( HttpServletRequest request, HttpServletResponse response) { boolean result = false; // get the signed in user User user = ControllerUtil.getSignedInUser(); // get the parameters from the request String runIdString = request.getParameter("runId"); String status = request.getParameter("status"); try { // get the run id Long runId = Long.parseLong(runIdString); // check if the user is the owner of the run and the status is not null if (isUserOwnerOfRun(user, runId) && status != null) { result = true; } } catch (NumberFormatException e) { e.printStackTrace(); } return result; }
/** * Make sure the signed in user is allowed to POST the data they are trying to POST. The user * should only be trying to update their own student status. * * @param request * @param response * @return */ private boolean authenticateStudentStatusPOST( HttpServletRequest request, HttpServletResponse response) { boolean result = false; // get the signed in user User user = ControllerUtil.getSignedInUser(); // get the parameters from the request String runIdString = request.getParameter("runId"); String periodIdString = request.getParameter("periodId"); String workgroupIdString = request.getParameter("workgroupId"); String status = request.getParameter("status"); try { Long runId = Long.parseLong(runIdString); Long periodId = Long.parseLong(periodIdString); Long workgroupId = Long.parseLong(workgroupIdString); // make sure the user is in the run, in the period, and is in the workgroup if (isUserInRun(user, runId) && isUserInPeriod(user, runId, periodId) && isUserInWorkgroupId(user, workgroupId) && status != null) { result = true; } } catch (NumberFormatException e) { e.printStackTrace(); } return result; }
/** * @see * org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest, * javax.servlet.http.HttpServletResponse) */ @Override protected ModelAndView handleRequestInternal( HttpServletRequest request, HttpServletResponse response) throws Exception { // check if user is logged in if (ControllerUtil.getSignedInUser() == null) { response.sendRedirect("/webapp/login.html"); return null; } boolean authorized = authorize(request); if (!authorized) { // if request is for posting unsaved data and the user is not the same user as the one that // should be posting it, // forward them to the homepage if (request.getRequestURI().equals("/webapp/bridge/postdata.html")) { User signedInUser = ControllerUtil.getSignedInUser(); if (signedInUser.getUserDetails() instanceof TeacherUserDetails) { response.sendRedirect( "/webapp" + TelsAuthenticationProcessingFilter.TEACHER_DEFAULT_TARGET_PATH); return null; } else if (signedInUser.getUserDetails() instanceof StudentUserDetails) { response.sendRedirect( "/webapp" + TelsAuthenticationProcessingFilter.STUDENT_DEFAULT_TARGET_PATH); return null; } else { response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "You are not authorized to access this page"); return null; } } else { response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "You are not authorized to access this page"); return null; } } String method = request.getMethod(); if (method.equals("GET")) { return handleGet(request, response); } else if (method.equals("POST")) { return handlePost(request, response); } // we only handle GET and POST requests at this point. return null; }
private void handleStudentAssetManager(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ServletContext servletContext2 = this.getServletContext(); ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper"); User user = ControllerUtil.getSignedInUser(); String studentuploads_base_dir = portalProperties.getProperty("studentuploads_base_dir"); try { // get the run String runId = request.getParameter("runId"); Run run = runService.retrieveById(new Long(runId)); // get the project id Project project = run.getProject(); Serializable projectId = project.getId(); // set the project id into the request so the vlewrapper controller has access to it request.setAttribute("projectId", projectId + ""); // get the workgroup id List<Workgroup> workgroupListByOfferingAndUser = workgroupService.getWorkgroupListByOfferingAndUser(run, user); Workgroup workgroup = workgroupListByOfferingAndUser.get(0); Long workgroupId = workgroup.getId(); // set the workgroup id into the request so the vlewrapper controller has access to it request.setAttribute( "dirName", run.getId() + "/" + workgroupId + "/unreferenced"); // looks like /studentuploads/[runId]/[workgroupId]/unreferenced