/** * Checks that the requesting user can view survey responses for some collection of users. There * may not actually be any responses to read or the responses may need to be made public first. * This only guarantees that, if the other users have any public responses that the requesting * user is allowed to view them. Therefore, this will pass as long as any of the following are * true: <br> * <br> * - If the user is a supervisor or an author.<br> * - If the user is an analyst and the campaign is shared.<br> * - If the user is the same as all of the requesting users.<br> * <br> * If you want to check if a user can read survey responses from every user in a campaign, don't * pass in any user usernames. * * @param campaignId The unique identifier for the campaign. * @param requesterUsername The requesting user's username. * @param userUsernames The array of usernames of specific users to check if the requesting user * has permission to read their information. * @throws ServiceException Thrown if none of the rules are true or there is an error. */ public void requesterCanViewUsersSurveyResponses( final String campaignId, final String requesterUsername, final String... userUsernames) throws ServiceException { try { // If the requester is asking about other users. if (userUsernames.length != 0) { // If the requester is the same as all of the users in question. boolean otherUsers = false; for (String username : userUsernames) { if (!requesterUsername.equals(username)) { otherUsers = true; } } if (!otherUsers) { return; } } List<Campaign.Role> requesterRoles = userCampaignQueries.getUserCampaignRoles(requesterUsername, campaignId); // If the requester's role list contains supervisor, return. if (requesterRoles.contains(Campaign.Role.SUPERVISOR)) { return; } // If the requester's role list contains author, return. if (requesterRoles.contains(Campaign.Role.AUTHOR)) { return; } // If the requester's role list contains analyst, if (requesterRoles.contains(Campaign.Role.ANALYST)) { Campaign.PrivacyState privacyState = campaignQueries.getCampaignPrivacyState(campaignId); if ((privacyState != null) && (Campaign.PrivacyState.SHARED.equals(privacyState))) { return; } } throw new ServiceException( ErrorCode.CAMPAIGN_INSUFFICIENT_PERMISSIONS, "The user does not have sufficient permissions to read information about other users."); } catch (DataAccessException e) { throw new ServiceException(e); } }