Index: lams_admin/src/java/org/lamsfoundation/lams/admin/service/AdminServiceProxy.java
===================================================================
diff -u -r009fbce36f45d0929f8007c4bbc798242f57d3af -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
--- lams_admin/src/java/org/lamsfoundation/lams/admin/service/AdminServiceProxy.java (.../AdminServiceProxy.java) (revision 009fbce36f45d0929f8007c4bbc798242f57d3af)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/service/AdminServiceProxy.java (.../AdminServiceProxy.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f)
@@ -29,6 +29,7 @@
 import org.lamsfoundation.lams.integration.service.IIntegrationService;
 import org.lamsfoundation.lams.lesson.service.ILessonService;
 import org.lamsfoundation.lams.monitoring.service.IMonitoringService;
+import org.lamsfoundation.lams.security.ISecurityService;
 import org.lamsfoundation.lams.statistics.service.IStatisticsService;
 import org.lamsfoundation.lams.themes.service.IThemeService;
 import org.lamsfoundation.lams.timezone.service.ITimezoneService;
@@ -43,118 +44,140 @@ /** * @author jliew * - * Common class to make it easier to get the Spring beans. + * Common class to make it easier to get the Spring beans. */ public class AdminServiceProxy { - - private static IUserManagementService manageService; - private static MessageService messageService; - private static IIntegrationService integrationService; - private static IAuditService auditService; - private static IImportService importService; - private static LdapService ldapService; - private static IStatisticsService statisticsService; - private static IThemeService themeService; - private static Configuration configurationService; - private static ILessonService lessonService; - private static IMonitoringService monitoringService; - private static IEventNotificationService eventNotificationService; - private static ITimezoneService timezoneService; - - public static final IUserManagementService getService(ServletContext servletContext) { - if (manageService == null) { - manageService = (IUserManagementService)getDomainService(servletContext, "userManagementService"); - } - return manageService; + + private static IUserManagementService manageService; + private static MessageService messageService; + private static IIntegrationService integrationService; + private static IAuditService auditService; + private static IImportService importService; + private static LdapService ldapService; + private static IStatisticsService statisticsService; + private static IThemeService themeService; + private static Configuration configurationService; + private static ILessonService lessonService; + private static IMonitoringService monitoringService; + private static IEventNotificationService eventNotificationService; + private static ITimezoneService timezoneService; + private static ISecurityService securityService; + + public static final IUserManagementService getService(ServletContext servletContext) { + if (AdminServiceProxy.manageService == null) { + 
AdminServiceProxy.manageService = (IUserManagementService) AdminServiceProxy.getDomainService( + servletContext, "userManagementService"); } - - public static final MessageService getMessageService(ServletContext servletContext) { - if (messageService == null) { - messageService = (MessageService)getDomainService(servletContext, "adminMessageService"); - } - return messageService; + return AdminServiceProxy.manageService; + } + public static final MessageService getMessageService(ServletContext servletContext) { + if (AdminServiceProxy.messageService == null) { + AdminServiceProxy.messageService = (MessageService) AdminServiceProxy.getDomainService(servletContext, + "adminMessageService"); } - - public static final IIntegrationService getIntegrationService(ServletContext servletContext) { - if (integrationService == null){ - integrationService = (IIntegrationService)getDomainService(servletContext, "integrationService"); - } - return integrationService; + return AdminServiceProxy.messageService; + + } + + public static final IIntegrationService getIntegrationService(ServletContext servletContext) { + if (AdminServiceProxy.integrationService == null) { + AdminServiceProxy.integrationService = (IIntegrationService) AdminServiceProxy.getDomainService( + servletContext, "integrationService"); } - - public static final IAuditService getAuditService(ServletContext servletContext) { - if (auditService == null){ - auditService = (IAuditService)getDomainService(servletContext, "auditService"); - } - return auditService; + return AdminServiceProxy.integrationService; + } + + public static final IAuditService getAuditService(ServletContext servletContext) { + if (AdminServiceProxy.auditService == null) { + AdminServiceProxy.auditService = (IAuditService) AdminServiceProxy.getDomainService(servletContext, + "auditService"); } - - public static final IImportService getImportService(ServletContext servletContext) { - if (importService == null){ - importService = 
(IImportService)getDomainService(servletContext, "importService"); - } - return importService; + return AdminServiceProxy.auditService; + } + + public static final IImportService getImportService(ServletContext servletContext) { + if (AdminServiceProxy.importService == null) { + AdminServiceProxy.importService = (IImportService) AdminServiceProxy.getDomainService(servletContext, + "importService"); } - - public static final LdapService getLdapService(ServletContext servletContext) { - if (ldapService == null) { - ldapService = (LdapService)getDomainService(servletContext, "ldapService"); - } - return ldapService; + return AdminServiceProxy.importService; + } + + public static final LdapService getLdapService(ServletContext servletContext) { + if (AdminServiceProxy.ldapService == null) { + AdminServiceProxy.ldapService = (LdapService) AdminServiceProxy.getDomainService(servletContext, + "ldapService"); } - - public static final IStatisticsService getStatisticsService(ServletContext servletContext) { - if (statisticsService == null) { - statisticsService = (IStatisticsService)getDomainService(servletContext, "statisticsService"); - } - return statisticsService; + return AdminServiceProxy.ldapService; + } + + public static final IStatisticsService getStatisticsService(ServletContext servletContext) { + if (AdminServiceProxy.statisticsService == null) { + AdminServiceProxy.statisticsService = (IStatisticsService) AdminServiceProxy.getDomainService( + servletContext, "statisticsService"); } - - public static final IThemeService getThemeService(ServletContext servletContext) { - if (themeService == null) { - themeService = (IThemeService)getDomainService(servletContext, "themeService"); - } - return themeService; + return AdminServiceProxy.statisticsService; + } + + public static final IThemeService getThemeService(ServletContext servletContext) { + if (AdminServiceProxy.themeService == null) { + AdminServiceProxy.themeService = (IThemeService) 
AdminServiceProxy.getDomainService(servletContext, + "themeService"); } - - public static final Configuration getConfiguration(ServletContext servletContext) { - if (configurationService == null) { - configurationService = (Configuration)getDomainService(servletContext, "configurationService"); - } - return configurationService; + return AdminServiceProxy.themeService; + } + + public static final Configuration getConfiguration(ServletContext servletContext) { + if (AdminServiceProxy.configurationService == null) { + AdminServiceProxy.configurationService = (Configuration) AdminServiceProxy.getDomainService(servletContext, + "configurationService"); } - - public static final ILessonService getLessonService(ServletContext servletContext) { - if (lessonService == null) { - lessonService = (ILessonService)getDomainService(servletContext, "lessonService"); - } - return lessonService; + return AdminServiceProxy.configurationService; + } + + public static final ILessonService getLessonService(ServletContext servletContext) { + if (AdminServiceProxy.lessonService == null) { + AdminServiceProxy.lessonService = (ILessonService) AdminServiceProxy.getDomainService(servletContext, + "lessonService"); } - - public static final IMonitoringService getMonitoringService(ServletContext servletContext) { - if (monitoringService == null) { - monitoringService = (IMonitoringService)getDomainService(servletContext, "monitoringService"); - } - return monitoringService; + return AdminServiceProxy.lessonService; + } + + public static final IMonitoringService getMonitoringService(ServletContext servletContext) { + if (AdminServiceProxy.monitoringService == null) { + AdminServiceProxy.monitoringService = (IMonitoringService) AdminServiceProxy.getDomainService( + servletContext, "monitoringService"); } - - public static final IEventNotificationService getEventNotificationService(ServletContext servletContext) { - if (eventNotificationService == null) { - eventNotificationService = 
(IEventNotificationService)getDomainService(servletContext, "eventNotificationService"); - } - return eventNotificationService; + return AdminServiceProxy.monitoringService; + } + + public static final IEventNotificationService getEventNotificationService(ServletContext servletContext) { + if (AdminServiceProxy.eventNotificationService == null) { + AdminServiceProxy.eventNotificationService = (IEventNotificationService) AdminServiceProxy + .getDomainService(servletContext, "eventNotificationService"); } - - private static Object getDomainService(ServletContext servletContext,String serviceName) { - WebApplicationContext wac = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext); - return wac.getBean(serviceName); + return AdminServiceProxy.eventNotificationService; } - - public static final ITimezoneService getTimezoneService(ServletContext servletContext) { - if (timezoneService == null) { - timezoneService = (ITimezoneService)getDomainService(servletContext, "timezoneService"); - } - return timezoneService; + + private static Object getDomainService(ServletContext servletContext, String serviceName) { + WebApplicationContext wac = WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext); + return wac.getBean(serviceName); + } + + public static final ITimezoneService getTimezoneService(ServletContext servletContext) { + if (AdminServiceProxy.timezoneService == null) { + AdminServiceProxy.timezoneService = (ITimezoneService) AdminServiceProxy.getDomainService(servletContext, + "timezoneService"); } -} + return AdminServiceProxy.timezoneService; + } + + public static final ISecurityService getSecurityService(ServletContext servletContext) { + if (AdminServiceProxy.securityService == null) { + AdminServiceProxy.securityService = (ISecurityService) AdminServiceProxy.getDomainService(servletContext, + "securityService"); + } + return AdminServiceProxy.securityService; + } +} \ No newline at end of file Index: 
lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java
===================================================================
diff -u -r7ab9e2377fd1ff4c3c5554bd1f6dffe3384f6f9a -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java (.../OrgManageAction.java) (revision 7ab9e2377fd1ff4c3c5554bd1f6dffe3384f6f9a)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java (.../OrgManageAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f)
@@ -37,6 +37,7 @@
 import org.apache.struts.action.ActionMapping;
 import org.lamsfoundation.lams.admin.service.AdminServiceProxy;
 import org.lamsfoundation.lams.admin.web.form.OrgManageForm;
+import org.lamsfoundation.lams.security.ISecurityService;
 import org.lamsfoundation.lams.usermanagement.Organisation;
 import org.lamsfoundation.lams.usermanagement.OrganisationState;
 import org.lamsfoundation.lams.usermanagement.OrganisationType;
@@ -63,134 +64,123 @@ /** * struts doclets * - * @struts:action path="/orgmanage" - * name="OrgManageForm" - * input=".orglist" - * scope="request" - * validate="false" + * @struts:action path="/orgmanage" name="OrgManageForm" input=".orglist" scope="request" validate="false" * * @struts:action-forward name="orglist" path=".orglist" */ public class OrgManageAction extends Action { - - private static IUserManagementService service; - private static MessageService messageService; - - public ActionForward execute(ActionMapping mapping, - ActionForm form, - HttpServletRequest request, - HttpServletResponse response) throws Exception{ - - service = AdminServiceProxy.getService(getServlet().getServletContext()); - messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext()); - - // Get organisation whose child organisations we will populate the OrgManageForm with - Integer orgId = WebUtil.readIntParam(request, "org", true); - Organisation org = null; - if (orgId == null){ - orgId = (Integer)request.getAttribute("org"); - } - if ((orgId != null) && (orgId > 0)) { - org = (Organisation)service.findById(Organisation.class, orgId); - if (org == null){ - request.setAttribute("errorName", "OrgManageAction"); - request.setAttribute("errorMessage", messageService.getMessage("error.org.invalid")); - return mapping.findForward("error"); - } - } - - // get number of users figure - // TODO use hql that does a count instead of getting whole objects - Integer numUsers = (service.getRootOrganisation().equals(org) - ? service.getCountUsers() - : Integer.valueOf(service.getUsersFromOrganisation(orgId).size()) - ); - String key = (service.getRootOrganisation().getOrganisationId().equals(orgId) - ? 
"label.users.in.system" - : "label.users.in.group" - ); - String[] args = { numUsers.toString() }; - request.setAttribute("numUsers", messageService.getMessage(key, args)); - - // get logged in user's id - Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID(); - - // Set OrgManageForm - OrgManageForm orgManageForm = (OrgManageForm)form; - if (orgManageForm == null) { - orgManageForm = new OrgManageForm(); - orgManageForm.setStateId(OrganisationState.ACTIVE); - } else if (orgManageForm.getStateId() == null) { - orgManageForm.setStateId(OrganisationState.ACTIVE); - } - orgManageForm.setParentId(orgId); - orgManageForm.setParentName(org.getName()); - orgManageForm.setType(org.getOrganisationType().getOrganisationTypeId()); - - // Get list of child organisations depending on requestor's role and the organisation's type - if (!orgManageForm.getType().equals(OrganisationType.CLASS_TYPE)) { - List orgManageBeans = new ArrayList(); - if (request.isUserInRole(Role.SYSADMIN) || request.isUserInRole(Role.GROUP_ADMIN) || request.isUserInRole(Role.GROUP_MANAGER)){ - // the organisation type of the children - Integer typeId = (orgManageForm.getType().equals(OrganisationType.ROOT_TYPE) - ? OrganisationType.COURSE_TYPE - : OrganisationType.CLASS_TYPE - ); - HashMap properties = new HashMap(); - properties.put("organisationType.organisationTypeId", typeId); - properties.put("organisationState.organisationStateId", orgManageForm.getStateId()); - List organisations = service.findByProperties(Organisation.class, properties); - - for (int i=0; i orgManageBeans = new ArrayList(); + // the organisation type of the children + Integer typeId = (orgManageForm.getType().equals(OrganisationType.ROOT_TYPE) ? 
OrganisationType.COURSE_TYPE + : OrganisationType.CLASS_TYPE); + + HashMap properties = new HashMap(); + properties.put("organisationType.organisationTypeId", typeId); + properties.put("organisationState.organisationStateId", orgManageForm.getStateId()); + List organisations = userManagementService.findByProperties(Organisation.class, properties); + + for (Organisation organisation : organisations) { + Organisation parentOrg = (typeId.equals(OrganisationType.CLASS_TYPE)) ? organisation + .getParentOrganisation() : organisation; + // do not list this org if it is not a child of the requested parent + if (typeId.equals(OrganisationType.CLASS_TYPE) && !parentOrg.getOrganisationId().equals(orgId)) { + continue; } - - - - // let the jsp know whether to display links - request.setAttribute("createGroup", request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin()); - request.setAttribute("editGroup", service.canEditGroup(userId, orgId)); - request.setAttribute("manageGlobalRoles", request.isUserInRole(Role.SYSADMIN)); - return mapping.findForward("orglist"); + + OrgManageBean orgManageBean = new OrgManageBean(); + BeanUtils.copyProperties(orgManageBean, organisation); + orgManageBean.setStatus(organisation.getOrganisationState().getDescription()); + orgManageBean.setEditable(true); + orgManageBeans.add(orgManageBean); + } + Collections.sort(orgManageBeans); + orgManageForm.setOrgManageBeans(orgManageBeans); + request.setAttribute("OrgManageForm", orgManageForm); + + // display org info + request.setAttribute("org", org); } -} + // let the jsp know whether to display links + request.setAttribute("createGroup", isGlobalManager); + request.setAttribute("editGroup", true); + request.setAttribute("manageGlobalRoles", request.isUserInRole(Role.SYSADMIN)); + return mapping.findForward("orglist"); + } +} \ No newline at end of file Index: lams_build/lib/lams/lams-admin.jar =================================================================== diff -u 
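Review bot: In `OrgManageAction.execute()`, `request.setAttribute("editGroup", true)` now hard-codes what the removed code computed with `service.canEditGroup(userId, orgId)`, and each bean is likewise marked `setEditable(true)`, so every caller who reaches these lines is shown the edit links. The start of the new method body is missing from this page (the text breaks off inside the old `for` loop), so whatever guard precedes these lines cannot be checked here; if it admits anyone who may view but not edit the organisation, the flags overstate that user's rights. I would add a comment above the flags, for example `// editGroup is unconditional only because the access check above already rejected callers who cannot manage orgId`, and confirm that the create and edit actions repeat the check server-side rather than relying on the JSP hiding the links.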
-rd56929f06ad90a63082d514e6521adc175f3de27 -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
Binary files differ
Index: lams_build/lib/lams/lams-central.jar
===================================================================
diff -u -rc6c0c809a24fad08c33e762caa19a9f16ba7c4ba -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
Binary files differ
Index: lams_build/lib/lams/lams-gradebook.jar
===================================================================
diff -u -rc6c0c809a24fad08c33e762caa19a9f16ba7c4ba -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
Binary files differ
Index: lams_build/lib/lams/lams-monitoring.jar
===================================================================
diff -u -rc6c0c809a24fad08c33e762caa19a9f16ba7c4ba -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
Binary files differ
Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -rc6c0c809a24fad08c33e762caa19a9f16ba7c4ba -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java
===================================================================
diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f
--- lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java (.../AuthoringAction.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac)
+++ lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java (.../AuthoringAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f)
@@ -124,7 +124,7 @@ public ActionForward openAuthoring(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws IOException, JSONException { request.setAttribute(AttributeNames.PARAM_CONTENT_FOLDER_ID, FileUtil.generateUniqueContentFolderID()); - + request.setAttribute("tools", getLearningDesignService().getToolDTOs(true, request.getRemoteUser())); // build list of existing learning library groups List groups = getLearningDesignService().getLearningLibraryGroups(); @@ -368,7 +368,7 @@ } catch (Exception e) { response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); } - + return null; } @@ -454,7 +454,7 @@ // if the tool content ID was not provided, generate the next unique content ID for the tool toolContentID = authoringService.insertToolContentID(toolID); } - + if (toolContentID != null) { String contentFolderID = request.getParameter(AttributeNames.PARAM_CONTENT_FOLDER_ID); if (StringUtils.isBlank(contentFolderID)) { 
@@ -727,13 +727,13 @@ } return AuthoringAction.learningDesignService; } - + private ISecurityService getSecurityService() { - if (securityService == null) { + if (AuthoringAction.securityService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - securityService = (ISecurityService) ctx.getBean("securityService"); + AuthoringAction.securityService = (ISecurityService) ctx.getBean("securityService"); } - return securityService; + return AuthoringAction.securityService; } } \ No newline at end of file Index: lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupAction.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupAction.java (.../DisplayGroupAction.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac) +++ lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupAction.java (.../DisplayGroupAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) 
@@ -92,8 +92,8 @@ if (org != null) { User user = getUser(request.getRemoteUser()); if (!getSecurityService().hasOrgRole(orgId, user.getUserId(), - new String[] { Role.LEARNER, Role.MONITOR, Role.AUTHOR }, "display group", false) - && !getSecurityService().isGroupManager(orgId, user.getUserId(), "display group", false)) { + new String[] { Role.GROUP_MANAGER, Role.LEARNER, Role.MONITOR, Role.AUTHOR }, "display group", + false)) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a part of the organisation"); return null; } Index: lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsAction.java =================================================================== diff -u -r813ab0cf9ff81d0832a7f7ec185ef9dc4ce1c987 -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsAction.java (.../FindUserLessonsAction.java) (revision 813ab0cf9ff81d0832a7f7ec185ef9dc4ce1c987) +++ lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsAction.java (.../FindUserLessonsAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -3,14 +3,13 @@ import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; -import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; -import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; import org.apache.struts.action.ActionForm; 
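Review bot: In the `DisplayGroupAction` hunk (`@@ -92,8 +92,8 @@`), folding the separate `isGroupManager(orgId, ...)` call into the `hasOrgRole` role list is equivalent only if `hasOrgRole` resolves `Role.GROUP_MANAGER` the same way `isGroupManager` did, for instance for a manager whose role is held on the parent course when `orgId` is a class. Neither implementation is visible in this diff, so the change may silently widen or narrow who passes the check. I would cover it with a test for a course-level manager opening a class and record the intended rule in a comment such as `// GROUP_MANAGER is evaluated like any other role on orgId; no separate isGroupManager check`. Separately, `user` from `getUser(request.getRemoteUser())` is dereferenced as `user.getUserId()` on the context line without a null check; that predates this change but sits on the authorisation path.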
@@ -19,14 +18,18 @@ import org.apache.struts.actions.DispatchAction; import org.apache.tomcat.util.json.JSONArray; import org.apache.tomcat.util.json.JSONObject; -import org.lamsfoundation.lams.learning.service.ILearnerService; import org.lamsfoundation.lams.lesson.Lesson; import org.lamsfoundation.lams.lesson.dto.LessonDTO; import org.lamsfoundation.lams.lesson.service.ILessonService; +import org.lamsfoundation.lams.security.ISecurityService; import org.lamsfoundation.lams.usermanagement.Organisation; import org.lamsfoundation.lams.usermanagement.User; +import org.lamsfoundation.lams.usermanagement.dto.UserDTO; import org.lamsfoundation.lams.usermanagement.service.IUserManagementService; +import org.lamsfoundation.lams.util.CentralConstants; import org.lamsfoundation.lams.util.WebUtil; +import org.lamsfoundation.lams.web.session.SessionManager; +import org.lamsfoundation.lams.web.util.AttributeNames; import org.springframework.web.context.WebApplicationContext; import org.springframework.web.context.support.WebApplicationContextUtils; 
@@ -39,60 +42,47 @@ * @struts.action-forward name="success-getResults" path="/findUserLessons.jsp" */ public class FindUserLessonsAction extends DispatchAction { + private static final Logger log = Logger.getLogger(FindUserLessonsAction.class); - private static final Logger logger = Logger.getLogger(FindUserLessonsAction.class); - private static IUserManagementService userManagementService; - private static ILessonService lessonService; + private static ISecurityService securityService; - private static ILearnerService learnerService; - - @Override - public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) throws Exception { - - // setup service - if (userManagementService == null || lessonService == null) { - setupService(); - } - - return super.execute(mapping, form, request, response); - } - public ActionForward getResults(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { - // get query String query = WebUtil.readStrParam(request, "query", true); Integer courseID = WebUtil.readIntParam(request, "courseID", true); Integer classID = WebUtil.readIntParam(request, "classID", true); if (courseID == null) { - throw new ServletException(); + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing course ID"); + return null; } - if (query != null) { - Organisation group = (Organisation) userManagementService.findById(Organisation.class, courseID); + User viewer = getUserManagementService().getUserByLogin(request.getRemoteUser()); + if (!getSecurityService().isGroupMonitor(courseID, viewer.getUserId(), "find user lessons", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); + return null; + } + if (query != null) { + Organisation group = (Organisation) getUserManagementService().findById(Organisation.class, courseID); Set users = getUserSet(query, group); - - User 
viewer = (User) userManagementService.getUserByLogin(request.getRemoteUser()); Map> userLessonsMap = new HashMap>(); for (User user : users) { - // get all lessons for 'user' in 'group' and add to lessons map - List lessons = (lessonService.getLessonsByGroupAndUser(user.getUserId(), group - .getOrganisationId())); - + List lessons = (getLessonService().getLessonsByGroupAndUser(user.getUserId(), + group.getOrganisationId())); + List lessonDTOs = new ArrayList(); for (Lesson lesson : lessons) { LessonDTO dto = new LessonDTO(lesson); // flag to display monitor link only if user is staff member of lesson dto.setDisplayMonitor(lesson.getLessonClass().isStaffMember(viewer)); lessonDTOs.add(dto); } - + userLessonsMap.put(user, lessonDTOs); } 
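Review bot: In `getResults`, `viewer` is dereferenced in the new `isGroupMonitor(courseID, viewer.getUserId(), "find user lessons", false)` call without a null check, so if `getUserByLogin(request.getRemoteUser())` can return null the request ends in a NullPointerException instead of a clean denial. A guard before the check keeps the failure explicit: `if (viewer == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return null; }`. The check authorises against `courseID` only while `classID` is still read from the request; how `classID` is used lies outside this hunk, so confirm it cannot select data outside the authorised course. The method body continues past the end of the hunk.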
@@ -107,61 +97,72 @@ return mapping.findForward("success-getResults"); } + @SuppressWarnings("unchecked") private Set getUserSet(String query, Organisation rootOrg) { - Set userSet = new HashSet(); - String[] tokens = query.trim().split("\\s+"); // Separated by "whitespace" - for (String token : tokens) { - userSet.addAll(userManagementService.searchUserSingleTerm(token, rootOrg.getOrganisationId(), true)); + userSet.addAll(getUserManagementService().searchUserSingleTerm(token, rootOrg.getOrganisationId(), true)); } return userSet; } public ActionForward autocomplete(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws Exception { + Integer courseID = WebUtil.readIntParam(request, "courseID", true); + if (!getSecurityService().isGroupMonitor(courseID, getUserId(), "autocomplete for find user lessons", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); + return null; + } String query = WebUtil.readStrParam(request, "term", true); - Integer courseID = WebUtil.readIntParam(request, "courseID", true); + Organisation rootOrg = (Organisation) getUserManagementService().findById(Organisation.class, courseID); - Organisation rootOrg = (Organisation) userManagementService.findById(Organisation.class, courseID); - Set userSet = getUserSet(query, rootOrg); - - JSONArray jsonArray=new JSONArray(); + JSONArray jsonArray = new JSONArray(); for (User user : userSet) { JSONObject jsonObject = new JSONObject(); jsonObject.put("value", user.getFirstName() + " " + user.getLastName()); jsonArray.put(jsonObject); } - + response.setContentType("application/json;charset=utf-8"); response.getWriter().print(jsonArray); - return null; } + + private Integer getUserId() { + HttpSession ss = SessionManager.getSession(); + UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER); + return user != null ? 
user.getUserID() : null; + } - private void setupService() { - if (userManagementService == null) { - WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() + private IUserManagementService getUserManagementService() { + if (FindUserLessonsAction.userManagementService == null) { + WebApplicationContext wac = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - userManagementService = (IUserManagementService) ctx.getBean("userManagementService"); + FindUserLessonsAction.userManagementService = (IUserManagementService) wac + .getBean(CentralConstants.USER_MANAGEMENT_SERVICE_BEAN_NAME); } + return FindUserLessonsAction.userManagementService; + } - if (lessonService == null) { + private ILessonService getLessonService() { + if (FindUserLessonsAction.lessonService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - lessonService = (ILessonService) ctx.getBean("lessonService"); + FindUserLessonsAction.lessonService = (ILessonService) ctx.getBean("lessonService"); } + return FindUserLessonsAction.lessonService; + } - if (learnerService == null) { + private ISecurityService getSecurityService() { + if (FindUserLessonsAction.securityService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - learnerService = (ILearnerService) ctx.getBean("learnerService"); + FindUserLessonsAction.securityService = (ISecurityService) ctx.getBean("securityService"); } - + return FindUserLessonsAction.securityService; } - -} +} \ No newline at end of file Index: lams_central/src/java/org/lamsfoundation/lams/web/HomeAction.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- 
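Review bot: `autocomplete` passes `courseID` and `getUserId()` to `isGroupMonitor` without checking either for null, although `courseID` is read with the same flag that `getResults` follows with a null check and a 400 response, and the new `getUserId()` helper explicitly returns null when the session holds no user. Whether `isGroupMonitor` rejects null arguments is not visible here, so I would reject them before the call, e.g. `if (courseID == null) { response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing course ID"); return null; }`. The same applies to `query`: `term` is read with that flag too, and `getUserSet` calls `query.trim()` unconditionally, whereas `getResults` guards with `if (query != null)`. The two handlers also identify the caller differently (login lookup in `getResults`, session `UserDTO` here); using one path for both keeps the subject of the authorisation check consistent.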
lams_central/src/java/org/lamsfoundation/lams/web/HomeAction.java (.../HomeAction.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac)
+++ lams_central/src/java/org/lamsfoundation/lams/web/HomeAction.java (.../HomeAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f)
@@ -136,105 +136,97 @@ */ public ActionForward learner(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { - try { - HomeAction.log.debug("request learner"); - Long lessonId = WebUtil.readLongParam(req, AttributeNames.PARAM_LESSON_ID); - String mode = WebUtil.readStrParam(req, AttributeNames.PARAM_MODE, true); - UserDTO user = getUser(); if (user == null) { HomeAction.log.error("learner: User missing from session. "); return mapping.findForward("error"); - } else { - Lesson lesson = lessonId != null ? getLessonService().getLesson(lessonId) : null; - if ((lesson == null) || !lesson.isLessonStarted()) { - return displayMessage(mapping, req, "message.lesson.not.started.cannot.participate"); - } - if (!getLessonService().checkLessonReleaseConditions(lessonId, user.getUserID())) { - return displayMessage(mapping, req, "message.preceding.lessons.not.finished.cannot.participate"); - } + } - if ((lesson.getLessonClass() == null) - || !lesson.getLessonClass().getLearners().contains(getRealUser(user))) { - HomeAction.log.error("learner: User " + user.getLogin() - + " is not a learner in the requested lesson. 
Cannot access the lesson."); - return displayMessage(mapping, req, "error.authorisation"); - } + if (!getSecurityService().isLessonLearner(lessonId, user.getUserID(), "access lesson", false)) { + res.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the lesson"); + return null; + } - // check if the lesson is scheduled to be finished to individual users - if (lesson.isScheduledToCloseForIndividuals()) { - GroupUser groupUser = getGroupUserDAO().getGroupUser(lesson, user.getUserID()); - if ((groupUser != null) && (groupUser.getScheduledLessonEndDate() != null) - && groupUser.getScheduledLessonEndDate().before(new Date())) { - HomeAction.log.error("learner: User " + user.getLogin() - + " cannot access the lesson due to lesson end date has passed."); - return displayMessage(mapping, req, "error.finish.date.passed"); + String mode = WebUtil.readStrParam(req, AttributeNames.PARAM_MODE, true); + Lesson lesson = lessonId != null ? getLessonService().getLesson(lessonId) : null; + if (!lesson.isLessonStarted()) { + return displayMessage(mapping, req, "message.lesson.not.started.cannot.participate"); + } + if (!getLessonService().checkLessonReleaseConditions(lessonId, user.getUserID())) { + return displayMessage(mapping, req, "message.preceding.lessons.not.finished.cannot.participate"); + } - } + // check if the lesson is scheduled to be finished to individual users + if (lesson.isScheduledToCloseForIndividuals()) { + GroupUser groupUser = getGroupUserDAO().getGroupUser(lesson, user.getUserID()); + if ((groupUser != null) && (groupUser.getScheduledLessonEndDate() != null) + && groupUser.getScheduledLessonEndDate().before(new Date())) { + HomeAction.log.error("learner: User " + user.getLogin() + + " cannot access the lesson due to lesson end date has passed."); + return displayMessage(mapping, req, "error.finish.date.passed"); } + } - // check lesson's state if its suitable for learner's access - if (!lesson.isLessonAccessibleForLearner()) { - return 
displayMessage(mapping, req, "error.lesson.not.accessible.for.learners"); - } + // check lesson's state if its suitable for learner's access + if (!lesson.isLessonAccessibleForLearner()) { + return displayMessage(mapping, req, "error.lesson.not.accessible.for.learners"); + } - // show lesson intro page if required and it's not been shown already - boolean isLessonIntroWatched = WebUtil.readBooleanParam(req, "isLessonIntroWatched", false); - if (lesson.isEnableLessonIntro() && !isLessonIntroWatched) { - req.setAttribute("learnerURL", "learnerURL"); - req.setAttribute("lesson", lesson); - req.setAttribute("displayDesignImage", lesson.isDisplayDesignImage()); - req.setAttribute("isMonitor", lesson.getLessonClass().isStaffMember(getRealUser(user))); + // show lesson intro page if required and it's not been shown already + boolean isLessonIntroWatched = WebUtil.readBooleanParam(req, "isLessonIntroWatched", false); + if (lesson.isEnableLessonIntro() && !isLessonIntroWatched) { + req.setAttribute("learnerURL", "learnerURL"); + req.setAttribute("lesson", lesson); + req.setAttribute("displayDesignImage", lesson.isDisplayDesignImage()); + req.setAttribute("isMonitor", lesson.getLessonClass().isStaffMember(getRealUser(user))); - // check if we need to create learning design SVG - if (lesson.isDisplayDesignImage()) { - Long learningDesignId = lesson.getLearningDesign().getLearningDesignId(); - req.setAttribute(AttributeNames.PARAM_LEARNINGDESIGN_ID, learningDesignId); + // check if we need to create learning design SVG + if (lesson.isDisplayDesignImage()) { + Long learningDesignId = lesson.getLearningDesign().getLearningDesignId(); + req.setAttribute(AttributeNames.PARAM_LEARNINGDESIGN_ID, learningDesignId); - if (lesson.getLearnerProgresses().isEmpty()) { - // create svg, png files on the server - getLearningDesignService().createLearningDesignSVG(learningDesignId, - SVGGenerator.OUTPUT_FORMAT_SVG); - getLearningDesignService().createLearningDesignSVG(learningDesignId, - 
SVGGenerator.OUTPUT_FORMAT_PNG); - } + if (lesson.getLearnerProgresses().isEmpty()) { + // create svg, png files on the server + getLearningDesignService().createLearningDesignSVG(learningDesignId, + SVGGenerator.OUTPUT_FORMAT_SVG); + getLearningDesignService().createLearningDesignSVG(learningDesignId, + SVGGenerator.OUTPUT_FORMAT_PNG); } - return mapping.findForward("lessonIntro"); } + return mapping.findForward("lessonIntro"); + } - if (lesson.getLearnerRestart()) { - // start the lesson from the beginning each time - getLessonService().removeLearnerProgress(lessonId, user.getUserID()); - } + if (lesson.getLearnerRestart()) { + // start the lesson from the beginning each time + getLessonService().removeLearnerProgress(lessonId, user.getUserID()); + } - if (mode != null) { - req.setAttribute(AttributeNames.PARAM_MODE, mode); - } + if (mode != null) { + req.setAttribute(AttributeNames.PARAM_MODE, mode); + } - req.setAttribute(AttributeNames.PARAM_LESSON_ID, String.valueOf(lessonId)); - req.setAttribute(AttributeNames.PARAM_EXPORT_PORTFOLIO_ENABLED, String.valueOf(lesson - .getLearnerExportAvailable() != null ? lesson.getLearnerExportAvailable() : Boolean.TRUE)); - req.setAttribute(AttributeNames.PARAM_PRESENCE_ENABLED, - String.valueOf(lesson.getLearnerPresenceAvailable())); - req.setAttribute(AttributeNames.PARAM_PRESENCE_IM_ENABLED, - String.valueOf(lesson.getLearnerImAvailable())); - req.setAttribute(AttributeNames.PARAM_TITLE, URLEncoder.encode(lesson.getLessonName(), "UTF8")); + req.setAttribute(AttributeNames.PARAM_LESSON_ID, String.valueOf(lessonId)); + req.setAttribute(AttributeNames.PARAM_EXPORT_PORTFOLIO_ENABLED, String.valueOf(lesson + .getLearnerExportAvailable() != null ? 
lesson.getLearnerExportAvailable() : Boolean.TRUE)); + req.setAttribute(AttributeNames.PARAM_PRESENCE_ENABLED, + String.valueOf(lesson.getLearnerPresenceAvailable())); + req.setAttribute(AttributeNames.PARAM_PRESENCE_IM_ENABLED, String.valueOf(lesson.getLearnerImAvailable())); + req.setAttribute(AttributeNames.PARAM_TITLE, URLEncoder.encode(lesson.getLessonName(), "UTF8")); - /* Date Format for Chat room append */ - DateFormat sfm = new SimpleDateFormat("yyyyMMdd_HHmmss"); - req.setAttribute(AttributeNames.PARAM_CREATE_DATE_TIME, sfm.format(lesson.getCreateDateTime())); + /* Date Format for Chat room append */ + DateFormat sfm = new SimpleDateFormat("yyyyMMdd_HHmmss"); + req.setAttribute(AttributeNames.PARAM_CREATE_DATE_TIME, sfm.format(lesson.getCreateDateTime())); - // forward to /lams/learning/main.jsp - String serverURLContextPath = Configuration.get(ConfigurationKeys.SERVER_URL_CONTEXT_PATH); - serverURLContextPath = serverURLContextPath.startsWith("/") ? serverURLContextPath : "/" - + serverURLContextPath; - serverURLContextPath += serverURLContextPath.endsWith("/") ? "" : "/"; - getServlet().getServletContext().getContext(serverURLContextPath + "learning") - .getRequestDispatcher("/main.jsp").forward(req, res); - return null; - } + // forward to /lams/learning/main.jsp + String serverURLContextPath = Configuration.get(ConfigurationKeys.SERVER_URL_CONTEXT_PATH); + serverURLContextPath = serverURLContextPath.startsWith("/") ? serverURLContextPath : "/" + + serverURLContextPath; + serverURLContextPath += serverURLContextPath.endsWith("/") ? "" : "/"; + getServlet().getServletContext().getContext(serverURLContextPath + "learning") + .getRequestDispatcher("/main.jsp").forward(req, res); + return null; } catch (Exception e) { HomeAction.log.error("Failed to load learner", e); 
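Review bot: `lesson` can still be null when `lesson.isLessonStarted()` is called, because the new code keeps the `lessonId != null ? ... : null` ternary but drops the `lesson == null` half of the old guard. Unless `isLessonLearner` is guaranteed to return false for a null or unknown lesson ID (its implementation is not in this hunk), such a request ends in a NullPointerException that the enclosing `catch (Exception e)` turns into a generic error forward. Restoring the guard keeps the user-facing message: `if ((lesson == null) || !lesson.isLessonStarted()) {`. The method starts before this hunk and its catch block continues after it.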
@@ -247,54 +239,51 @@ */ public ActionForward author(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { - try { - HomeAction.log.debug("request author"); UserDTO user = getUser(); if (user == null) { HomeAction.log.error("admin: User missing from session. "); return mapping.findForward("error"); - } else { - Long learningDesignID = null; - String layout = null; - String serverUrl = Configuration.get(ConfigurationKeys.SERVER_URL); - req.setAttribute("serverUrl", serverUrl); + } + + Long learningDesignID = null; + String layout = null; + String serverUrl = Configuration.get(ConfigurationKeys.SERVER_URL); + req.setAttribute("serverUrl", serverUrl); - String requestSrc = req.getParameter("requestSrc"); - String notifyCloseURL = req.getParameter(AttributeNames.PARAM_NOTIFY_CLOSE_URL); - String isPostMessageToParent = req.getParameter("isPostMessageToParent"); - String customCSV = req.getParameter(AttributeNames.PARAM_CUSTOM_CSV); - String extLmsId = req.getParameter(AttributeNames.PARAM_EXT_LMS_ID); + String requestSrc = req.getParameter("requestSrc"); + String notifyCloseURL = req.getParameter(AttributeNames.PARAM_NOTIFY_CLOSE_URL); + String isPostMessageToParent = req.getParameter("isPostMessageToParent"); + String customCSV = req.getParameter(AttributeNames.PARAM_CUSTOM_CSV); + String extLmsId = req.getParameter(AttributeNames.PARAM_EXT_LMS_ID); - if (req.getParameter("learningDesignID") != null) { - learningDesignID = WebUtil.readLongParam(req, "learningDesignID"); - } + if (req.getParameter("learningDesignID") != null) { + learningDesignID = WebUtil.readLongParam(req, "learningDesignID"); + } - if (req.getParameter("layout") != null) { - layout = WebUtil.readStrParam(req, "layout"); - } + if (req.getParameter("layout") != null) { + layout = WebUtil.readStrParam(req, "layout"); + } - if (layout != null) { - req.setAttribute("layout", layout); - } + if (layout != null) { + 
req.setAttribute("layout", layout); + } - if (req.getParameter("learningDesignID") != null) { - learningDesignID = WebUtil.readLongParam(req, "learningDesignID"); - } + if (req.getParameter("learningDesignID") != null) { + learningDesignID = WebUtil.readLongParam(req, "learningDesignID"); + } - if (learningDesignID != null) { - req.setAttribute("learningDesignID", learningDesignID); - } - - req.setAttribute("requestSrc", requestSrc); - req.setAttribute(AttributeNames.PARAM_NOTIFY_CLOSE_URL, notifyCloseURL); - req.setAttribute("isPostMessageToParent", isPostMessageToParent); - req.setAttribute(AttributeNames.PARAM_CUSTOM_CSV, customCSV); - req.setAttribute(AttributeNames.PARAM_EXT_LMS_ID, extLmsId); - - return mapping.findForward("author"); + if (learningDesignID != null) { + req.setAttribute("learningDesignID", learningDesignID); } + req.setAttribute("requestSrc", requestSrc); + req.setAttribute(AttributeNames.PARAM_NOTIFY_CLOSE_URL, notifyCloseURL); + req.setAttribute("isPostMessageToParent", isPostMessageToParent); + req.setAttribute(AttributeNames.PARAM_CUSTOM_CSV, customCSV); + req.setAttribute(AttributeNames.PARAM_EXT_LMS_ID, extLmsId); + + return mapping.findForward("author"); } catch (Exception e) { HomeAction.log.error("Failed to load author", e); return mapping.findForward("error"); 
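Review bot: The missing-session log line in `author()` still reads `admin: User missing from session.`, which points whoever triages the log at the wrong action; `HomeAction.log.error("author: User missing from session. ");` would match the `learner:` prefix used in the method above. The `if (req.getParameter("learningDesignID") != null)` block is also carried over twice, and the second copy can be dropped. Unlike `learner()`, this method still gates only on a session user being present and copies `notifyCloseURL`, `requestSrc` and `customCSV` from the request straight into attributes, so role checks and output encoding have to happen in the author view or the authoring module; neither is visible here.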
@@ -306,27 +295,24 @@ */ public ActionForward monitorLesson(ActionMapping mapping, ActionForm form, HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { - if (HomeAction.log.isDebugEnabled()) { - HomeAction.log.debug("Requested Lesson Monitor"); - } - Long lessonId = WebUtil.readLongParam(req, AttributeNames.PARAM_LESSON_ID); UserDTO user = getUser(); if (user == null) { HomeAction.log.error("User missing from session. Can not open Lesson Monitor."); return mapping.findForward("error"); - } else { - Lesson lesson = lessonId == null ? null : getLessonService().getLesson(lessonId); - if (lesson == null) { - HomeAction.log.error("Lesson " + lessonId + " does not exist. Can not open Lesson Monitor."); - return mapping.findForward("error"); - } - - String url = Configuration.get(ConfigurationKeys.SERVER_URL) - + "monitoring/monitoring.do?method=monitorLesson&lessonID=" + lessonId; - res.sendRedirect(url); - return null; } + + Lesson lesson = lessonId == null ? null : getLessonService().getLesson(lessonId); + if (lesson == null) { + HomeAction.log.error("Lesson " + lessonId + " does not exist. Can not open Lesson Monitor."); + return mapping.findForward("error"); + } + + // security check will be done there + String url = Configuration.get(ConfigurationKeys.SERVER_URL) + + "monitoring/monitoring.do?method=monitorLesson&lessonID=" + lessonId; + res.sendRedirect(url); + return null; } @SuppressWarnings("unchecked") 
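Review bot: The comment `// security check will be done there` does not say where "there" is, and before the redirect this method already answers differently for existing and non-existing lesson IDs to any logged-in user. Name the enforcing endpoint in the comment, e.g. `// authorisation is enforced by monitoring.do?method=monitorLesson`, or, for parity with `learner()`, call `getSecurityService().isLessonMonitor(lessonId, user.getUserID(), "monitor lesson", false)` before the lesson lookup and send `SC_FORBIDDEN` on failure. Whether the monitoring action actually performs that check cannot be confirmed from this hunk.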
@@ -337,7 +323,7 @@ Integer organisationID = new Integer(WebUtil.readIntParam(req, "organisationID")); if (!getSecurityService().isGroupMonitor(organisationID, userDTO.getUserID(), "add lesson", false)) { - res.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); + res.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); return null; } Index: lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java =================================================================== diff -u -r943d43d5e2afea12f2fdcb9e6ef24bc1a524b4a9 -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java (.../LessonConditionsAction.java) (revision 943d43d5e2afea12f2fdcb9e6ef24bc1a524b4a9) +++ lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsAction.java (.../LessonConditionsAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -23,6 +23,7 @@ /* $Id$ */ package org.lamsfoundation.lams.web; +import java.io.IOException; import java.util.ArrayList; import java.util.Calendar; import java.util.Date; @@ -54,7 +55,7 @@ import org.lamsfoundation.lams.lesson.service.ILessonService; import org.lamsfoundation.lams.lesson.util.LessonComparator; import org.lamsfoundation.lams.monitoring.service.IMonitoringService; -import org.lamsfoundation.lams.tool.exception.DataMissingException; +import org.lamsfoundation.lams.security.ISecurityService; import org.lamsfoundation.lams.usermanagement.User; import org.lamsfoundation.lams.usermanagement.dto.UserDTO; import org.lamsfoundation.lams.util.CentralConstants; 
@@ -87,22 +88,25 @@ private static ILessonService lessonService; private static IMonitoringService monitoringService; private static IGroupUserDAO groupUserDAO; + private static ISecurityService securityService; /** * Prepares data for thickbox displayed on Index page. * + * @throws IOException + * * @throws InvalidParameterException */ @SuppressWarnings("unchecked") public ActionForward getIndexLessonConditions(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { - + HttpServletResponse response) throws IOException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); - Lesson lesson = getLessonService().getLesson(lessonId); - if (lesson == null) { - throw new IllegalArgumentException("Lesson with ID: " + lessonId + " does not exist."); + if (!getSecurityService().isLessonMonitor(lessonId, getUser().getUserID(), "show lesson conditions", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); + return null; } + Lesson lesson = getLessonService().getLesson(lessonId); List precedingLessons = new ArrayList(lesson.getPrecedingLessons().size()); for (Lesson precedingLesson : lesson.getPrecedingLessons()) { IndexLessonBean precedingLessonBean = new IndexLessonBean(precedingLesson.getLessonId(), 
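Review bot: `getUser().getUserID()` dereferences the session user without a null check, so a request whose session carries no user attribute now fails with a NullPointerException before `isLessonMonitor` runs, instead of the explicit `DataMissingException` that the removed `canEdit()` threw. The same call appears in `removeLessonDependency`, `addLessonDependency` and `setDaysToLessonFinish` in the following hunks, and `getUser()` itself (added further down) returns the raw session attribute. A guard such as `UserDTO user = getUser(); if (user == null) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return null; }` keeps the failure an authentication error. The `lesson == null` check was also removed here, so `lesson.getPrecedingLessons()` depends on `isLessonMonitor` rejecting unknown lesson IDs, which this hunk does not show.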
@@ -146,23 +150,30 @@ request.setAttribute(LessonConditionsAction.PARAM_INDIVIDUAL_FINISH, false); } - request.setAttribute(CentralConstants.PARAM_EDIT, canEdit(request, lesson)); + request.setAttribute(CentralConstants.PARAM_EDIT, lesson.getUser().getUserId().equals(getUser().getUserID())); return mapping.findForward(LessonConditionsAction.FORWARD_INDEX_LESSON_CONDITION); } /** * Removes given lesson from dependecies and displays updated list in thickbox. * + * @throws IOException + * * @throws InvalidParameterException */ public ActionForward removeLessonDependency(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws IOException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); + if (!getSecurityService().isLessonOwner(lessonId, getUser().getUserID(), "remove lesson dependency", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson"); + return null; + } + Long removedPrecedingLessonId = WebUtil.readLongParam(request, LessonConditionsAction.PARAM_PRECEDING_LESSON_ID, false); - Lesson lesson = getLessonAndCheckPermissions(request, lessonId); + Lesson lesson = getLessonService().getLesson(lessonId); Iterator precedingLessonIter = lesson.getPrecedingLessons().iterator(); while (precedingLessonIter.hasNext()) { if (precedingLessonIter.next().getLessonId().equals(removedPrecedingLessonId)) { 
@@ -178,15 +189,21 @@ /** * Adds given lesson to dependecies and displays updated list in thickbox. * + * @throws IOException + * * @throws InvalidParameterException */ public ActionForward addLessonDependency(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws IOException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); + if (!getSecurityService().isLessonOwner(lessonId, getUser().getUserID(), "add lesson dependency", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson"); + return null; + } + Long addedPrecedingLessonId = WebUtil.readLongParam(request, LessonConditionsAction.PARAM_PRECEDING_LESSON_ID, false); - - Lesson lesson = getLessonAndCheckPermissions(request, lessonId); + Lesson lesson = getLessonService().getLesson(lessonId); Lesson addedPrecedingLesson = getLessonService().getLesson(addedPrecedingLessonId); if (addedPrecedingLesson == null) { throw new IllegalArgumentException("Preceding lesson with ID: " + lessonId + " does not exist."); 
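Review bot: Only `lessonId` is authorised here; `addedPrecedingLessonId` is loaded with `getLessonService().getLesson(...)` and attached as a dependency without any check that the caller has a role in that second lesson. Since `getIndexLessonConditions` builds an `IndexLessonBean` for every preceding lesson, this may expose details of lessons the user cannot otherwise see. Consider gating the preceding lesson as well, for example with `getSecurityService().isLessonMonitor(addedPrecedingLessonId, getUser().getUserID(), "add lesson dependency", false)`, or restricting it to the same organisation. Separately, the existing message `"Preceding lesson with ID: " + lessonId` reports the wrong ID and should use `addedPrecedingLessonId`.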
@@ -200,17 +217,25 @@ /** * Sets lesson finish date, either for individuals or lesson as a whole. If days<=0, schedule is removed. + * + * @throws IOException */ + @SuppressWarnings("unchecked") public ActionForward setDaysToLessonFinish(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) { + HttpServletResponse response) throws IOException { Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false); + if (!getSecurityService().isLessonOwner(lessonId, getUser().getUserID(), "set days to lesson finish", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson"); + return null; + } + int daysToLessonFinish = WebUtil.readIntParam(request, LessonConditionsAction.PARAM_LESSON_DAYS_TO_FINISH, false); boolean individualFinish = WebUtil.readBooleanParam(request, LessonConditionsAction.PARAM_INDIVIDUAL_FINISH, false); ActionMessages errors = new ActionMessages(); - Lesson lesson = getLessonAndCheckPermissions(request, lessonId); + Lesson lesson = getLessonService().getLesson(lessonId); HttpSession session = SessionManager.getSession(); UserDTO currentUser = (UserDTO) session.getAttribute(AttributeNames.USER); try { 
@@ -278,29 +303,11 @@ return getIndexLessonConditions(mapping, form, request, response); } - private Lesson getLessonAndCheckPermissions(HttpServletRequest request, Long lessonId) { - Lesson lesson = getLessonService().getLesson(lessonId); - if (lesson == null) { - throw new IllegalArgumentException("Lesson with ID: " + lessonId + " does not exist."); - } - if (!canEdit(request, lesson)) { - throw new SecurityException("Current user can not edit lesson conditions"); - } - return lesson; + private UserDTO getUser() { + HttpSession ss = SessionManager.getSession(); + return (UserDTO) ss.getAttribute(AttributeNames.USER); } - /** - * Checks if user is allowed to edit lesson conditions. - */ - private boolean canEdit(HttpServletRequest request, Lesson lesson) { - HttpSession session = SessionManager.getSession(); - UserDTO currentUser = (UserDTO) session.getAttribute(AttributeNames.USER); - if (currentUser == null) { - throw new DataMissingException("User DTO missing from session."); - } - return currentUser.getUserID().equals(lesson.getUser().getUserId()); - } - private ILessonService getLessonService() { if (LessonConditionsAction.lessonService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() 
@@ -319,6 +326,16 @@ return LessonConditionsAction.monitoringService; } + private ISecurityService getSecurityService() { + if (LessonConditionsAction.securityService == null) { + WebApplicationContext webContext = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() + .getServletContext()); + LessonConditionsAction.securityService = (ISecurityService) webContext.getBean("securityService"); + } + + return LessonConditionsAction.securityService; + } + private IGroupUserDAO getGroupUserDAO() { if (LessonConditionsAction.groupUserDAO == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() Index: lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupAction.java =================================================================== diff -u -r438b7544a11300402105903895b51b626a79de3f -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupAction.java (.../OrganisationGroupAction.java) (revision 438b7544a11300402105903895b51b626a79de3f) +++ lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupAction.java (.../OrganisationGroupAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -23,6 +23,7 @@ /* $Id$ */ package org.lamsfoundation.lams.web; +import java.io.IOException; import java.util.Collection; import java.util.Collections; import java.util.Comparator; 
@@ -54,12 +55,12 @@ import org.lamsfoundation.lams.lesson.Lesson; import org.lamsfoundation.lams.lesson.service.ILessonService; import org.lamsfoundation.lams.monitoring.web.GroupingAJAXAction; +import org.lamsfoundation.lams.security.ISecurityService; import org.lamsfoundation.lams.usermanagement.OrganisationGroup; import org.lamsfoundation.lams.usermanagement.OrganisationGrouping; import org.lamsfoundation.lams.usermanagement.Role; import org.lamsfoundation.lams.usermanagement.User; import org.lamsfoundation.lams.usermanagement.dto.UserDTO; -import org.lamsfoundation.lams.usermanagement.exception.UserAccessDeniedException; import org.lamsfoundation.lams.usermanagement.service.IUserManagementService; import org.lamsfoundation.lams.util.AlphanumComparator; import org.lamsfoundation.lams.util.WebUtil; @@ -139,16 +140,19 @@ private static IUserManagementService userManagementService; private static ILessonService lessonService; + private static ISecurityService securityService; private static final String MAPPING_VIEW_GROUPINGS = "viewGroupings"; private static final String MAPPING_VIEW_GROUPS = "viewGroups"; /** * Shows course grouping list or redirects to groups if a grouping was already chosen. + * + * @throws IOException */ @SuppressWarnings("unchecked") public ActionForward viewGroupings(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) throws JSONException { + HttpServletResponse response) throws JSONException, IOException { Long activityID = WebUtil.readLongParam(request, AttributeNames.PARAM_ACTIVITY_ID, true); boolean lessonGroupsExist = getLessonGrouping(request, activityID, false) != null; if (lessonGroupsExist) { 
@@ -164,14 +168,17 @@ organisationId = ((Lesson) getUserManagementService().findById(Lesson.class, lessonId)).getOrganisation() .getOrganisationId(); } + // check if user is allowed to view and edit groups + if (!getSecurityService().hasOrgRole(organisationId, userId, + new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, + "view organisation groupings", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation"); + return null; + } + boolean isGroupSuperuser = getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_ADMIN) || getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_MANAGER); - if (!isGroupSuperuser && !getUserManagementService().isUserInRole(userId, organisationId, Role.AUTHOR) - && !getUserManagementService().isUserInRole(userId, organisationId, Role.MONITOR)) { - throw new UserAccessDeniedException("User " + userId + " may not view groupings for course " - + organisationId); - } if (OrganisationGroupAction.log.isDebugEnabled()) { OrganisationGroupAction.log.debug("Displaying course groupings for user " + userId + " and organisation " @@ -193,10 +200,12 @@ /** * View groups of the given grouping. + * + * @throws IOException */ @SuppressWarnings("unchecked") public ActionForward viewGroups(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) throws JSONException { + HttpServletResponse response) throws JSONException, IOException { Integer userId = getUserDTO().getUserID(); Integer organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID, true); Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID, true); 
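Review bot: The access gate and the `isGroupSuperuser` flag below it are now computed by two different services and can disagree. `hasOrgRole` is documented in `ISecurityService` as checking parent organisations for `GROUP_ADMIN`/`GROUP_MANAGER` on class-type organisations, while `isGroupSuperuser` still calls `getUserManagementService().isUserInRole(userId, organisationId, ...)` on the organisation itself; if `isUserInRole` does not look at the parent (not visible here), a course-level manager passes the gate but is rendered as a non-superuser, although `save` and `removeGrouping` would accept them. Deriving the flag from `hasOrgRole` with the two super roles would keep the view and the server-side checks aligned. The denial text `User is not a participant in the organisation` is also misleading, because learners are participants and are rejected; both points apply to the `viewGroups` hunk further down as well.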
@@ -208,12 +217,15 @@ } // check if user is allowed to view and edit groups + if (!getSecurityService().hasOrgRole(organisationId, userId, + new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, + "view organisation groups", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation"); + return null; + } + boolean isGroupSuperuser = getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_ADMIN) || getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_MANAGER); - if (!isGroupSuperuser && !getUserManagementService().isUserInRole(userId, organisationId, Role.AUTHOR) - && !getUserManagementService().isUserInRole(userId, organisationId, Role.MONITOR)) { - throw new UserAccessDeniedException("User " + userId + " may not view groups for course " + organisationId); - } if (OrganisationGroupAction.log.isDebugEnabled()) { OrganisationGroupAction.log.debug("Displaying course groups for user " + userId + " and organisation " 
@@ -291,17 +303,19 @@ * Saves a course grouping. * * @throws InvalidParameterException + * @throws IOException */ @SuppressWarnings("unchecked") public ActionForward save(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) throws JSONException, InvalidParameterException { + HttpServletResponse response) throws JSONException, InvalidParameterException, IOException { // check if user is allowed to edit groups Integer userId = getUserDTO().getUserID(); int organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID); - boolean isGroupSuperuser = getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_ADMIN) - || getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_MANAGER); - if (!isGroupSuperuser) { - throw new UserAccessDeniedException("User " + userId + " may not edit groups for course " + organisationId); + // check if user is allowed to save grouping + if (!getSecurityService().hasOrgRole(organisationId, userId, + new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER }, "save organisation grouping", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation"); + return null; } if (OrganisationGroupAction.log.isDebugEnabled()) { @@ -372,7 +386,6 @@ } else { throw new InvalidParameterException("Grouping with name \"" + orgGroupingName + "\" already exists"); } - } getUserManagementService().saveOrganisationGrouping(orgGrouping, orgGroups); 
@@ -381,25 +394,25 @@ /** * Deletes course grouping with the given ID. + * + * @throws IOException */ public ActionForward removeGrouping(ActionMapping mapping, ActionForm form, HttpServletRequest request, - HttpServletResponse response) throws JSONException { + HttpServletResponse response) throws JSONException, IOException { // check if user is allowed to edit groups Integer userId = getUserDTO().getUserID(); int organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID); - boolean isGroupSuperuser = getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_ADMIN) - || getUserManagementService().isUserInRole(userId, organisationId, Role.GROUP_MANAGER); - if (!isGroupSuperuser) { - throw new UserAccessDeniedException("User " + userId + " may not remove groupings for course " - + organisationId); + if (!getSecurityService().hasOrgRole(organisationId, userId, + new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER }, "remove organisation grouping", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation"); + return null; } Long groupingId = WebUtil.readLongParam(request, "groupingId"); if (OrganisationGroupAction.log.isDebugEnabled()) { OrganisationGroupAction.log.debug("Removing grouping " + groupingId + " for user " + userId + " and organisation " + organisationId); } - getUserManagementService().deleteById(OrganisationGrouping.class, groupingId); return viewGroupings(mapping, form, request, response); 
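Review bot: The role check covers the request-supplied `organisationId`, but `deleteById(OrganisationGrouping.class, groupingId)` removes whatever grouping the independent `groupingId` parameter names, and nothing ties the two values together. The authorisation therefore does not cover the object that is actually deleted. Load the grouping first, e.g. `OrganisationGrouping grouping = (OrganisationGrouping) getUserManagementService().findById(OrganisationGrouping.class, groupingId);`, and respond with `SC_FORBIDDEN` unless it exists and its organisation matches `organisationId`. `save` in the previous hunk authorises the same way, so any grouping ID it reads outside that hunk deserves the same check.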
@@ -535,4 +548,13 @@ } return OrganisationGroupAction.lessonService; } + + private ISecurityService getSecurityService() { + if (OrganisationGroupAction.securityService == null) { + WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() + .getServletContext()); + OrganisationGroupAction.securityService = (ISecurityService) ctx.getBean("securityService"); + } + return OrganisationGroupAction.securityService; + } } \ No newline at end of file Index: lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac) +++ lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -26,13 +26,9 @@ public interface ISecurityService { /** - * Checks if the is a manager of the class or ogranisation. + * Checks if the is a manager or monitor in the organisation. This is just a convenience method for hasOrgRole() + * with MONITOR and GROUP_MANAGER. */ - boolean isGroupManager(Integer orgId, Integer userId, String action, boolean escalate) throws SecurityException; - - /** - * Checks if the is a manager or monitor in the organisation. - */ boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean escalate) throws SecurityException; /** 
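Review bot: The rewritten Javadoc on `isGroupMonitor` still reads `Checks if the is a manager or monitor`, with the word `user` missing, and none of the interface methods document `action` or `escalate`, although every caller in this commit passes `escalate` as `false` and branches on the returned boolean. Add `@param escalate` text stating what happens on denial when it is true (the `throws SecurityException` clause suggests an exception, but that is an inference) and `@param action` text stating how the label is used; the same goes for `isLessonOwner` added in the next hunk. Removing `isGroupManager` from the interface also breaks any caller or implementer outside this diff, so it is worth confirming none remain.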
@@ -46,6 +42,11 @@ boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException; /** + * Checks if the user is the owner of the given lesson. + */ + boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException; + + /** * Checks if the user is either a learner or a staff member in the given lesson. */ boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean escalate) @@ -57,7 +58,8 @@ boolean isSysadmin(Integer userId, String action, boolean escalate); /** - * Checks if the user has any of the given roles in the given organisation. + * Checks if the user has any of the given roles in the given organisation. If GROUP_MANAGER and/or GROUP_ADMIN are + * given for class type organisation, their parent organisations are checked. */ boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean escalate) throws SecurityException; Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac) +++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) 
@@ -23,10 +23,15 @@ package org.lamsfoundation.lams.security; +import java.util.ArrayList; import java.util.Arrays; +import java.util.Collections; +import java.util.List; import org.apache.log4j.Logger; import org.lamsfoundation.lams.lesson.Lesson; +import org.lamsfoundation.lams.usermanagement.Organisation; +import org.lamsfoundation.lams.usermanagement.OrganisationType; import org.lamsfoundation.lams.usermanagement.Role; import org.lamsfoundation.lams.util.audit.IAuditService; @@ -39,6 +44,10 @@ private static Logger log = Logger.getLogger(SecurityService.class); private static final String SECURITY_MODULE_NAME = "security"; + private static final String[] GROUP_MONITOR_ROLES = new String[] { Role.GROUP_MANAGER, Role.MONITOR }; + private static final List GROUP_SUPER_ROLES = Collections.unmodifiableList(Arrays.asList(Role.GROUP_ADMIN, + Role.GROUP_MANAGER)); + private static final String[] EMPTY_STRING_ARRAY = new String[0]; private ISecurityDAO securityDAO; private IAuditService auditService; 
@@ -157,22 +166,20 @@ } @Override - public boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean escalate) + public boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException { if (lessonId == null) { - String error = "Missing lesson ID when checking if user " + userId + " is participant and can \"" + action - + "\""; + String error = "Missing lesson ID when checking if user " + userId + " is owner and can \"" + action + "\""; SecurityService.log.error(error); - auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { throw new SecurityException(error); } else { return false; } } if (userId == null) { - String error = "Missing user ID when checking if is participant in lesson " + lessonId + " and can \"" - + action + "\""; + String error = "Missing user ID when checking if is owner of lesson " + lessonId + " and can \"" + action + + "\""; SecurityService.log.error(error); if (escalate) { throw new SecurityException(error); @@ -184,7 +191,7 @@ Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); if (lesson == null) { String error = "Could not find lesson " + lessonId + " when checking if user " + userId - + " is participant and can \"" + action + "\""; + + " is owner and can \"" + action + "\""; SecurityService.log.error(error); auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { 
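Review bot: In `isLessonOwner` the missing-lesson-ID branch only writes to log4j, whereas the same branch in `isLessonParticipant` (hunk -217,53) also calls `auditService.log(SecurityService.SECURITY_MODULE_NAME, error)`. If rejected checks are meant to appear in the audit trail, add that call here too. If malformed requests are deliberately left out, a short comment saying so would keep the two methods from drifting further apart. The rest of `isLessonOwner` continues in the following hunks.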
@@ -194,16 +201,8 @@ } } - Integer orgId = lesson.getOrganisation().getOrganisationId(); - boolean hasSysadminRole = securityDAO.isSysadmin(userId); - boolean hasGroupManagerRole = hasSysadminRole || securityDAO.isGroupManager(orgId, userId); - boolean hasRole = hasGroupManagerRole || securityDAO.hasOrgRole(orgId, userId, Role.LEARNER, Role.MONITOR); - - if (!hasGroupManagerRole - && !(hasRole && (securityDAO.isLessonLearner(lessonId, userId) || securityDAO.isLessonMonitor(lessonId, - userId, true)))) { - String error = "User " + userId + " is not participant in lesson " + lessonId + " and can not \"" + action - + "\""; + if (!lesson.getUser().getUserId().equals(userId)) { + String error = "User " + userId + " is not owner of lesson " + lessonId + " and can not \"" + action + "\""; SecurityService.log.error(error); auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { 
@@ -217,53 +216,52 @@ } @Override - public boolean isSysadmin(Integer userId, String action, boolean escalate) { - if (userId == null) { - String error = "Missing user ID when checking if is sysadmin and can \"" + action + "\""; + public boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean escalate) + throws SecurityException { + if (lessonId == null) { + String error = "Missing lesson ID when checking if user " + userId + " is participant and can \"" + action + + "\""; SecurityService.log.error(error); - throw new SecurityException(error); - } - - if (!securityDAO.isSysadmin(userId)) { - String error = "User " + userId + " is not sysadmin and can not \"" + action + "\""; - SecurityService.log.error(error); auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { throw new SecurityException(error); } else { return false; } } - - return true; - } - - @Override - public boolean isGroupManager(Integer orgId, Integer userId, String action, boolean escalate) - throws SecurityException { - if (orgId == null) { - String error = "Missing organisation ID when checking if user is a manager of organisation " + orgId - + " and can \"" + action + "\""; + if (userId == null) { + String error = "Missing user ID when checking if is participant in lesson " + lessonId + " and can \"" + + action + "\""; SecurityService.log.error(error); if (escalate) { throw new SecurityException(error); } else { return false; } } - if (userId == null) { - String error = "Missing user ID when checking if user is a manager of organisation " + orgId - + " and can \"" + action + "\""; + + Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); + if (lesson == null) { + String error = "Could not find lesson " + lessonId + " when checking if user " + userId + + " is participant and can \"" + action + "\""; SecurityService.log.error(error); + auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { throw new 
SecurityException(error); } else { return false; } } - if (!securityDAO.isSysadmin(userId) && !securityDAO.isGroupManager(orgId, userId)) { - String error = "User " + userId + " is not a manager of organisation " + orgId + " and can not \"" + action + Integer orgId = lesson.getOrganisation().getOrganisationId(); + boolean hasSysadminRole = securityDAO.isSysadmin(userId); + boolean hasGroupManagerRole = hasSysadminRole || securityDAO.isGroupManager(orgId, userId); + boolean hasRole = hasGroupManagerRole || securityDAO.hasOrgRole(orgId, userId, Role.LEARNER, Role.MONITOR); + + if (!hasGroupManagerRole + && !(hasRole && (securityDAO.isLessonLearner(lessonId, userId) || securityDAO.isLessonMonitor(lessonId, + userId, true)))) { + String error = "User " + userId + " is not participant in lesson " + lessonId + " and can not \"" + action + "\""; SecurityService.log.error(error); auditService.log(SecurityService.SECURITY_MODULE_NAME, error); 
@@ -278,33 +276,15 @@ } @Override - public boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean escalate) - throws SecurityException { - if (orgId == null) { - String error = "Missing organisation ID when checking if user is a monitor in organisation " + orgId - + " and can \"" + action + "\""; - SecurityService.log.error(error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } - } + public boolean isSysadmin(Integer userId, String action, boolean escalate) { if (userId == null) { - String error = "Missing user ID when checking if user is a monitor in organisation " + orgId - + " and can \"" + action + "\""; + String error = "Missing user ID when checking if is sysadmin and can \"" + action + "\""; SecurityService.log.error(error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + throw new SecurityException(error); } - if (!securityDAO.isSysadmin(userId) && !securityDAO.isGroupManager(orgId, userId) - && !securityDAO.hasOrgRole(orgId, userId, Role.MONITOR)) { - String error = "User " + userId + " is not a monitor in organisation " + orgId + " and can not \"" + action - + "\""; + if (!securityDAO.isSysadmin(userId)) { + String error = "User " + userId + " is not sysadmin and can not \"" + action + "\""; SecurityService.log.error(error); auditService.log(SecurityService.SECURITY_MODULE_NAME, error); if (escalate) { @@ -318,6 +298,12 @@ } @Override + public boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean escalate) + throws SecurityException { + return hasOrgRole(orgId, userId, SecurityService.GROUP_MONITOR_ROLES, action, escalate); + } + + @Override public boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean escalate) throws SecurityException { if (orgId == null) { 
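Review bot: `isSysadmin` now throws `SecurityException` for a missing user ID even when the caller passed `escalate` as false, while every sibling check on this page returns false in that case. A caller that relies on the boolean result to send a 403 would get an unhandled exception instead. Keeping the branch consistent is a small change: `if (escalate) { throw new SecurityException(error); }` followed by `return false;`. If the unconditional throw is intended, say so in the interface Javadoc.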
@@ -341,19 +327,38 @@ } } - if (!securityDAO.isSysadmin(userId) && !securityDAO.hasOrgRole(orgId, userId, roles)) { - String error = "User " + userId + " does not have any of " + Arrays.toString(roles) - + " roles in organisation " + orgId + " and can not \"" + action + "\""; - SecurityService.log.error(error); - auditService.log(SecurityService.SECURITY_MODULE_NAME, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; + try { + if (securityDAO.isSysadmin(userId) || securityDAO.hasOrgRole(orgId, userId, roles)) { + return true; } + + // check for super roles in the parent organisations + List roleList = new ArrayList(Arrays.asList(roles)); + roleList.retainAll(SecurityService.GROUP_SUPER_ROLES); + if (!roleList.isEmpty()) { + Organisation organisation = (Organisation) securityDAO.find(Organisation.class, orgId); + if (OrganisationType.CLASS_TYPE.equals(organisation.getOrganisationType().getOrganisationTypeId())) { + organisation = organisation.getParentOrganisation(); + } + + if (securityDAO.hasOrgRole(organisation.getOrganisationId(), userId, + roleList.toArray(SecurityService.EMPTY_STRING_ARRAY))) { + return true; + } + } + } catch (Exception e) { + SecurityService.log.error("Error while checking user " + userId + " role in organisation " + orgId, e); } - return true; + String error = "User " + userId + " does not have any of " + Arrays.toString(roles) + " roles in organisation " + + orgId + " and can not \"" + action + "\""; + SecurityService.log.error(error); + auditService.log(SecurityService.SECURITY_MODULE_NAME, error); + if (escalate) { + throw new SecurityException(error); + } else { + return false; + } } public void setSecurityDAO(ISecurityDAO securityDAO) { Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookAction.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- 
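Review bot: The `catch (Exception e)` around the role lookup turns a missing organisation, or a class without a parent, into a NullPointerException that is logged generically and then audited as "does not have any of ... roles". The denial itself is the safe outcome, but the audit entry then describes a lookup failure as an access refusal; `securityDAO.find` can return null, as the lesson checks in this file already assume. Handling the null cases explicitly keeps the log accurate, and the parent lookup can be limited to class-type organisations, since for any other type it repeats the query that has just failed. `hasOrgRole` begins before this hunk, so the parameter checks above it are taken as unchanged.

```java
// … unchanged: sysadmin and direct role check, roleList filtered by GROUP_SUPER_ROLES …
if (!roleList.isEmpty()) {
    Organisation organisation = (Organisation) securityDAO.find(Organisation.class, orgId);
    if (organisation == null) {
        SecurityService.log.error("Could not find organisation " + orgId + " when checking roles of user "
                + userId);
    } else if (OrganisationType.CLASS_TYPE.equals(organisation.getOrganisationType().getOrganisationTypeId())) {
        // only a class has a parent whose managers and admins inherit access
        Organisation parent = organisation.getParentOrganisation();
        if ((parent != null) && securityDAO.hasOrgRole(parent.getOrganisationId(), userId,
                roleList.toArray(SecurityService.EMPTY_STRING_ARRAY))) {
            return true;
        }
    }
}
// … unchanged: catch block, denial message, audit log and escalate handling …
```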
lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookAction.java (.../GradebookAction.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac) +++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookAction.java (.../GradebookAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -318,10 +318,9 @@ Integer userID = WebUtil.readIntParam(request, GradebookConstants.PARAM_USERID); user = (User) getUserService().findById(User.class, userID); } else { - if (!getSecurityService().isGroupMonitor(courseID, viewer.getUserId(), "get course gradebook for learner", - false) - && !getSecurityService().hasOrgRole(courseID, viewer.getUserId(), new String[] { Role.LEARNER }, - "get course gradebook for learner", false)) { + if (!getSecurityService().hasOrgRole(courseID, viewer.getUserId(), + new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, + "get course gradebook for learner", false)) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation"); return null; } Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookLearningAction.java =================================================================== diff -u -r093df66baaeb89432c9e5a0351c8fb91cc4a13ac -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookLearningAction.java (.../GradebookLearningAction.java) (revision 093df66baaeb89432c9e5a0351c8fb91cc4a13ac) +++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/action/GradebookLearningAction.java (.../GradebookLearningAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) 
@@ -80,10 +80,9 @@ GradebookLearningAction.logger.error("User missing from session. "); return mapping.findForward("error"); } - if (!getSecurityService().isGroupMonitor(oranisationID, user.getUserID(), "get learner course gradebook", - false) - && !getSecurityService().hasOrgRole(oranisationID, user.getUserID(), new String[] { Role.LEARNER }, - "get course gradebook for learner", false)) { + if (!getSecurityService().hasOrgRole(oranisationID, user.getUserID(), + new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, + "get course gradebook for learner", false)) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation"); return null; } Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsAction.java =================================================================== diff -u -r78c30a573fad76cfbaca06810da1ec4f5bf7e6a8 -r4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f --- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsAction.java (.../EmailNotificationsAction.java) (revision 78c30a573fad76cfbaca06810da1ec4f5bf7e6a8) +++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsAction.java (.../EmailNotificationsAction.java) (revision 4ab4ba6ef63a831648ca63ca4d91edd4c0fba55f) @@ -18,9 +18,9 @@ * * http://www.gnu.org/licenses/gpl.txt * **************************************************************** - */ - -/* $Id$ */ + */ + +/* $Id$ */ package org.lamsfoundation.lams.monitoring.web; import java.io.IOException; 
@@ -40,31 +40,28 @@ import javax.servlet.http.HttpSession; import org.apache.commons.lang.StringEscapeUtils; - import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; import org.apache.tomcat.util.json.JSONArray; import org.apache.tomcat.util.json.JSONException; import org.apache.tomcat.util.json.JSONObject; -import org.lamsfoundation.lams.events.DeliveryMethodMail; import org.lamsfoundation.lams.events.IEventNotificationService; import org.lamsfoundation.lams.learning.service.ICoreLearnerService; -import org.lamsfoundation.lams.learningdesign.dao.IGroupUserDAO; import org.lamsfoundation.lams.lesson.Lesson; -import org.lamsfoundation.lams.lesson.dao.ILearnerProgressDAO; -import org.lamsfoundation.lams.lesson.service.ILessonService; import org.lamsfoundation.lams.lesson.util.LessonComparator; import org.lamsfoundation.lams.monitoring.MonitoringConstants; import org.lamsfoundation.lams.monitoring.dto.EmailScheduleMessageJobDTO; import org.lamsfoundation.lams.monitoring.service.IMonitoringService; import org.lamsfoundation.lams.monitoring.service.MonitoringServiceProxy; +import org.lamsfoundation.lams.security.ISecurityService; import org.lamsfoundation.lams.usermanagement.Organisation; import org.lamsfoundation.lams.usermanagement.User; import org.lamsfoundation.lams.usermanagement.dto.UserDTO; import org.lamsfoundation.lams.usermanagement.service.IUserManagementService; import org.lamsfoundation.lams.util.DateUtil; import org.lamsfoundation.lams.util.WebUtil; +import org.lamsfoundation.lams.util.audit.IAuditService; import org.lamsfoundation.lams.web.action.LamsDispatchAction; import org.lamsfoundation.lams.web.session.SessionManager; import org.lamsfoundation.lams.web.util.AttributeNames; 
@@ -85,85 +82,99 @@ * * @author Andrey Balan * - * ----------------XDoclet Tags-------------------- + * ----------------XDoclet Tags-------------------- * * @struts:action path="/emailNotifications" parameter="method" validate="false" * @struts.action-forward name = "lessonView" path = "/emailnotifications/lessonNotifications.jsp" * @struts.action-forward name = "courseView" path = "/emailnotifications/courseNotifications.jsp" * @struts.action-forward name = "userList" path = "/emailnotifications/userList.jsp" * @struts.action-forward name = "scheduledEmailList" path = "/emailnotifications/scheduledEmailList.jsp" * - * ----------------XDoclet Tags-------------------- + * ----------------XDoclet Tags-------------------- */ public class EmailNotificationsAction extends LamsDispatchAction { - + // --------------------------------------------------------------------- // Class level constants // --------------------------------------------------------------------- - + private static final String TRIGGER_PREFIX_NAME = "emailMessageOnScheduleTrigger:"; private static IEventNotificationService eventNotificationService; private static IUserManagementService userManagementService; + private static IAuditService auditService; + private static ISecurityService securityService; // --------------------------------------------------------------------- // Struts Dispatch Method // --------------------------------------------------------------------- - + /** * Shows "Email notification" page for particular lesson. 
*/ public ActionForward getLessonView(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - - ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet() - .getServletContext()); - long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); + if (!getSecurityService().isLessonMonitor(lessonId, getUser().getUserID(), "show lesson email notifications", + false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); + return null; + } + + ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet().getServletContext()); Lesson lesson = learnerService.getLesson(lessonId); + if (!lesson.getEnableLessonNotifications()) { + getAuditService().log(MonitoringConstants.MONITORING_MODULE_NAME, + "Notifications are disabled in lesson " + lessonId); + response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Notifications are disabled in the lesson"); + return null; + } + Set activities = lesson.getLearningDesign().getActivities(); - request.setAttribute("lesson", lesson); request.setAttribute("activities", activities); return mapping.findForward("lessonView"); } - + /** * Shows "Email notification" page for particular course. 
*/ public ActionForward getCourseView(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - - ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet() - .getServletContext()); - int orgId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID); - + if (!getSecurityService() + .isGroupMonitor(orgId, getUser().getUserID(), "show course email notifications", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); + return null; + } + + ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet().getServletContext()); + // getting the organisation Organisation org = (Organisation) learnerService.getUserManagementService().findById(Organisation.class, orgId); - - //sort and filter lesson list + + // sort and filter lesson list Set lessons = new TreeSet(new LessonComparator()); - for (Lesson lesson : (Set)org.getLessons()) { + for (Lesson lesson : (Set) org.getLessons()) { if (!Lesson.REMOVED_STATE.equals(lesson.getLessonStateId()) && !Lesson.FINISHED_STATE.equals(lesson.getLessonStateId())) { lessons.add(lesson); } } - + Lesson firstLesson = null; Iterator lessonIter = lessons.iterator(); if (lessonIter.hasNext()) { firstLesson = lessonIter.next(); } - + request.setAttribute("org", org); request.setAttribute("lessons", lessons); request.setAttribute("firstLesson", firstLesson); return mapping.findForward("courseView"); } - + /** * Renders a page listing all scheduled emails. */ 
@@ -175,27 +186,40 @@ Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID, true); boolean isLessonNotifications = (lessonId != null); Integer organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID, true); - + if (isLessonNotifications) { + if (!getSecurityService().isLessonMonitor(lessonId, getUser().getUserID(), + "show scheduled lesson email notifications", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson"); + return null; + } + } else { + if (!getSecurityService().isGroupMonitor(organisationId, getUser().getUserID(), + "show scheduled course course email notifications", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation"); + return null; + } + } + String[] triggerNames = scheduler.getTriggerNames(Scheduler.DEFAULT_GROUP); for (String triggerName : triggerNames) { - if (triggerName.startsWith(TRIGGER_PREFIX_NAME)) { + if (triggerName.startsWith(EmailNotificationsAction.TRIGGER_PREFIX_NAME)) { Trigger trigger = scheduler.getTrigger(triggerName, Scheduler.DEFAULT_GROUP); JobDetail jobDetail = scheduler.getJobDetail(trigger.getJobName(), Scheduler.DEFAULT_GROUP); JobDataMap jobDataMap = jobDetail.getJobDataMap(); - - //filter triggers + + // filter triggers if (isLessonNotifications) { Object jobLessonId = jobDataMap.get(AttributeNames.PARAM_LESSON_ID); - if ((jobLessonId == null) || (! lessonId.equals(jobLessonId))) { + if ((jobLessonId == null) || (!lessonId.equals(jobLessonId))) { continue; } } else { Object jobOrganisationId = jobDataMap.get(AttributeNames.PARAM_ORGANISATION_ID); - if ((jobOrganisationId == null) || (! 
organisationId.equals(jobOrganisationId))) { + if ((jobOrganisationId == null) || (!organisationId.equals(jobOrganisationId))) { continue; } } - + Date triggerDate = trigger.getNextFireTime(); String emailBody = WebUtil.convertNewlines((String) jobDataMap.get("emailBody")); int searchType = (Integer) jobDataMap.get("searchType"); @@ -206,7 +230,7 @@ scheduleList.add(emailScheduleJobDTO); } } - + request.setAttribute("scheduleList", scheduleList); request.setAttribute(AttributeNames.PARAM_LESSON_ID, lessonId); request.setAttribute(AttributeNames.PARAM_ORGANISATION_ID, organisationId); 
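Review bot: The action string passed to `isGroupMonitor` in the course branch reads `"show scheduled course course email notifications"`, with "course" doubled. That text ends up in the log and audit message built by `hasOrgRole`, so correct it to `"show scheduled course email notifications"` to keep audit searches consistent with the other actions in this file. The enclosing method starts before this hunk.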
@@ -223,96 +247,110 @@ JSONObject JSONObject = new JSONObject(); IMonitoringService monitoringService = MonitoringServiceProxy.getMonitoringService(getServlet() .getServletContext()); - getEventNotificationService(); - + String emailBody = WebUtil.readStrParam(request, "emailBody"); Long scheduleDateParameter = WebUtil.readLongParam(request, "scheduleDate", true); - - //check if we send email instantly + + // check if we send email instantly if (scheduleDateParameter == null) { boolean isSuccessfullySent = true; String[] userIdStrs = request.getParameterValues("userId"); for (String userIdStr : userIdStrs) { int userId = Integer.parseInt(userIdStr); boolean isHtmlFormat = false; - isSuccessfullySent &= eventNotificationService.sendMessage(null, - userId, - IEventNotificationService.DELIVERY_METHOD_MAIL, - monitoringService.getMessageService().getMessage("event.emailnotifications.email.subject", - new Object[] {}), emailBody, isHtmlFormat); + isSuccessfullySent &= getEventNotificationService().sendMessage(null, userId, + IEventNotificationService.DELIVERY_METHOD_MAIL, monitoringService.getMessageService() + .getMessage("event.emailnotifications.email.subject", new Object[] {}), emailBody, + isHtmlFormat); } JSONObject.put("isSuccessfullySent", isSuccessfullySent); } else { try { Calendar now = Calendar.getInstance(); - + // calculate scheduleDate Date scheduleDateTeacherTimezone = new Date(scheduleDateParameter); HttpSession ss = SessionManager.getSession(); UserDTO teacher = (UserDTO) ss.getAttribute(AttributeNames.USER); TimeZone teacherTimeZone = teacher.getTimeZone(); Date scheduleDate = DateUtil.convertFromTimeZoneToDefault(teacherTimeZone, scheduleDateTeacherTimezone); - + JobDetail emailScheduleMessageJob = getEmailScheduleMessageJob(); emailScheduleMessageJob.setName("emailScheduleMessageJob:" + now.getTimeInMillis()); emailScheduleMessageJob.setDescription("schedule email message to user(s)"); emailScheduleMessageJob.getJobDataMap().put("emailBody", 
emailBody); - + copySearchParametersFromRequestToMap(request, emailScheduleMessageJob.getJobDataMap()); // create customized triggers - Trigger startLessonTrigger = new SimpleTrigger(TRIGGER_PREFIX_NAME + now.getTimeInMillis(), - Scheduler.DEFAULT_GROUP, scheduleDate); + Trigger startLessonTrigger = new SimpleTrigger(EmailNotificationsAction.TRIGGER_PREFIX_NAME + + now.getTimeInMillis(), Scheduler.DEFAULT_GROUP, scheduleDate); // start the scheduling job Scheduler scheduler = getScheduler(); scheduler.scheduleJob(emailScheduleMessageJob, startLessonTrigger); JSONObject.put("isSuccessfullyScheduled", true); - log.debug("Emails have been successfully scheduled to be sent on " + scheduleDate + " [search type is " + request.getParameter("searchType") + "]"); + LamsDispatchAction.log.debug("Emails have been successfully scheduled to be sent on " + scheduleDate + + " [search type is " + request.getParameter("searchType") + "]"); } catch (SchedulerException e) { - log.error("Error occurred at " + "[emailScheduleMessage]- fail to email scheduling", e); + LamsDispatchAction.log.error("Error occurred at " + "[emailScheduleMessage]- fail to email scheduling", + e); } } response.setContentType("application/json;charset=utf-8"); response.getWriter().print(JSONObject); return null; } - + /** * Refreshes user list. 
*/ public ActionForward getUsers(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException, JSONException { - IMonitoringService monitoringService = MonitoringServiceProxy.getMonitoringService(getServlet() - .getServletContext()); - ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet() - .getServletContext()); - - //TODO check checkOwnerOrStaffMember - Map map = new HashMap(); copySearchParametersFromRequestToMap(request, map); - - int searchType = (Integer) map.get("searchType"); Long lessonId = (Long) map.get(AttributeNames.PARAM_LESSON_ID); Integer orgId = (Integer) map.get(AttributeNames.PARAM_ORGANISATION_ID); + + if (lessonId != null) { + if (!getSecurityService().isLessonMonitor(lessonId, getUser().getUserID(), + "get users for lesson email notifications", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson"); + return null; + } + } else if (orgId != null) { + if (!getSecurityService().isGroupMonitor(orgId, getUser().getUserID(), + "get users for course email notifications", false)) { + response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation"); + return null; + } + } + + IMonitoringService monitoringService = MonitoringServiceProxy.getMonitoringService(getServlet() + .getServletContext()); + ICoreLearnerService learnerService = MonitoringServiceProxy.getLearnerService(getServlet().getServletContext()); + + int searchType = (Integer) map.get("searchType"); Long activityId = (Long) map.get(AttributeNames.PARAM_ACTIVITY_ID); Integer xDaystoFinish = (Integer) map.get("daysToDeadline"); String[] lessonIds = (String[]) map.get("lessonIDs"); - Collection users = monitoringService.getUsersByEmailNotificationSearchType(searchType, lessonId, lessonIds, activityId, xDaystoFinish, orgId); - + Collection users = 
monitoringService.getUsersByEmailNotificationSearchType(searchType, lessonId, + lessonIds, activityId, xDaystoFinish, orgId); + JSONArray cellarray = new JSONArray(); JSONObject responcedata = new JSONObject(); responcedata.put("total", "" + users.size()); responcedata.put("page", "" + 1); responcedata.put("records", "" + users.size()); - + for (User user : users) { - JSONArray cell=new JSONArray(); - cell.put(StringEscapeUtils.escapeHtml(user.getFirstName()) + " " + StringEscapeUtils.escapeHtml(user.getLastName()) + " [" + StringEscapeUtils.escapeHtml(user.getLogin()) + "]"); - + JSONArray cell = new JSONArray(); + cell.put(StringEscapeUtils.escapeHtml(user.getFirstName()) + " " + + StringEscapeUtils.escapeHtml(user.getLastName()) + " [" + + StringEscapeUtils.escapeHtml(user.getLogin()) + "]"); + JSONObject cellobj = new JSONObject(); cellobj.put("id", "" + user.getUserId()); cellobj.put("cell", cell); @@ -322,19 +360,19 @@ response.setContentType("application/json;charset=utf-8"); response.getWriter().print(new String(responcedata.toString())); return null; - } - + } + /** * Copies search parameters from request to specified map. Validates parameters along the way. * * @param request - * @param map specified map + * @param map + * specified map */ private void copySearchParametersFromRequestToMap(HttpServletRequest request, Map map) { int searchType = WebUtil.readIntParam(request, "searchType"); - Assert.notNull(searchType); map.put("searchType", searchType); - + switch (searchType) { case MonitoringConstants.LESSON_TYPE_ASSIGNED_TO_LESSON: case MonitoringConstants.LESSON_TYPE_HAVENT_FINISHED_LESSON: 
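Review bot: The send/schedule method at the top of this hunk has no authorisation check in the lines shown, although `getUsers` below it gains one. It mails every `userId` value from the request and, on the schedule path, stores the request's search parameters in the job without verifying that the caller monitors that lesson or organisation. The method's opening lines are outside the hunk, so confirm nothing is checked there; if not, a check like the sketch below should run before `sendMessage` or `scheduleJob`, and each recipient should also be confirmed as a member of the authorised lesson or organisation. The sketch assumes the client sends the lesson or organisation ID with this request, which is not visible here. Separately, `getUsers` performs no check when neither `lessonId` nor `orgId` is set and never checks the entries of `lessonIDs`; an explicit final `else` answering `SC_FORBIDDEN` would close the first gap.

```java
// … unchanged: JSONObject and monitoringService setup …
Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID, true);
Integer orgId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID, true);
boolean allowed = (lessonId != null)
        ? getSecurityService().isLessonMonitor(lessonId, getUser().getUserID(),
                "send lesson email notifications", false)
        : getSecurityService().isGroupMonitor(orgId, getUser().getUserID(),
                "send course email notifications", false);
if (!allowed) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson or organisation");
    return null;
}
// … unchanged: emailBody / scheduleDate parsing, instant send and scheduling paths …
```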
@@ -343,7 +381,7 @@ case MonitoringConstants.LESSON_TYPE_HAVE_STARTED_LESSON: case MonitoringConstants.LESSON_TYPE_HAVENT_REACHED_PARTICULAR_ACTIVITY: case MonitoringConstants.LESSON_TYPE_LESS_THAN_X_DAYS_TO_DEADLINE: - Long lessonId = (Long) WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); + Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); Assert.notNull(lessonId); map.put(AttributeNames.PARAM_LESSON_ID, lessonId); break; @@ -358,14 +396,14 @@ map.put(AttributeNames.PARAM_ORGANISATION_ID, organisationId); break; } - + switch (searchType) { case MonitoringConstants.LESSON_TYPE_HAVENT_REACHED_PARTICULAR_ACTIVITY: Long activityId = WebUtil.readLongParam(request, AttributeNames.PARAM_ACTIVITY_ID); Assert.notNull(activityId); map.put(AttributeNames.PARAM_ACTIVITY_ID, activityId); break; - + case MonitoringConstants.LESSON_TYPE_LESS_THAN_X_DAYS_TO_DEADLINE: Integer xDaystoFinish = WebUtil.readIntParam(request, "daysToDeadline"); Assert.notNull(xDaystoFinish); 
@@ -374,38 +412,64 @@ case MonitoringConstants.COURSE_TYPE_HAVE_FINISHED_PARTICULAR_LESSON: case MonitoringConstants.COURSE_TYPE_HAVENT_STARTED_PARTICULAR_LESSON: - Long lessonId = (Long) WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); + Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); Assert.notNull(lessonId); map.put(AttributeNames.PARAM_LESSON_ID, lessonId); break; case MonitoringConstants.COURSE_TYPE_HAVE_FINISHED_THESE_LESSONS: case MonitoringConstants.COURSE_TYPE_HAVENT_FINISHED_THESE_LESSONS: - String[] lessonIds = request.getParameterValues(AttributeNames.PARAM_LESSON_ID); + String[] lessonIds = request.getParameterValues(AttributeNames.PARAM_LESSON_ID); Assert.notNull(lessonIds); map.put("lessonIDs", lessonIds); break; } } - + + private UserDTO getUser() { + HttpSession ss = SessionManager.getSession(); + return (UserDTO) ss.getAttribute(AttributeNames.USER); + } + private IEventNotificationService getEventNotificationService() { - if (eventNotificationService == null) { + if (EmailNotificationsAction.eventNotificationService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - eventNotificationService = (IEventNotificationService) ctx.getBean("eventNotificationService"); + EmailNotificationsAction.eventNotificationService = (IEventNotificationService) ctx + .getBean("eventNotificationService"); } - return eventNotificationService; + return EmailNotificationsAction.eventNotificationService; } - + private IUserManagementService getUserManagementService() { - if (userManagementService == null) { + if (EmailNotificationsAction.userManagementService == null) { WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext()); - userManagementService = (IUserManagementService) ctx.getBean("userManagementService"); + EmailNotificationsAction.userManagementService = 
(IUserManagementService) ctx + .getBean("userManagementService"); } - return userManagementService; + return EmailNotificationsAction.userManagementService; } - + + private IAuditService getAuditService() { + if (EmailNotificationsAction.auditService == null) { + WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() + .getServletContext()); + EmailNotificationsAction.auditService = (IAuditService) ctx.getBean("auditService"); + } + return EmailNotificationsAction.auditService; + } + + private ISecurityService getSecurityService() { + if (EmailNotificationsAction.securityService == null) { + WebApplicationContext webContext = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() + .getServletContext()); + EmailNotificationsAction.securityService = (ISecurityService) webContext.getBean("securityService"); + } + + return EmailNotificationsAction.securityService; + } + /** * * @return the bean that defines emailScheduleMessageJob. @@ -415,7 +479,7 @@ .getServletContext()); return (JobDetail) ctx.getBean(MonitoringConstants.JOB_EMAIL_MESSAGE); } - + /** * * @return the bean that defines Scheduler.
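Review bot: The new `getUser()` dereferences the result of `SessionManager.getSession()` without a null check and returns whatever is stored under `AttributeNames.USER`, so with no authenticated session it either throws a NullPointerException or hands back null. Whether `SessionManager.getSession()` can return null is not visible here, but this helper presumably feeds the new security and audit calls, so it should fail closed: add `if (ss == null) { return null; }` and have every caller reject the request when the user is null. In the same hunk, `lessonIds` is copied into the map as a raw `String[]` after only `Assert.notNull(lessonIds)`, unlike the single `lessonId`, which goes through `WebUtil.readLongParam`; parsing each element to a `Long` here would reject non-numeric ids before they reach the service. `copySearchParametersFromRequestToMap` starts outside this hunk.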