String commandParamter = request.getParameter("command"); if (commandParamter != null && "studentAssetCopyForReference".equals(commandParamter)) { request.setAttribute( "referencedDirName", run.getId() + "/" + workgroupId + "/referenced"); // if we're copying student asset for reference, also pass along // the referenced dir. looks like // /studentuploads/[runId]/[workgroupId]/referenced } if (studentuploads_base_dir != null) { request.setAttribute("studentuploads_base_dir", studentuploads_base_dir); } // forward the request to the vlewrapper controller RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/vle/studentassetmanager.html"); requestDispatcher.forward(request, response); } catch (NumberFormatException e) { e.printStackTrace(); } catch (ObjectNotFoundException e) { e.printStackTrace(); } }
/** * @see * org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest, * javax.servlet.http.HttpServletResponse) */ @Override protected ModelAndView handleRequestInternal( HttpServletRequest request, HttpServletResponse response) throws Exception { String outResponse = ""; User user = ControllerUtil.getSignedInUser(); Set<User> owners = new TreeSet<User>(); owners.add(user); Project project = projectService.getById(Long.parseLong(request.getParameter(PROJECTID))); CreateOtmlModuleParameters params = new CreateOtmlModuleParameters(); params.setName(project.getCurnit().getSdsCurnit().getName()); params.setUrl(RooloOtmlModuleDao.defaultOtrunkCurnitUrl); params.setRetrieveotmlurl( Util.getPortalUrl(request) + "/repository/retrieveotml.html?otmlModuleId="); byte[] otmlbytes = (byte[]) project.getCurnit().accept(new CurnitGetOtmlVisitor()); if (otmlbytes != null) { params.setOtml(otmlbytes); Curnit copiedCurnit = curnitService.createCurnit(params); ProjectParameters projParams = new ProjectParameters(); projParams.setCurnitId(copiedCurnit.getId()); projParams.setJnlpId(project.getJnlp().getId()); projParams.setOwners(owners); projParams.setProjectname(project.getName()); projParams.setProjectType(project.getProjectType()); projectService.createProject(projParams); outResponse = "Project " + project.getName() + " has been successfully " + "copied and can be found in My Customized Projects."; } else { outResponse = "This project is not of a type that can be copied."; } ModelAndView modelAndView = new ModelAndView(); modelAndView.addObject(RESPONSE, outResponse); return modelAndView; }
private ModelAndView handlePost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String type = request.getParameter("type"); ServletContext servletContext2 = this.getServletContext(); ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper"); User user = ControllerUtil.getSignedInUser(); CredentialManager.setRequestCredentials(request, user); if (type == null) { // post student data RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/postdata.html"); requestDispatcher.forward(request, response); } else if (type.equals("flag") || type.equals("inappropriateFlag") || type.equals("annotation")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/annotations.html"); requestDispatcher.forward(request, response); } else if (type.equals("journal")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/journaldata.html"); requestDispatcher.forward(request, response); } else if (type.equals("peerreview")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/peerreview.html"); requestDispatcher.forward(request, response); } else if (type.equals("ideaBasket")) { handleIdeaBasket(request, response); } else if (type.equals("studentAssetManager")) { handleStudentAssetManager(request, response); } else if (type.equals("viewStudentAssets")) { handleViewStudentAssets(request, response); } else if (type.equals("chatLog")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/chatLog.html"); requestDispatcher.forward(request, response); } else if (type.equals("studentStatus")) { handleStudentStatus(request, response); } else if (type.equals("runStatus")) { handleRunStatus(request, response); } return null; }
