zervo/seb-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SEBSERV-87 fix

Browse source
This commit is contained in:
anhefti 2019-08-14 16:43:23 +02:00
parent 7d476aba52
commit d8402b1a99
4 changed files with 42 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
View file

@ -137,11 +137,11 @@ public interface AuthorizationService {
currentUser.getUserRoles()); currentUser.getUserRoles());
} }
/** Check read-only grant for a given Entity instance and current user. /** Check read grant for a given Entity instance and current user.
* *
* @param grantEntity Entity instance * @param grantEntity Entity instance
* @return true if the current user has read-only grant on given Entity instance or false on deny */ * @return true if the current user has read grant on given Entity instance or false on deny */
default boolean hasReadonlyGrant(final GrantEntity grantEntity) { default boolean hasReadGrant(final GrantEntity grantEntity) {
return hasGrant(PrivilegeType.READ, grantEntity); return hasGrant(PrivilegeType.READ, grantEntity);
} }

2
src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java
View file

@ -381,7 +381,7 @@ public abstract class EntityController<T extends Entity, M extends Entity> {
protected boolean hasReadAccess(final T entity) { protected boolean hasReadAccess(final T entity) {
final GrantEntity grantEntity = toGrantEntity(entity); final GrantEntity grantEntity = toGrantEntity(entity);
if (grantEntity != null) { if (grantEntity != null) {
return this.authorization.hasReadonlyGrant(grantEntity); return this.authorization.hasReadGrant(grantEntity);
} }
return true; return true;

37
src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamMonitoringController.java
View file

@ -30,9 +30,9 @@ import ch.ethz.seb.sebserver.gbl.model.exam.Exam;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData; import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData;
import ch.ethz.seb.sebserver.gbl.model.user.UserRole; import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
import ch.ethz.seb.sebserver.gbl.util.Utils;
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.PermissionDeniedException;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.FilterMap; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.FilterMap;
import ch.ethz.seb.sebserver.webservice.servicelayer.session.ExamSessionService; import ch.ethz.seb.sebserver.webservice.servicelayer.session.ExamSessionService;
@ -113,7 +113,9 @@ public class ExamMonitoringController {
} }
final List<Exam> exams = new ArrayList<>(this.examSessionService final List<Exam> exams = new ArrayList<>(this.examSessionService
.getFilteredRunningExams(filterMap, Utils.truePredicate()) .getFilteredRunningExams(
filterMap,
exam -> this.hasRunningExamPrivilege(exam, institutionId))
.getOrThrow()); .getOrThrow());
return ExamAdministrationController.buildSortedExamPage( return ExamAdministrationController.buildSortedExamPage(
@ -135,11 +137,20 @@ public class ExamMonitoringController {
defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId, defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId,
@PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId) { @PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId) {
// check overall privilege
this.authorization.checkRole( this.authorization.checkRole(
institutionId, institutionId,
EntityType.EXAM, EntityType.EXAM,
UserRole.EXAM_SUPPORTER); UserRole.EXAM_SUPPORTER);
// check running exam privilege for specified exam
if (!hasRunningExamPrivilege(examId, institutionId)) {
throw new PermissionDeniedException(
EntityType.EXAM,
PrivilegeType.READ,
this.authorization.getUserService().getCurrentUser().getUserInfo());
}
return this.examSessionService return this.examSessionService
.getConnectionData(examId) .getConnectionData(examId)
.getOrThrow(); .getOrThrow();
@ -158,14 +169,36 @@ public class ExamMonitoringController {
@PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId, @PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId,
@PathVariable(name = API.EXAM_API_SEB_CONNECTION_TOKEN, required = true) final String connectionToken) { @PathVariable(name = API.EXAM_API_SEB_CONNECTION_TOKEN, required = true) final String connectionToken) {
// check overall privilege
this.authorization.checkRole( this.authorization.checkRole(
institutionId, institutionId,
EntityType.EXAM, EntityType.EXAM,
UserRole.EXAM_SUPPORTER); UserRole.EXAM_SUPPORTER);
// check running exam privilege for specified exam
if (!hasRunningExamPrivilege(examId, institutionId)) {
throw new PermissionDeniedException(
EntityType.EXAM,
PrivilegeType.READ,
this.authorization.getUserService().getCurrentUser().getUserInfo());
}
return this.examSessionService return this.examSessionService
.getConnectionData(connectionToken) .getConnectionData(connectionToken)
.getOrThrow(); .getOrThrow();
} }
private boolean hasRunningExamPrivilege(final Long examId, final Long institution) {
return hasRunningExamPrivilege(
this.examSessionService.getRunningExam(examId).getOr(null),
institution);
}
private boolean hasRunningExamPrivilege(final Exam exam, final Long institution) {
if (exam == null) {
return false;
}
return exam.institutionId.equals(institution) && this.authorization.hasReadGrant(exam);
}
} }

6
src/test/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceTest.java
View file

@ -42,7 +42,7 @@ public class AuthorizationServiceTest {
final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, ""); final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, "");
assertTrue(service.hasReadonlyGrant(institution)); assertTrue(service.hasReadGrant(institution));
assertTrue(service.hasModifyGrant(institution)); assertTrue(service.hasModifyGrant(institution));
assertTrue(service.hasWriteGrant(institution)); assertTrue(service.hasWriteGrant(institution));
} }
@ -57,13 +57,13 @@ public class AuthorizationServiceTest {
final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, ""); final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, "");
assertTrue(service.hasReadonlyGrant(ownInstitution)); assertTrue(service.hasReadGrant(ownInstitution));
assertTrue(service.hasModifyGrant(ownInstitution)); assertTrue(service.hasModifyGrant(ownInstitution));
assertFalse(service.hasWriteGrant(ownInstitution)); assertFalse(service.hasWriteGrant(ownInstitution));
final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, ""); final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, "");
assertFalse(service.hasReadonlyGrant(otherInstitution)); assertFalse(service.hasReadGrant(otherInstitution));
assertFalse(service.hasModifyGrant(otherInstitution)); assertFalse(service.hasModifyGrant(otherInstitution));
assertFalse(service.hasWriteGrant(otherInstitution)); assertFalse(service.hasWriteGrant(otherInstitution));
} }