Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java
===================================================================
diff -u -rff01a6c237cefc4a5186889bf46041152cfc37ae -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java (.../AuthoringAction.java) (revision ff01a6c237cefc4a5186889bf46041152cfc37ae)
+++ lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringAction.java (.../AuthoringAction.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
@@ -60,6 +60,9 @@
 import org.lamsfoundation.lams.learningdesign.service.ILearningDesignService;
 import org.lamsfoundation.lams.lesson.Lesson;
 import org.lamsfoundation.lams.monitoring.service.IMonitoringService;
+import org.lamsfoundation.lams.monitoring.web.MonitoringAction;
+import org.lamsfoundation.lams.security.ISecurityService;
+import org.lamsfoundation.lams.security.SecurityException;
 import org.lamsfoundation.lams.tool.IToolVO;
 import org.lamsfoundation.lams.tool.ToolContentManager;
 import org.lamsfoundation.lams.tool.ToolOutputDefinition;
@@ -104,6 +107,7 @@
 private static ILamsToolService toolService;
 private static IAuthoringService authoringService;
 private static ILearningDesignService learningDesignService;
+ private static ISecurityService securityService;
 private static int LEARNING_DESIGN_ACCESS_ENTRIES_LIMIT = 7;
@@ -460,6 +464,15 @@
 Long toolContentID = WebUtil.readLongParam(request, AttributeNames.PARAM_TOOL_CONTENT_ID);
 String contentFolderID = request.getParameter(AttributeNames.PARAM_CONTENT_FOLDER_ID);
 Integer organisationID = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID);
+ Integer userID = getUserId();
+
+ try {
+ getSecurityService().hasOrgRole(organisationID, userID, Role.MONITOR);
+ } catch (SecurityException e) {
+ log.error("Cannot add a lesson", e);
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the given lesson");
+ return null;
+ }
 // get title from tool content
 IToolVO tool = getToolService().getToolByID(toolID);
@@ -471,7 +484,6 @@
 Long learningDesignID = authoringService.insertSingleActivityLearningDesign(title, toolID, toolContentID, contentFolderID, organisationID);
 if (learningDesignID != null) {
- Integer userID = getUserId();
 User user = (User) getUserManagementService().findById(User.class, userID);
 Lesson lesson = getMonitoringService().initializeLessonWithoutLDcopy(title, "", learningDesignID, user, null, false, false, true, false, false, true, true, false, null, null);
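Review bot: The 403 text `"User is not a monitor in the given lesson"` in the new catch block does not describe the check that failed: `hasOrgRole(organisationID, userID, Role.MONITOR)` tests the user's role in the organisation, and no lesson exists yet at this point, so `"User is not a monitor in the given organisation"` would be accurate; the same message is reused in the MonitoringAction hunk at @@ -370. An authorisation refusal is an expected outcome rather than a fault, so `log.warn("User " + userID + " is not a monitor in organisation " + organisationID)` without the stack trace would keep the error log readable. The check accepts only MONITOR, while SecurityService.checkIsLessonMonitor (context at @@ -72) also lets GROUP_MANAGER through and the new service-side check in MonitoringService.initializeLesson is MONITOR-only as well — worth confirming that group managers are meant to be unable to create lessons from here. The import of `org.lamsfoundation.lams.monitoring.web.MonitoringAction` added at @@ -60 has no use in the visible hunks. The enclosing action method starts and ends outside this hunk.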
@@ -696,4 +708,13 @@
 }
 return AuthoringAction.learningDesignService;
 }
+
+ private ISecurityService getSecurityService() {
+ if (securityService == null) {
+ WebApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(getServlet() .getServletContext());
+ securityService = (ISecurityService) ctx.getBean("securityService");
+ }
+ return securityService;
+ }
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/security/ISecurityDAO.java
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_common/src/java/org/lamsfoundation/lams/security/ISecurityDAO.java (.../ISecurityDAO.java) (revision 38b5da8f9b986f835a4dde123bd09954a4b6e171)
+++ lams_common/src/java/org/lamsfoundation/lams/security/ISecurityDAO.java (.../ISecurityDAO.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
@@ -33,7 +33,7 @@
 boolean isLessonLearner(Long lessonId, Integer userId);
- boolean isLessonMonitor(Long lessonId, Integer userId);
+ boolean isLessonMonitor(Long lessonId, Integer userId, boolean ownerAccepted, boolean groupManagerAccepted);
 boolean isSysadmin(Integer userId);
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision 38b5da8f9b986f835a4dde123bd09954a4b6e171)
+++ lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
@@ -23,31 +23,37 @@
 package org.lamsfoundation.lams.security;
-
 public interface ISecurityService {
-
+
 /**
 * Checks if the user is a learner in the given lesson.
 */
 void checkIsLessonLearner(Long lessonId, Integer userId) throws SecurityException;
-
+
 /**
 * Checks if the user is a staff member in the given lesson.
 */
 void checkIsLessonMonitor(Long lessonId, Integer userId) throws SecurityException;
-
+
 /**
+ * Checks if the user is a staff member or optionally the owner of the given lesson, or a group manager of the
+ * organisation the lesson belongs to.
+ */
+ void checkIsLessonMonitor(Long lessonId, Integer userId, boolean ownerAccepted, boolean groupManagerAccepted)
+ throws SecurityException;
+
+ /**
 * Checks if the user is either a learner or a staff member in the given lesson.
 */
 void checkIsLessonParticipant(Long lessonId, Integer userId) throws SecurityException;
-
+
 /**
 * Checks if the user has a global role of SYSADMIN.
 */
 void checkIsSysadmin(Integer userId);
-
+
 /**
- * Checks if the user has any of the given roles in the given organisation.
+ * Checks if the user has any of the given roles in the given organisation.
 */
 void hasOrgRole(Integer orgId, Integer userId, String... roles) throws SecurityException;
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityDAO.java
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_common/src/java/org/lamsfoundation/lams/security/SecurityDAO.java (.../SecurityDAO.java) (revision 38b5da8f9b986f835a4dde123bd09954a4b6e171)
+++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityDAO.java (.../SecurityDAO.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
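Review bot: The Javadoc added for the four-argument `checkIsLessonMonitor` does not say which flag enables which exception to the staff-membership rule, and "optionally" reads as applying only to the owner. I would document the parameters explicitly: `@param ownerAccepted also accept the lesson's owner (Lesson#getUser())`, `@param groupManagerAccepted also accept a group manager of the lesson's organisation, or of its parent when the lesson sits in a class`, plus `@throws SecurityException if the user is not a monitor under the selected rules`. The parent-organisation detail is what the SecurityDAO implementation in this commit does, so stating it here keeps interface and implementation in step.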
@@ -28,6 +28,8 @@
 import org.hibernate.Query;
 import org.hibernate.SQLQuery;
 import org.lamsfoundation.lams.lesson.Lesson;
+import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.UserOrganisation;
 import org.springframework.orm.hibernate3.support.HibernateDaoSupport;
@@ -91,9 +93,27 @@
 }
 @Override
- public boolean isLessonMonitor(Long lessonId, Integer userId) {
- return !getHibernateTemplate().find(SecurityDAO.CHECK_LESSON_MONITOR, new Object[] { lessonId, userId }) .isEmpty();
+ public boolean isLessonMonitor(Long lessonId, Integer userId, boolean ownerAccepted, boolean groupManagerAccepted) {
+ boolean result = !getHibernateTemplate().find(SecurityDAO.CHECK_LESSON_MONITOR, new Object[] { lessonId, userId }).isEmpty();
+ Lesson lesson = null;
+ if (!result && ownerAccepted) {
+ lesson = (Lesson) find(Lesson.class, lessonId);
+ result = lesson != null && userId.equals(lesson.getUser().equals(userId));
+ }
+ if (!result && groupManagerAccepted) {
+ if (lesson == null) {
+ lesson = (Lesson) find(Lesson.class, lessonId);
+ }
+ if (lesson != null) {
+ Organisation organisation = lesson.getOrganisation();
+ if (OrganisationType.CLASS_TYPE.equals(organisation.getOrganisationType().getOrganisationTypeId())) {
+ organisation = organisation.getParentOrganisation();
+ }
+ result = hasOrgRole(organisation.getOrganisationId(), userId, Role.GROUP_MANAGER);
+ }
+ }
+ return result;
 }
 @Override
Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 38b5da8f9b986f835a4dde123bd09954a4b6e171)
+++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
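Review bot: The owner test `result = lesson != null && userId.equals(lesson.getUser().equals(userId));` can never be true: `lesson.getUser()` is compared with an `Integer`, which yields `false`, and `userId.equals(false)` is again `false`, so `ownerAccepted` is a no-op and the one caller that passes `true` (checkIsLessonParticipant in SecurityService) still rejects the lesson owner; the intended comparison is presumably `userId.equals(lesson.getUser().getUserId())`, with a null guard on `lesson.getUser()`. This fails closed, so it is a functional rather than an authorisation defect, but a DAO test with an owner who is not in the staff group would have caught it. In the group-manager branch `organisation.getParentOrganisation()` may return null for a class with no parent, and `organisation.getOrganisationId()` would then throw NullPointerException instead of returning false; guard with `if (organisation != null)` around the `hasOrgRole` call. Placing the owner/group-manager policy inside the DAO also moves authorisation logic out of SecurityService, where the rest of it lives.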
@@ -58,6 +58,12 @@
 @Override
 public void checkIsLessonMonitor(Long lessonId, Integer userId) throws SecurityException {
+ checkIsLessonMonitor(lessonId, userId, false, false);
+ }
+
+ @Override
+ public void checkIsLessonMonitor(Long lessonId, Integer userId, boolean ownerAccepted, boolean groupManagerAccepted)
+ throws SecurityException {
 if (lessonId == null) {
 throw new SecurityException("Lesson ID is NULL");
 }
@@ -72,7 +78,8 @@
 hasOrgRole(lesson.getOrganisation().getOrganisationId(), userId, Role.MONITOR, Role.GROUP_MANAGER);
- if (!securityDAO.isSysadmin(userId) && !securityDAO.isLessonMonitor(lessonId, userId)) {
+ if (!securityDAO.isSysadmin(userId)
+ && !securityDAO.isLessonMonitor(lessonId, userId, ownerAccepted, groupManagerAccepted)) {
 throw new SecurityException("User with ID: " + userId + " is not a monitor in lesson with ID: " + lessonId);
 }
 }
@@ -94,7 +101,7 @@
 hasOrgRole(lesson.getOrganisation().getOrganisationId(), userId, Role.LEARNER, Role.MONITOR, Role.GROUP_MANAGER);
 if (!securityDAO.isSysadmin(userId) && !securityDAO.isLessonLearner(lessonId, userId)
- && !securityDAO.isLessonMonitor(lessonId, userId)) {
+ && !securityDAO.isLessonMonitor(lessonId, userId, true, false)) {
 throw new SecurityException("User with ID: " + userId + " is not a learner in lesson with ID: " + lessonId);
 }
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/monitoringApplicationContext.xml
===================================================================
diff -u -rd927914e80c12ea4cf2612788663209520c008c1 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/monitoringApplicationContext.xml (.../monitoringApplicationContext.xml) (revision d927914e80c12ea4cf2612788663209520c008c1)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/monitoringApplicationContext.xml (.../monitoringApplicationContext.xml) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
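Review bot: The new `ownerAccepted`/`groupManagerAccepted` flags are only consulted after the unchanged `hasOrgRole(lesson.getOrganisation().getOrganisationId(), userId, Role.MONITOR, Role.GROUP_MANAGER)` call in the @@ -72 hunk, which throws for anyone without one of those roles in the lesson's own organisation. A lesson owner holding no organisation role, or a group manager whose role sits on the parent organisation (the case the new SecurityDAO branch at @@ -91 looks up when the lesson's organisation is a class), is therefore rejected before the DAO is asked, so the flags widen access less than their names suggest. If that gate is intentional, the ISecurityService Javadoc should say the owner/group-manager exceptions apply only to users who already hold MONITOR or GROUP_MANAGER in the lesson's organisation; if not, the `hasOrgRole` call needs the same parent-organisation handling or should be skipped when a flag is set. The change to `checkIsLessonParticipant` at @@ -94 now admits the lesson owner as a participant, which is a policy change worth a line in that method's Javadoc.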
@@ -44,7 +44,8 @@
-
+
+
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java
===================================================================
diff -u -r936a8e08dcd4329b32c5c9820cf0f8756fc232bc -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java (.../MonitoringService.java) (revision 936a8e08dcd4329b32c5c9820cf0f8756fc232bc)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java (.../MonitoringService.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
@@ -88,6 +88,7 @@
 import org.lamsfoundation.lams.logevent.service.ILogEventService;
 import org.lamsfoundation.lams.monitoring.MonitoringConstants;
 import org.lamsfoundation.lams.monitoring.dto.ContributeActivityDTO;
+import org.lamsfoundation.lams.security.ISecurityService;
 import org.lamsfoundation.lams.tool.ToolSession;
 import org.lamsfoundation.lams.tool.exception.LamsToolServiceException;
 import org.lamsfoundation.lams.tool.exception.ToolException;
@@ -180,6 +181,8 @@
 private ILamsCoreToolService lamsCoreToolService;
 private IUserManagementService userManagementService;
+
+ private ISecurityService securityService;
 private Scheduler scheduler;
@@ -228,6 +231,10 @@
 public void setUserManagementService(IUserManagementService userManagementService) {
 this.userManagementService = userManagementService;
 }
+
+ public void setSecurityService(ISecurityService securityService) {
+ this.securityService = securityService;
+ }
 /**
 * @param learningDesignDAO
@@ -388,6 +395,8 @@
 Boolean learnerImAvailable, Boolean liveEditEnabled, Boolean enableLessonNotifications, Boolean learnerRestart, Integer scheduledNumberDaysToLessonFinish, Long precedingLessonId) {
+ securityService.hasOrgRole(organisationId, userID, Role.MONITOR);
+
 LearningDesign originalLearningDesign = authoringService.getLearningDesign(new Long(learningDesignId));
 if (originalLearningDesign == null) {
 throw new MonitoringServiceException("Learning design for id=" + learningDesignId
@@ -441,7 +450,7 @@
 + " is missing. Unable to initialize lesson.");
 }
 User user = userID != null ? (User) baseDAO.find(User.class, userID) : null;
-
+
 return initializeLesson(lessonName, lessonDescription, originalLearningDesign, user, null, LearningDesign.COPY_TYPE_PREVIEW, customCSV, false, false, false, learnerPresenceAvailable, learnerImAvailable, liveEditEnabled, true, false, null, null);
@@ -472,7 +481,6 @@
 Boolean displayDesignImage, Boolean learnerExportAvailable, Boolean learnerPresenceAvailable, Boolean learnerImAvailable, Boolean liveEditEnabled, Boolean enableLessonNotifications, Boolean learnerRestart, Integer scheduledNumberDaysToLessonFinish, Lesson precedingLesson) {
-
 // copy the current learning design
 LearningDesign copiedLearningDesign = authoringService.copyLearningDesign(originalLearningDesign, new Integer( copyType), user, workspaceFolder, true, null, customCSV);
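Review bot: `securityService.hasOrgRole(organisationId, userID, Role.MONITOR);` guards `initializeLesson` at the service layer, but the sibling `initializeLessonWithoutLDcopy` that AuthoringAction calls in this same commit is left to the web action to check; placing the same call inside that method, or in a shared private helper both entry points use, would enforce the rule wherever lessons are created rather than only behind the two actions changed here. The check also runs for every caller of this overload, including any internal or scheduled path that passes a null `userID`; `hasOrgRole` will presumably reject a null user, so such callers (if any exist) now throw SecurityException — worth confirming before merge. `securityService` is setter-injected and never null-checked; its wiring lives in monitoringApplicationContext.xml, whose changed lines are not legible in this diff, so a startup failure would surface as a NullPointerException on the first lesson creation rather than at context load. The enclosing method starts before and ends after the hunk.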
@@ -554,7 +562,6 @@
 }
 @Override
- @SuppressWarnings("unchecked")
 public Lesson createLessonClassForLesson(long lessonId, Organisation organisation, String learnerGroupName, List organizationUsers, String staffGroupName, List staffs, Integer userId) {
 Lesson newLesson = lessonDAO.getLesson(new Long(lessonId));
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java
===================================================================
diff -u -r38b5da8f9b986f835a4dde123bd09954a4b6e171 -r9234cb75efd86c137c56366bc5b0e2f93aad05ea
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java (.../MonitoringAction.java) (revision 38b5da8f9b986f835a4dde123bd09954a4b6e171)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringAction.java (.../MonitoringAction.java) (revision 9234cb75efd86c137c56366bc5b0e2f93aad05ea)
@@ -370,10 +370,18 @@
 + (splitNumberLessons == null ? "" : "(" + lessonIndex + "/" + splitNumberLessons + ") ") + "\"" + lessonInstanceName + "\"");
 }
- Lesson lesson = monitoringService.initializeLesson(lessonInstanceName, introDescription, ldId, organisationId, userId, null, introEnable, introImage, portfolioEnable, presenceEnable, imEnable, enableLiveEdit, notificationsEnable, learnerRestart, timeLimitIndividual, precedingLessonId);
+ Lesson lesson = null;
+ try {
+ lesson = monitoringService.initializeLesson(lessonInstanceName, introDescription, ldId, organisationId, userId, null, introEnable, introImage, portfolioEnable, presenceEnable, imEnable, enableLiveEdit, notificationsEnable, learnerRestart, timeLimitIndividual, precedingLessonId);
+ } catch (SecurityException e) {
+ log.error("Cannot add a lesson for LD: " + ldId, e);
+ response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the given lesson");
+ return null;
+ }
+
 monitoringService.createLessonClassForLesson(lesson.getLessonId(), organisation, learnerGroupInstanceName, lessonInstanceLearners, staffGroupInstanceName, staff, userId);
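Review bot: The new `catch (SecurityException e)` only does what the commit intends if `SecurityException` resolves to `org.lamsfoundation.lams.security.SecurityException`; no import is added in this file, while AuthoringAction needed an explicit one at @@ -60, so if MonitoringAction does not already import it the catch binds `java.lang.SecurityException` and the exception thrown by `initializeLesson` propagates unhandled — please confirm the import. The `lessonIndex`/`splitNumberLessons` context suggests this code runs inside a loop that creates several lessons; `return null` on a later iteration leaves the earlier lessons in place, which is acceptable only because the organisation-role check does not vary between iterations, and a one-line comment such as `// role check is per organisation, so a refusal here cannot follow a successful iteration` would record that reasoning. The enclosing method starts outside the hunk.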