private void handleViewStudentAssets(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ServletContext servletContext2 = this.getServletContext(); ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper"); User user = ControllerUtil.getSignedInUser(); String studentuploads_base_dir = portalProperties.getProperty("studentuploads_base_dir"); try { // get the run String runId = request.getParameter("runId"); Run run = runService.retrieveById(new Long(runId)); // get the project id Project project = run.getProject(); Serializable projectId = project.getId(); // set the project id into the request so the vlewrapper controller has access to it request.setAttribute("projectId", projectId + ""); // set the workgroup id into the request so the vlewrapper controller has access to it if (studentuploads_base_dir != null) { request.setAttribute("studentuploads_base_dir", studentuploads_base_dir); } // workgroups is a ":" separated string of workgroups String workgroups = request.getParameter("workgroups"); request.setAttribute("dirName", workgroups); // forward the request to the vlewrapper controller RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/vle/studentassetmanager.html"); requestDispatcher.forward(request, response); } catch (NumberFormatException e) { e.printStackTrace(); } catch (ObjectNotFoundException e) { e.printStackTrace(); } }
/** * @see * org.springframework.web.servlet.mvc.AbstractController#handleRequestInternal(javax.servlet.http.HttpServletRequest, * javax.servlet.http.HttpServletResponse) */ @Override protected ModelAndView handleRequestInternal( HttpServletRequest request, HttpServletResponse response) throws Exception { ModelAndView modelAndView = new ModelAndView(); User user = ControllerUtil.getSignedInUser(); // get library projects Set<String> tagNames = new TreeSet<String>(); tagNames.add("library"); List<Project> libraryProjectsList = this.projectService.getProjectListByTagNames(tagNames); // get user's owned projects List<Project> ownedProjectsList = this.projectService.getProjectList(user); // for now, don't separate archived projects; TODO: re-implement if archiving is re-enabled // List<Project> currentOwnedProjectsList = new ArrayList<Project>(); // List<Project> archivedOwnedProjectsList = new ArrayList<Project>(); // get user's shared projects List<Project> sharedProjectsList = this.projectService.getSharedProjectList(user); sharedProjectsList.removeAll(ownedProjectsList); // for now, don't separate archived projects; TODO: re-implement if archiving is re-enabled // List<Project> currentSharedProjectsList = new ArrayList<Project>(); // List<Project> archivedSharedProjectsList = new ArrayList<Project>(); // a set to hold the list of project ids in user's library Set<Long> projectIds = new TreeSet<Long>(); // set root project ids, remove duplicates List<Project> ownedRemove = new ArrayList<Project>(); for (int i = 0; i < ownedProjectsList.size(); i++) { if (ownedProjectsList.get(i).getRootProjectId() == null) { Long rootId = this.projectService.identifyRootProjectId(ownedProjectsList.get(i)); ownedProjectsList.get(i).setRootProjectId(rootId); } Long id = (Long) ownedProjectsList.get(i).getId(); projectIds.add(id); // check if project is in WISE library for (Project libProject : libraryProjectsList) { if (ownedProjectsList.get(i).getId() == libProject.getId()) { ownedRemove.add(ownedProjectsList.get(i)); } } // if (project.isCurrent()) { // currentOwnedProjectsList.add(project); // } else { // archivedOwnedProjectsList.add(project); // } } // if project is in WISE library, remove from owned projects list (avoid duplicates) for (int i = 0; i < ownedRemove.size(); i++) { ownedProjectsList.remove(ownedRemove.get(i)); } List<Project> sharedRemove = new ArrayList<Project>(); for (int a = 0; a < sharedProjectsList.size(); a++) { Long rootId = this.projectService.identifyRootProjectId(sharedProjectsList.get(a)); sharedProjectsList.get(a).setRootProjectId(rootId); Long id = (Long) sharedProjectsList.get(a).getId(); projectIds.add(id); // check if project is in WISE library for (Project libProject : libraryProjectsList) { if (sharedProjectsList.get(a).getId() == libProject.getId()) { sharedRemove.add(sharedProjectsList.get(a)); } } // if (project.isCurrent()) { // currentSharedProjectsList.add(project); // } else { // archivedSharedProjectsList.add(project); // } } // if project is in WISE library, remove from shared projects list (avoid duplicates) for (int a = 0; a < sharedRemove.size(); a++) { sharedProjectsList.remove(sharedRemove.get(a)); } for (int x = 0; x < libraryProjectsList.size(); x++) { Long rootId = this.projectService.identifyRootProjectId(libraryProjectsList.get(x)); libraryProjectsList.get(x).setRootProjectId(rootId); Long id = (Long) libraryProjectsList.get(x).getId(); projectIds.add(id); } /* sort the project lists */ // this.projectService.sortProjectsByDateCreated(currentOwnedProjectsList); // this.projectService.sortProjectsByDateCreated(archivedOwnedProjectsList); // modelAndView.addObject("currentOwnedProjectsList", currentOwnedProjectsList); // modelAndView.addObject("archivedOwnedProjectsList", archivedOwnedProjectsList); // this.projectService.sortProjectsByDateCreated(currentSharedProjectsList); // this.projectService.sortProjectsByDateCreated(archivedSharedProjectsList); // modelAndView.addObject("currentSharedProjectsList", currentSharedProjectsList); // modelAndView.addObject("archivedSharedProjectsList", archivedSharedProjectsList); this.projectService.sortProjectsByDateCreated(ownedProjectsList); this.projectService.sortProjectsByDateCreated(sharedProjectsList); // this.projectService.sortProjectsByDateCreated(libraryProjectsList); // Map<Long, Integer> usageMap = new TreeMap<Long, Integer>(); Map<Long, String> urlMap = new TreeMap<Long, String>(); Map<Long, String> projectThumbMap = new TreeMap<Long, String>(); // maps projectId to url where its thumbnail can be found Map<Long, String> filenameMap = new TreeMap<Long, String>(); // a map to contain projectId to project name Map<Long, String> projectNameMap = new TreeMap<Long, String>(); // a map to contain projectId to escaped project name Map<Long, String> projectNameEscapedMap = new TreeMap<Long, String>(); // a map to contain projectId to run date Map<Long, Date> projectRunDateMap = new TreeMap<Long, Date>(); // a map to contain projectId to run date Map<Long, Long> projectRunIdMap = new TreeMap<Long, Long>(); String curriculumBaseDir = this.portalProperties.getProperty("curriculum_base_dir"); String curriculumBaseWWW = this.portalProperties.getProperty("curriculum_base_www"); for (Project p : ownedProjectsList) { if (p.isCurrent()) { List<Run> runList = this.runService.getProjectRuns((Long) p.getId()); if (!runList.isEmpty()) { // add project and date to the maps of project runs // since a project can now only be run once, just use the first run in the list projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime()); projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId()); } String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor()); // get the project name and put it into the map String projectName = p.getName(); projectNameMap.put((Long) p.getId(), projectName); // replace ' with \' in the project name and put it into the map projectName = projectName.replaceAll("\\'", "\\\\'"); projectNameEscapedMap.put((Long) p.getId(), projectName); if (url != null && url != "") { /* * add the project url to the map * e.g. * /253/wise4.project.json */ urlMap.put((Long) p.getId(), url); int ndx = url.lastIndexOf("/"); if (ndx != -1) { /* * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png) * for all projects but this could be overwritten in the future * e.g. * /253/assets/projectThumb.png */ projectThumbMap.put( (Long) p.getId(), curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH); /* * add the project file name to the map * e.g. * /wise4.project.json */ filenameMap.put((Long) p.getId(), url.substring(ndx, url.length())); } } // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId())); } } for (Project p : sharedProjectsList) { if (p.isCurrent()) { List<Run> runList = this.runService.getProjectRuns((Long) p.getId()); if (!runList.isEmpty()) { // add project and date to the maps of project runs // since a project can now only be run once, just use the first run in the list projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime()); projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId()); } String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor()); // get the project name and put it into the map String projectName = p.getName(); projectNameMap.put((Long) p.getId(), projectName); // replace ' with \' in the project name and put it into the map projectName = projectName.replaceAll("\\'", "\\\\'"); projectNameEscapedMap.put((Long) p.getId(), projectName); if (url != null && url != "") { /* * add the project url to the map * e.g. * /253/wise4.project.json */ urlMap.put((Long) p.getId(), url); int ndx = url.lastIndexOf("/"); if (ndx != -1) { /* * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png) * for all projects but this could be overwritten in the future * e.g. * /253/assets/projectThumb.png */ projectThumbMap.put( (Long) p.getId(), curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH); /* * add the project file name to the map * e.g. * /wise4.project.json */ filenameMap.put((Long) p.getId(), url.substring(ndx, url.length())); } } // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId())); } } for (Project p : libraryProjectsList) { if (p.isCurrent()) { List<Run> runList = this.runService.getProjectRuns((Long) p.getId()); if (!runList.isEmpty()) { // add project and date to the maps of project runs // since a project can now only be run once, just use the first run in the list projectRunDateMap.put((Long) p.getId(), runList.get(0).getStarttime()); projectRunIdMap.put((Long) p.getId(), (Long) runList.get(0).getId()); } String url = (String) p.getCurnit().accept(new CurnitGetCurnitUrlVisitor()); // get the project name and put it into the map String projectName = p.getName(); projectNameMap.put((Long) p.getId(), projectName); // replace ' with \' in the project name and put it into the map projectName = projectName.replaceAll("\\'", "\\\\'"); projectNameEscapedMap.put((Long) p.getId(), projectName); if (url != null && url != "") { /* * add the project url to the map * e.g. * /253/wise4.project.json */ urlMap.put((Long) p.getId(), url); int ndx = url.lastIndexOf("/"); if (ndx != -1) { /* * add project thumb url to projectThumbMap. for now this is the same (/assets/project_thumb.png) * for all projects but this could be overwritten in the future * e.g. * /253/assets/projectThumb.png */ String projectThumbPath = curriculumBaseWWW + url.substring(0, ndx) + PROJECT_THUMB_PATH; projectThumbMap.put((Long) p.getId(), projectThumbPath); /* * add the project file name to the map * e.g. * /wise4.project.json */ filenameMap.put((Long) p.getId(), url.substring(ndx, url.length())); } } // usageMap.put((Long) p.getId(), this.runService.getProjectUsage((Long) p.getId())); } } // send in owned, shared, library, bookmarked projects, and list of project ids List<Project> bookmarkedProjectsList = this.projectService.getBookmarkerProjectList(user); modelAndView.addObject("bookmarkedProjectsList", bookmarkedProjectsList); modelAndView.addObject("ownedProjectsList", ownedProjectsList); modelAndView.addObject("sharedProjectsList", sharedProjectsList); modelAndView.addObject("libraryProjectsList", libraryProjectsList); modelAndView.addObject("projectIds", projectIds); modelAndView.addObject("sharedRemove", sharedRemove); modelAndView.addObject("ownedRemove", ownedRemove); // modelAndView.addObject("usageMap", usageMap); modelAndView.addObject("urlMap", urlMap); modelAndView.addObject("projectThumbMap", projectThumbMap); modelAndView.addObject("filenameMap", filenameMap); modelAndView.addObject("curriculumBaseDir", curriculumBaseDir); modelAndView.addObject("curriculumBaseWWW", curriculumBaseWWW); modelAndView.addObject("projectNameMap", projectNameMap); modelAndView.addObject("projectNameEscapedMap", projectNameEscapedMap); modelAndView.addObject("projectRunDateMap", projectRunDateMap); modelAndView.addObject("projectRunIdMap", projectRunIdMap); modelAndView.addObject("user", user); return modelAndView; }
private void handleIdeaBasket(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { ServletContext servletContext2 = this.getServletContext(); ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper"); User signedInUser = ControllerUtil.getSignedInUser(); String action = request.getParameter("action"); try { // get the run String runId = request.getParameter("runId"); Run run = runService.retrieveById(new Long(runId)); // get the project id Project project = run.getProject(); Serializable projectId = project.getId(); // set the project id into the request so the vlewrapper controller has access to it request.setAttribute("projectId", projectId + ""); // get the authorities for the signed in user MutableUserDetails signedInUserDetails = signedInUser.getUserDetails(); Collection<? extends GrantedAuthority> authorities = signedInUserDetails.getAuthorities(); boolean isAdmin = false; boolean isTeacher = false; boolean isStudent = false; // this value will determine whether the user can modify anything they want in the public idea // basket boolean isPrivileged = false; for (GrantedAuthority authority : authorities) { if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) { // user is an admin or teacher isAdmin = true; isPrivileged = true; } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) { // user is an admin or teacher isTeacher = true; isPrivileged = true; } } if (!isTeacher) { isStudent = true; } request.setAttribute("isPrivileged", isPrivileged); if (isAdmin) { // user is an admin