zervo/seb-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SEBSERV-87 fix

Browse source
This commit is contained in:
anhefti 2019-08-14 16:43:23 +02:00
parent 7d476aba52
commit d8402b1a99
4 changed files with 42 additions and 9 deletions
src
main/java/ch/ethz/seb/sebserver/webservice
servicelayer/authorization
AuthorizationService.java
weblayer/api
EntityController.javaExamMonitoringController.java
test/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization
AuthorizationServiceTest.java

6
src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java
View file

@ -137,11 +137,11 @@ public interface AuthorizationService {
currentUser.getUserRoles());
}
/** Check read-only grant for a given Entity instance and current user.
/** Check read grant for a given Entity instance and current user.
*
* @param grantEntity Entity instance
* @return true if the current user has read-only grant on given Entity instance or false on deny */
default boolean hasReadonlyGrant(final GrantEntity grantEntity) {
* @return true if the current user has read grant on given Entity instance or false on deny */
default boolean hasReadGrant(final GrantEntity grantEntity) {
return hasGrant(PrivilegeType.READ, grantEntity);
}

2
src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java
View file

@ -381,7 +381,7 @@ public abstract class EntityController<T extends Entity, M extends Entity> {
protected boolean hasReadAccess(final T entity) {
final GrantEntity grantEntity = toGrantEntity(entity);
if (grantEntity != null) {
return this.authorization.hasReadonlyGrant(grantEntity);
return this.authorization.hasReadGrant(grantEntity);
}
return true;

37
src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamMonitoringController.java
View file

@ -30,9 +30,9 @@ import ch.ethz.seb.sebserver.gbl.model.exam.Exam;
import ch.ethz.seb.sebserver.gbl.model.session.ClientConnectionData;
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
import ch.ethz.seb.sebserver.gbl.util.Utils;
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.PermissionDeniedException;
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.FilterMap;
import ch.ethz.seb.sebserver.webservice.servicelayer.session.ExamSessionService;
@ -113,7 +113,9 @@ public class ExamMonitoringController {
}
final List<Exam> exams = new ArrayList<>(this.examSessionService
.getFilteredRunningExams(filterMap, Utils.truePredicate())
.getFilteredRunningExams(
filterMap,
exam -> this.hasRunningExamPrivilege(exam, institutionId))
.getOrThrow());
return ExamAdministrationController.buildSortedExamPage(
@ -135,11 +137,20 @@ public class ExamMonitoringController {
defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId,
@PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId) {
// check overall privilege
this.authorization.checkRole(
institutionId,
EntityType.EXAM,
UserRole.EXAM_SUPPORTER);
// check running exam privilege for specified exam
if (!hasRunningExamPrivilege(examId, institutionId)) {
throw new PermissionDeniedException(
EntityType.EXAM,
PrivilegeType.READ,
this.authorization.getUserService().getCurrentUser().getUserInfo());
}
return this.examSessionService
.getConnectionData(examId)
.getOrThrow();
@ -158,14 +169,36 @@ public class ExamMonitoringController {
@PathVariable(name = API.EXAM_API_PARAM_EXAM_ID, required = true) final Long examId,
@PathVariable(name = API.EXAM_API_SEB_CONNECTION_TOKEN, required = true) final String connectionToken) {
// check overall privilege
this.authorization.checkRole(
institutionId,
EntityType.EXAM,
UserRole.EXAM_SUPPORTER);
// check running exam privilege for specified exam
if (!hasRunningExamPrivilege(examId, institutionId)) {
throw new PermissionDeniedException(
EntityType.EXAM,
PrivilegeType.READ,
this.authorization.getUserService().getCurrentUser().getUserInfo());
}
return this.examSessionService
.getConnectionData(connectionToken)
.getOrThrow();
}
private boolean hasRunningExamPrivilege(final Long examId, final Long institution) {
return hasRunningExamPrivilege(
this.examSessionService.getRunningExam(examId).getOr(null),
institution);
}
private boolean hasRunningExamPrivilege(final Exam exam, final Long institution) {
if (exam == null) {
return false;
}
return exam.institutionId.equals(institution) && this.authorization.hasReadGrant(exam);
}
}

6
src/test/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceTest.java
View file

@ -42,7 +42,7 @@ public class AuthorizationServiceTest {
final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, "");
assertTrue(service.hasReadonlyGrant(institution));
assertTrue(service.hasReadGrant(institution));
assertTrue(service.hasModifyGrant(institution));
assertTrue(service.hasWriteGrant(institution));
}
@ -57,13 +57,13 @@ public class AuthorizationServiceTest {
final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, "");
assertTrue(service.hasReadonlyGrant(ownInstitution));
assertTrue(service.hasReadGrant(ownInstitution));
assertTrue(service.hasModifyGrant(ownInstitution));
assertFalse(service.hasWriteGrant(ownInstitution));
final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, "");
assertFalse(service.hasReadonlyGrant(otherInstitution));
assertFalse(service.hasReadGrant(otherInstitution));
assertFalse(service.hasModifyGrant(otherInstitution));
assertFalse(service.hasWriteGrant(otherInstitution));
}