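private ModelAndView handleGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    /*
     * Routes a GET to the vlewrapper servlet that serves the requested "type"
     * of data, after attaching the signed-in user's credentials and whatever
     * run-derived request attributes that servlet reads. No authorization is
     * performed here; authorize(HttpServletRequest) is expected to have run
     * first and rejected anything this method should not serve.
     *
     * Every branch either forwards to a path inside the "/vlewrapper" servlet
     * context or delegates to a handle* method that writes the response
     * itself, so this always returns null. An unrecognised "type" (or
     * "xmppAuthenticate" on a portal whose isXMPPEnabled property is not
     * true) produces no forward and no output at all.
     */
    String type = request.getParameter("type");
    // ServletContext.getContext(...) returns null when the container does not
    // allow cross-context access; the forwards below would then NPE. The
    // original made the same assumption, so it is only documented here.
    ServletContext vlewrapperContext = this.getServletContext().getContext("/vlewrapper");

    User user = ControllerUtil.getSignedInUser();
    CredentialManager.setRequestCredentials(request, user);

    // A missing runId and a non-numeric one are treated alike: no run lookup.
    // The original let Long.parseLong throw on a non-numeric value, which
    // surfaced as a 500 instead of a clean response.
    Long runId = parseLongParam(request.getParameter("runId"));
    Run run = null;
    if (runId != null) {
        try {
            run = runService.retrieveById(runId);
        } catch (ObjectNotFoundException e) {
            // run stays null and is handed to the set* helpers below as such
            e.printStackTrace();
        }
    }

    if (type == null) {
        // plain student-data request
        forwardToVleWrapper(vlewrapperContext, "/getdata.html", request, response);
    } else if (type.equals("brainstorm")) {
        forwardToVleWrapper(vlewrapperContext, "/getdata.html", request, response);
    } else if (type.equals("aggregate")) {
        setProjectPath(run, request);
        if (Boolean.parseBoolean(request.getParameter("allStudents"))) {
            // Whole-run aggregate: publish every workgroup id in the run as
            // "id1:id2:...:" in the userId attribute that getdata.html reads.
            try {
                Set<Workgroup> workgroups = runService.getWorkgroups(runId);
                StringBuilder ids = new StringBuilder();
                for (Workgroup workgroup : workgroups) {
                    ids.append(workgroup.getId()).append(':');
                }
                request.setAttribute("userId", ids.toString());
            } catch (ObjectNotFoundException e) {
                // best effort: the userId attribute is deliberately left unset
            }
        }
        forwardToVleWrapper(vlewrapperContext, "/getdata.html", request, response);
    } else if (type.equals("flag") || type.equals("inappropriateFlag") || type.equals("annotation")) {
        // annotations.html reads the teacher/classmate user-info JSON and the
        // cRater attributes from the request
        setUserInfos(run, request);
        setCRaterAttributes(request);
        forwardToVleWrapper(vlewrapperContext, "/annotations.html", request, response);
    } else if (type.equals("journal")) {
        forwardToVleWrapper(vlewrapperContext, "/journaldata.html", request, response);
    } else if (type.equals("peerreview")) {
        // peerreview.html needs the size of the class period to work out when
        // a peer review opens
        Long period = parseLongParam(request.getParameter("periodId"));
        try {
            Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
            request.setAttribute("numWorkgroups", classmateWorkgroups.size());
        } catch (ObjectNotFoundException e) {
            // numWorkgroups is left unset
            e.printStackTrace();
        }
        forwardToVleWrapper(vlewrapperContext, "/peerreview.html", request, response);
    } else if (type.equals("xlsexport") || type.equals("specialExport")) {
        // both export servlets read user infos, project path and project metadata
        setUserInfos(run, request);
        setProjectPath(run, request);
        setProjectMetaData(run, request);
        String exportPath = type.equals("xlsexport") ? "/getxls.html" : "/getSpecialExport.html";
        forwardToVleWrapper(vlewrapperContext, exportPath, request, response);
    } else if (type.equals("ideaBasket")) {
        handleIdeaBasket(request, response);
    } else if (type.equals("studentAssetManager")) {
        handleStudentAssetManager(request, response);
    } else if (type.equals("viewStudentAssets")) {
        handleViewStudentAssets(request, response);
    } else if (type.equals("xmppAuthenticate")) {
        // only honoured when the portal is configured for XMPP; otherwise
        // nothing is written to the response
        String isXMPPEnabled = portalProperties.getProperty("isXMPPEnabled");
        if (isXMPPEnabled != null && Boolean.valueOf(isXMPPEnabled)) {
            handleWISEXMPPAuthenticate(request, response);
        }
    } else if (type.equals("cRater")) {
        setCRaterAttributes(request);
        forwardToVleWrapper(vlewrapperContext, "/cRater.html", request, response);
    } else if (type.equals("chatLog")) {
        forwardToVleWrapper(vlewrapperContext, "/chatLog.html", request, response);
    } else if (type.equals("studentStatus")) {
        forwardToVleWrapper(vlewrapperContext, "/studentStatus.html", request, response);
    } else if (type.equals("runStatus")) {
        forwardToVleWrapper(vlewrapperContext, "/runStatus.html", request, response);
    }
    return null;
}

/**
 * Forwards {@code request}/{@code response} to {@code path} inside the
 * vlewrapper servlet context.
 *
 * @param vlewrapperContext the "/vlewrapper" ServletContext (must be non-null)
 * @param path              context-relative path of the target servlet
 * @throws ServletException propagated from RequestDispatcher.forward
 * @throws IOException      propagated from RequestDispatcher.forward
 */
private void forwardToVleWrapper(ServletContext vlewrapperContext, String path,
        HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    RequestDispatcher dispatcher = vlewrapperContext.getRequestDispatcher(path);
    dispatcher.forward(request, response);
}

/**
 * Parses a request parameter as a {@link Long}.
 *
 * @param value the raw parameter value, possibly null
 * @return the parsed value, or null when {@code value} is null or not a valid long
 */
private static Long parseLongParam(String value) {
    if (value == null) {
        return null;
    }
    try {
        return Long.valueOf(value);
    } catch (NumberFormatException e) {
        // malformed ids are treated exactly like absent ones
        return null;
    }
}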
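private boolean authorize(HttpServletRequest request) {
    /*
     * Decides whether the signed-in user may perform this request.
     *
     * Order of checks:
     *   1. Admins are always allowed.
     *   2. Teachers: any "cRater" request is allowed. Otherwise the run named
     *      by runId must exist and the teacher needs WRITE (any method) or
     *      READ (GET only) permission on it. A teacher with neither is NOT
     *      rejected here; they fall through to the checks below like any
     *      other user.
     *   3. GET: per-"type" rules, most of which end in a check that every
     *      workgroup id named by the request is either the caller's own
     *      workgroup or, for types allowed to read classmates' data, a
     *      workgroup in the same run and period.
     *   4. POST: allowed for any signed-in user.
     *   5. Any other method: denied.
     *
     * Fails closed: no signed-in user, a malformed runId/periodId, a run that
     * cannot be found, or a workgroup lookup that fails all yield false
     * instead of an exception (the original surfaced several of these as
     * uncaught NumberFormatException / NullPointerException /
     * IndexOutOfBoundsException, i.e. as a 500).
     */
    String method = request.getMethod();
    User signedInUser = ControllerUtil.getSignedInUser();
    if (signedInUser == null) {
        // if ControllerUtil can return null for an anonymous caller, deny
        // rather than NPE on getUserDetails()
        return false;
    }

    Collection<? extends GrantedAuthority> authorities = signedInUser.getUserDetails().getAuthorities();
    for (GrantedAuthority authority : authorities) {
        String role = authority.getAuthority();
        if (role.equals(UserDetailsService.ADMIN_ROLE)) {
            return true;
        }
        if (role.equals(UserDetailsService.TEACHER_ROLE)) {
            if ("cRater".equals(request.getParameter("type"))) {
                // any teacher can make a cRater request
                return true;
            }
            Run run = null;
            try {
                // Long.valueOf(null) throws NumberFormatException, so a
                // missing runId ends up in the run == null branch below
                run = runService.retrieveById(Long.valueOf(request.getParameter("runId")));
            } catch (NumberFormatException e) {
                e.printStackTrace();
            } catch (ObjectNotFoundException e) {
                e.printStackTrace();
            }
            if (run == null) {
                return false;
            }
            if (runService.hasRunPermission(run, signedInUser, BasePermission.WRITE)) {
                return true;
            }
            if (runService.hasRunPermission(run, signedInUser, BasePermission.READ)) {
                if (method.equals("GET")) {
                    return true;
                }
                if (method.equals("POST")) {
                    // read-only teachers may not modify run data
                    return false;
                }
            }
            // NOTE(review): a teacher with no permission on this run is
            // intentionally not denied here (original behaviour); they are
            // subject to the workgroup-based checks below.
        }
    }

    if (method.equals("POST")) {
        // NOTE(review): POSTs from non-admin, non-teacher callers are accepted
        // unconditionally; whatever handles them must do its own scoping.
        return true;
    }
    if (!method.equals("GET")) {
        // other request methods are not authorized at this point
        return false;
    }

    String type = request.getParameter("type");
    Long runId = null;
    Long period = null; // only meaningful for classmate lookups
    try {
        String runIdString = request.getParameter("runId");
        if (runIdString != null) {
            runId = Long.parseLong(runIdString);
        }
        String periodString = request.getParameter("periodId");
        if (periodString != null) {
            period = Long.parseLong(periodString);
        }
    } catch (NumberFormatException e) {
        // malformed id: deny instead of propagating a 500
        return false;
    }

    // the caller's own workgroup id in this run, if they have one
    Long signedInWorkgroupId = null;
    if (runId != null) {
        try {
            Run offering = runService.retrieveById(runId);
            List<Workgroup> ownWorkgroups =
                    workgroupService.getWorkgroupListByOfferingAndUser(offering, signedInUser);
            if (!ownWorkgroups.isEmpty()) {
                signedInWorkgroupId = ownWorkgroups.get(0).getId();
            }
        } catch (ObjectNotFoundException e) {
            e.printStackTrace();
        }
    }

    String workgroupIdStr = null;     // ":"-separated ids the request wants to read
    String fromWorkgroupIdStr = null; // annotations only
    boolean canAccessOtherWorkgroups = false;

    if (type == null) {
        workgroupIdStr = request.getParameter("userId");
    } else if (type.equals("flag") || type.equals("inappropriateFlag")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
    } else if (type.equals("annotation")) {
        if ("cRater".equals(request.getParameter("annotationType"))) {
            // anyone can make a cRater annotation
            return true;
        }
        workgroupIdStr = request.getParameter("toWorkgroup");
        fromWorkgroupIdStr = request.getParameter("fromWorkgroup");
        canAccessOtherWorkgroups = true;
    } else if (type.equals("brainstorm")) {
        workgroupIdStr = request.getParameter("userId");
        canAccessOtherWorkgroups = true;
    } else if (type.equals("aggregate")) {
        // other students' work for the aggregate view; nodeIds must be given
        if (request.getParameter("nodeIds") != null) {
            if (request.getParameter("allStudents") != null
                    && Boolean.valueOf(request.getParameter("allStudents"))) {
                // The original returned true unconditionally here, which let
                // any signed-in user pull every workgroup of any run. Require
                // the caller to own or be enrolled in the run.
                return runId != null
                        && (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId));
            }
            workgroupIdStr = request.getParameter("userId");
            canAccessOtherWorkgroups = true;
        }
    } else if (type.equals("journal")) {
        workgroupIdStr = request.getParameter("workgroupId");
    } else if (type.equals("peerreview")) {
        // Original: "return true for now until logic is implemented". Until
        // then, at least require the caller to own or be enrolled in the run.
        return runId != null
                && (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId));
    } else if (type.equals("xlsexport") || type.equals("specialExport")) {
        // Original: "TODO: need to check user permissions" and returned true
        // for everyone. Teachers with READ/WRITE on the run have already been
        // admitted above; this gate keeps out users with no relation to the
        // run. NOTE(review): if exports are meant to be teacher-only, tighten
        // this to isUserOwnerOfRun alone.
        return runId != null
                && (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId));
    } else if (type.equals("ideaBasket")) {
        // NOTE(review): allowed for any signed-in user; handleIdeaBasket must
        // scope what it returns to the caller.
        return true;
    } else if (type.equals("studentAssetManager")) {
        // NOTE(review): allowed for any signed-in user; handleStudentAssetManager
        // must scope what it returns to the caller.
        return true;
    } else if (type.equals("xmppAuthenticate")) {
        return true;
    } else if (type.equals("cRater")) {
        // students may only make scoring requests; any other
        // cRaterRequestType falls through and is denied
        if ("scoring".equals(request.getParameter("cRaterRequestType"))) {
            return true;
        }
    } else if (type.equals("runStatus")) {
        if (isUserOwnerOfRun(signedInUser, runId) || isUserInRun(signedInUser, runId)) {
            return true;
        }
    }
    // Any other type (including "chatLog", "studentStatus" and
    // "viewStudentAssets", which handleGet serves but this method does not
    // list) reaches here with no workgroup ids and is denied.

    if (workgroupIdStr == null || workgroupIdStr.isEmpty()) {
        return false;
    }
    String[] workgroupIds = workgroupIdStr.split(":");

    if (!canAccessOtherWorkgroups) {
        // may only read the workgroups the caller belongs to
        List<Workgroup> workgroupsForUser = workgroupService.getWorkgroupsForUser(signedInUser);
        return elementsInCollection(workgroupIds, workgroupsForUser);
    }

    if (fromWorkgroupIdStr != null && !fromWorkgroupIdStr.isEmpty()
            && signedInWorkgroupId != null
            && fromWorkgroupIdStr.equals(String.valueOf(signedInWorkgroupId))) {
        // The caller is asking for annotations they wrote themselves. The
        // original compared a String to a Long with equals(), which was always
        // false, so this shortcut never fired. NOTE(review): it trusts the
        // annotations handler to actually filter by fromWorkgroup.
        return true;
    }
    try {
        // every requested workgroup must be a classmate in this run/period
        Set<Workgroup> classmateWorkgroups = runService.getWorkgroups(runId, period);
        return elementsInCollection(workgroupIds, classmateWorkgroups);
    } catch (ObjectNotFoundException e) {
        e.printStackTrace();
        return false;
    }
}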