so we do not need to retrieve the workgroup id } else if (isTeacher) { // user is a teacher so we will retrieve their workgroup id for the run // get the workgroup id List<Workgroup> workgroupListByOfferingAndUser = workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser); // add nullpointer check Workgroup workgroup = workgroupListByOfferingAndUser.get(0); Long signedInWorkgroupId = workgroup.getId(); // set the workgroup id into the request so the vlewrapper controller has access to it request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + ""); } else if (isStudent) { /* * the user is a student so we will make sure the run id * matches the run they are currently working on and then * retrieve their workgroup id for the run */ HashMap<String, Run> studentsToRuns = (HashMap<String, Run>) request.getSession().getServletContext().getAttribute("studentsToRuns"); String sessionId = request.getSession().getId(); if (studentsToRuns != null && studentsToRuns.containsKey(sessionId)) { Run sessionRun = studentsToRuns.get(sessionId); Long sessionRunId = sessionRun.getId(); if (sessionRunId.equals(new Long(runId))) { // get the workgroup id List<Workgroup> workgroupListByOfferingAndUser = workgroupService.getWorkgroupListByOfferingAndUser(run, signedInUser); // add nullpointer check Workgroup workgroup = workgroupListByOfferingAndUser.get(0); Long signedInWorkgroupId = workgroup.getId(); // set the workgroup id into the request so the vlewrapper controller has access to it request.setAttribute("signedInWorkgroupId", signedInWorkgroupId + ""); } else { // run id does not match the run that the student is logged in to response.sendError( HttpServletResponse.SC_UNAUTHORIZED, "Run id does not match run that student is logged in to"); return; } } else { // session id was not found which means the session probably timed out response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Session no longer valid"); return; } } // forward the request to the vlewrapper controller RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/ideaBasket.html"); requestDispatcher.forward(request, response); } catch (NumberFormatException e) { e.printStackTrace(); } catch (ObjectNotFoundException e) { e.printStackTrace(); } }
private ModelAndView handleGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String type = request.getParameter("type"); ServletContext servletContext2 = this.getServletContext(); ServletContext vlewrappercontext = servletContext2.getContext("/vlewrapper"); User user = ControllerUtil.getSignedInUser(); CredentialManager.setRequestCredentials(request, user); // get the run id String runIdString = request.getParameter("runId"); Long runId = null; if (runIdString != null) { runId = Long.parseLong(runIdString); } Run run = null; try { if (runId != null) { // get the run object run = runService.retrieveById(runId); } } catch (ObjectNotFoundException e1) { e1.printStackTrace(); } if (type == null) { // get student data RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html"); requestDispatcher.forward(request, response); } else if (type.equals("brainstorm")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html"); requestDispatcher.forward(request, response); } else if (type.equals("aggregate")) { setProjectPath(run, request); // set the project path into the request object if (Boolean.parseBoolean(request.getParameter("allStudents"))) { // request for all students work in run. lookup workgroups in run and construct // workgroupIdString String workgroupIdStr = ""; try { Set<Workgroup> workgroups = runService.getWorkgroups(runId); for (Workgroup workgroup : workgroups) { workgroupIdStr += workgroup.getId() + ":"; } request.setAttribute("userId", workgroupIdStr); } catch (ObjectNotFoundException e) { } } RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/getdata.html"); requestDispatcher.forward(request, response); } else if (type.equals("flag") || type.equals("inappropriateFlag") || type.equals("annotation")) { // get flags /* * set the user info JSONObjects into the request so the vlewrapper servlet * has access to the teacher and classmate info */ setUserInfos(run, request); setCRaterAttributes(request); RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/annotations.html"); requestDispatcher.forward(request, response); } else if (type.equals("journal")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/journaldata.html"); requestDispatcher.forward(request, response); } else if (type.equals("peerreview")) { // get the period id String periodString = request.getParameter("periodId"); Long period = null; if (periodString != null) { period = Long.parseLong(periodString); } try { /* * set the number of students in the class period for when we need * to calculate peer review opening */ Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period); request.setAttribute("numWorkgroups", classmateWorkgroups.size()); } catch (ObjectNotFoundException e) { e.printStackTrace(); } RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/peerreview.html"); requestDispatcher.forward(request, response); } else if (type.equals("xlsexport") || type.equals("specialExport")) { // set the user info into the request object setUserInfos(run, request); // set the project path into the request object setProjectPath(run, request); // set the project meta data into the request object setProjectMetaData(run, request); String requestPath = ""; if (type.equals("xlsexport")) { // get the path for regular exports requestPath = "/getxls.html"; } else if (type.equals("specialExport")) { // get the path for special exports requestPath = "/getSpecialExport.html"; } RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher(requestPath); requestDispatcher.forward(request, response); } else if (type.equals("ideaBasket")) { handleIdeaBasket(request, response); } else if (type.equals("studentAssetManager")) { handleStudentAssetManager(request, response); } else if (type.equals("viewStudentAssets")) { handleViewStudentAssets(request, response); } else if (type.equals("xmppAuthenticate")) { // check if this portal is xmpp enabled first String isXMPPEnabled = portalProperties.getProperty("isXMPPEnabled"); if (isXMPPEnabled != null && Boolean.valueOf(isXMPPEnabled)) { handleWISEXMPPAuthenticate(request, response); } } else if (type.equals("cRater")) { setCRaterAttributes(request); RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/cRater.html"); requestDispatcher.forward(request, response); } else if (type.equals("chatLog")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/chatLog.html"); requestDispatcher.forward(request, response); } else if (type.equals("studentStatus")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/studentStatus.html"); requestDispatcher.forward(request, response); } else if (type.equals("runStatus")) { RequestDispatcher requestDispatcher = vlewrappercontext.getRequestDispatcher("/runStatus.html"); requestDispatcher.forward(request, response); } return null; }
private boolean authorize(HttpServletRequest request) { String method = request.getMethod(); User signedInUser = ControllerUtil.getSignedInUser(); Collection<? extends GrantedAuthority> authorities = signedInUser.getUserDetails().getAuthorities(); Long signedInUserId = null; for (GrantedAuthority authority : authorities) { if (authority.getAuthority().equals(UserDetailsService.ADMIN_ROLE)) { return true; } else if (authority.getAuthority().equals(UserDetailsService.TEACHER_ROLE)) { // the signed in user is a teacher String type = request.getParameter("type"); if ("cRater".equals(type)) { // any teacher can make a cRater request return true; } Run run = null; try { // get the run object run = runService.retrieveById(new Long(request.getParameter("runId"))); } catch (NumberFormatException e) { e.printStackTrace(); } catch (ObjectNotFoundException e) { e.printStackTrace(); } if (run == null) { // we could not find the run return false; } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) { // the teacher has write permission for the run so we will allow authorization return true; } else if (this.runService.hasRunPermission(run, signedInUser, BasePermission.READ)) { // the teacher only has read permission for the run if (method.equals("GET")) { // we will allow authorization for GET requests return true; } else if (method.equals("POST")) { // we will deny authorization for POST requests since the teacher only has READ // permissions return false; } } } } if (method.equals("GET")) { String workgroupIdStr = ""; // only used for annotations String fromWorkgroupIdStr = ""; String type = request.getParameter("type"); String runIdString = request.getParameter("runId"); Long runId = null; if (runIdString != null) { runId = Long.parseLong(runIdString); } String periodString = request.getParameter("periodId"); Long period = null; if (periodString != null) { period = Long.parseLong(periodString); } if (runId != null) { try { // get the run Run offering = runService.retrieveById(runId); // get the workgroup for the signed in user List<Workgroup> workgroupListByOfferingAndUser = workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser); // get the workgroup Workgroup workgroup = workgroupListByOfferingAndUser.get(0); // get the workgroup id signedInUserId = workgroup.getId(); } catch (ObjectNotFoundException e1) { e1.printStackTrace(); } } // whether this GET request can access other workgroup's data boolean canAccessOtherWorkgroups = false; if (type == null) { workgroupIdStr = request.getParameter("userId"); } else if (type.equals("flag") || type.equals("inappropriateFlag")) { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } else if (type.equals("annotation")) { String annotationType = request.getParameter("annotationType"); if ("cRater".equals(annotationType)) { // anyone can make a cRater annotation return true; } workgroupIdStr = request.getParameter("toWorkgroup"); // get the fromWorkgroup id fromWorkgroupIdStr = request.getParameter("fromWorkgroup"); canAccessOtherWorkgroups = true; } else if (type.equals("brainstorm")) { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } else if (type.equals("aggregate")) { // student/teacher is trying to get other students' work so that it can be used to show // the aggregate view. nodeIds should be passed in. // Check that the nodeIds exist and that we can get the student data from them // in the VLE. if (request.getParameter("nodeIds") == null) { canAccessOtherWorkgroups = false; } else { if (request.getParameter("allStudents") != null && Boolean.valueOf(request.getParameter("allStudents"))) { return true; } else { workgroupIdStr = request.getParameter("userId"); canAccessOtherWorkgroups = true; } } } else if (type.equals("journal")) { workgroupIdStr = request.getParameter("workgroupId"); } else if (type.equals("peerreview")) { // return true for now until logic is implemented return true; } else if (type.equals("xlsexport") || type.equals("specialExport")) { // TODO: need to check user permissions return true; } else if (type.equals("ideaBasket")) { return true; } else if (type.equals("studentAssetManager")) { return true; } else if (type.equals("xmppAuthenticate")) { return true; } else if (type.equals("cRater")) { // allow students to make cRater scoring requests String cRaterRequestType = request.getParameter("cRaterRequestType"); if ("scoring".equals(cRaterRequestType)) { return true; } } else if (type.equals("runStatus")) { // check if the user is the owner of the run or in the run if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) { return true; } } else { // this should never happen } if (workgroupIdStr == null || workgroupIdStr.equals("")) { return false; } // split up all the workgroup ids String[] workgroupIds = workgroupIdStr.split(":"); // check if this GET request can access other workgroups if (canAccessOtherWorkgroups) { // this GET request is allowed to access other workgroup work try { if (fromWorkgroupIdStr != null && !fromWorkgroupIdStr.equals("") && fromWorkgroupIdStr.equals(signedInUserId)) { /* * the signed in user id is the same as the from workgroup id so * we will allow it. this basically means the current user is * requesting the annotations that he/she wrote. */ return true; } else { // obtain all the workgroups of the classmates of the current user Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period); /* * see if the workgroupIds the user is trying to access is * in the above set of classmate workgroups, if all the * workgroupIds beingaccessed are allowed, it will return * true and allow it, otherwise it will return false and * deny access */ return elementsInCollection(workgroupIds, classmateWorkgroups); } } catch (ObjectNotFoundException e) { e.printStackTrace(); } } else { /* * this GET request is not allowed to access other workgroup work * it can only access the workgroup the current user is in */ // obtain all the workgroups that the current user is in List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser); /* * see if the workgroupIds the user is trying to access is in * the above list of workgroups, if all the workgroupIds being * accessed are allowed, it will return true and allow it, * otherwise it will return false and deny access */ return elementsInCollection(workgroupIds, workgroupsForUser); } return false; } else if (method.equals("POST")) { return true; } // other request methods are not authorized at this point return false; }