Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/CleanupPreviewLessonsController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/CleanupPreviewLessonsController.java (.../CleanupPreviewLessonsController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/CleanupPreviewLessonsController.java (.../CleanupPreviewLessonsController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -67,8 +67,8 @@
 @RequestMapping(path = "/start")
 public String unspecified(HttpServletRequest request, HttpServletResponse response) throws IOException {
-
- if (!securityService.isSysadmin(getUserID(), "display cleanup preview lessons", false)) {
+
+ if (!securityService.isSysadmin(getUserID(), "display cleanup preview lessons")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a sysadmin");
 return null;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java
===================================================================
diff -u -r29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java (.../OrgManageController.java) (revision 29a37489a63e5a95f42a5ef5fd8a7daeb65c53c5)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java (.../OrgManageController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -98,7 +98,7 @@
 if (!request.isUserInRole(Role.SYSADMIN) && !userManagementService.isUserGlobalGroupManager() && !(isRootOrganisation ? request.isUserInRole(Role.GROUP_MANAGER) : securityService.hasOrgRole(orgId, userId, new String[] { Role.GROUP_MANAGER },
- "manage courses", false))) {
+ "manage courses"))) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation");
 return null;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgPasswordChangeController.java
===================================================================
diff -u -r65ed3834599c7868a2f7948a02500b28b071b579 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgPasswordChangeController.java (.../OrgPasswordChangeController.java) (revision 65ed3834599c7868a2f7948a02500b28b071b579)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgPasswordChangeController.java (.../OrgPasswordChangeController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -114,9 +114,8 @@
 UserDTO userDTO = getUserDTO();
 Integer currentUserId = userDTO.getUserID();
- if (!securityService.isSysadmin(currentUserId, "get grid users for org password change", false)) {
+ if (!securityService.isSysadmin(currentUserId, "get grid users for org password change")) {
 String warning = "User " + currentUserId + " is not a sysadmin";
- log.warn(warning);
 response.sendError(HttpServletResponse.SC_FORBIDDEN, warning);
 return null;
 }
@@ -178,9 +177,8 @@
 UserDTO userDTO = getUserDTO();
 Integer currentUserId = userDTO.getUserID();
 // security check
- if (!securityService.isSysadmin(currentUserId, "org password change", false)) {
+ if (!securityService.isSysadmin(currentUserId, "org password change")) {
 String warning = "User " + currentUserId + " is not a sysadmin";
- log.warn(warning);
 response.sendError(HttpServletResponse.SC_FORBIDDEN, warning);
 return null;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java
===================================================================
diff -u -r351f9417a32d396911387eeef3117fd40be35b7c -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java (.../OrganisationController.java) (revision 351f9417a32d396911387eeef3117fd40be35b7c)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrganisationController.java (.../OrganisationController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -168,7 +168,7 @@
 @RequestMapping(path = "/deleteAllLessonsInit")
 public String deleteAllLessonsInit(HttpServletRequest request, HttpServletResponse response) throws IOException {
- if (!securityService.isSysadmin(getUserID(), "display cleanup preview lessons", false)) {
+ if (!securityService.isSysadmin(getUserID(), "display cleanup preview lessons")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a sysadmin");
 return null;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/PortraitBatchUploadController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/PortraitBatchUploadController.java (.../PortraitBatchUploadController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/PortraitBatchUploadController.java (.../PortraitBatchUploadController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -40,8 +40,6 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
-import org.springframework.web.context.WebApplicationContext;
-import org.springframework.web.context.support.WebApplicationContextUtils;
 /**
 * Looks for [login].png images in /tmp/portraits of user IDs within given range and starting with the given prefix
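Review bot: The action label passed to `isSysadmin` in `deleteAllLessonsInit` is `"display cleanup preview lessons"`, copied from CleanupPreviewLessonsController, so a role-failure event for this endpoint would be recorded under the wrong operation. The action string is what the security service writes to its log and audit trail, so it should name this endpoint, e.g. `if (!securityService.isSysadmin(getUserID(), "delete all lessons init")) {`. The same mislabelling appears in OutcomeController, where `outcomeManage`, `outcomeEdit` and `outcomeRemove` all pass `"import outcomes"` to `ensureSysadmin`, which makes the audit trail unable to distinguish an attempted import from an attempted removal.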
@@ -59,7 +57,7 @@
 @RequestMapping("/uploadPortraits")
 @ResponseBody
 public String execute(HttpServletRequest request, HttpServletResponse response) throws IOException {
- if (!securityService.isSysadmin(getUserID(), "batch upload portraits", false)) {
+ if (!securityService.isSysadmin(getUserID(), "batch upload portraits")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a sysadmin");
 return null;
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java
===================================================================
diff -u -r351f9417a32d396911387eeef3117fd40be35b7c -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision 351f9417a32d396911387eeef3117fd40be35b7c)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -296,7 +296,7 @@
 Integer loggeduserId = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 // check if logged in User is Sysadmin
- if (!securityService.isSysadmin(loggeduserId, "Change Password of User " + userId, true)) {
+ if (!securityService.isSysadmin(loggeduserId, "change password for user " + userId)) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "Only Sysadmin has edit permisions");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringController.java
===================================================================
diff -u -re49f4ca2772f41c3e5dce498bc2d32a66b4f31ad -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringController.java (.../AuthoringController.java) (revision e49f4ca2772f41c3e5dce498bc2d32a66b4f31ad)
+++ lams_central/src/java/org/lamsfoundation/lams/authoring/web/AuthoringController.java (.../AuthoringController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -309,7 +309,7 @@
 }
 Integer userID = getUserId();
- if (!securityService.isGroupMonitor(organisationID, userID, "create single activity lesson", false)) {
+ if (!securityService.isGroupMonitor(organisationID, userID, "create single activity lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/comments/web/CommentController.java
===================================================================
diff -u -r70a58e52215be36bba02d60d98eee77b372accf1 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/comments/web/CommentController.java (.../CommentController.java) (revision 70a58e52215be36bba02d60d98eee77b372accf1)
+++ lams_central/src/java/org/lamsfoundation/lams/comments/web/CommentController.java (.../CommentController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -26,6 +26,7 @@
 import java.util.Iterator;
 import java.util.List;
+import javax.persistence.PersistenceException;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -153,7 +154,7 @@
 Comment rootComment = commentService.createOrGetRoot(externalId, externalSecondaryId, externalType, externalSignature, user);
 sessionMap.put(CommentConstants.ATTR_ROOT_COMMENT_UID, rootComment.getUid());
-
+
 prepareViewTopicData(request, sessionMap, pageSize, sortBy, true);
 return "comments/comments";
 }
@@ -182,7 +183,7 @@
 .equals(WebUtil.getToolAccessMode((String) sessionMap.get(AttributeNames.ATTR_MODE)))) {
 GroupedToolSession toolSession = (GroupedToolSession) lamsCoreToolService.getToolSessionById(toolSessionId);
 return securityService.isLessonMonitor(toolSession.getLesson().getLessonId(), user.getUserId(),
- "Comment Monitoring Tasks", false);
+ "Comment Monitoring Tasks");
 } else {
 return false;
 }
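Review bot: The added `import javax.persistence.PersistenceException;` in the `-26` hunk of CommentController is not referenced by any hunk of this file shown here. If nothing outside these hunks uses it, it is an unused import that should be dropped; the rest of the file is outside this view, so it may be consumed by a later change.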
@@ -206,13 +207,13 @@
 if (sortBy != null) {
 sessionMap.put(CommentConstants.ATTR_SORT_BY, sortBy);
 }
-
+
 prepareViewTopicData(request, sessionMap, pageSize, sortBy, sticky);
 return (sticky ? "comments/allviewwrapper" : "comments/topicviewwrapper");
 }
- private void prepareViewTopicData(HttpServletRequest request, SessionMap sessionMap, Integer pageSize,
- Integer sortBy, boolean includeSticky) {
+ private void prepareViewTopicData(HttpServletRequest request, SessionMap sessionMap,
+ Integer pageSize, Integer sortBy, boolean includeSticky) {
 Long externalId = (Long) sessionMap.get(CommentConstants.ATTR_EXTERNAL_ID);
 Long externalSecondaryId = (Long) sessionMap.get(CommentConstants.ATTR_EXTERNAL_SECONDARY_ID);
@@ -410,7 +411,7 @@
 ObjectNode responseJSON;
 if (!validateText(commentText)) {
 responseJSON = getFailedValidationJSON();
-
+
 } else {
 User user = getCurrentUser(request);
Index: lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupController.java
===================================================================
diff -u -r7b00deb3e9e0e67b79ab7d0a1ea247e9fedfbaf9 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupController.java (.../DisplayGroupController.java) (revision 7b00deb3e9e0e67b79ab7d0a1ea247e9fedfbaf9)
+++ lams_central/src/java/org/lamsfoundation/lams/web/DisplayGroupController.java (.../DisplayGroupController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -88,8 +88,7 @@
 if (org != null) {
 User user = getUser(request.getRemoteUser());
 if (!securityService.hasOrgRole(orgId, user.getUserId(),
- new String[] { Role.GROUP_MANAGER, Role.LEARNER, Role.MONITOR, Role.AUTHOR }, "display group",
- false)) {
+ new String[] { Role.GROUP_MANAGER, Role.LEARNER, Role.MONITOR, Role.AUTHOR }, "display group")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a part of the organisation");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsController.java (.../FindUserLessonsController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_central/src/java/org/lamsfoundation/lams/web/FindUserLessonsController.java (.../FindUserLessonsController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -48,7 +48,7 @@
 Integer courseID = WebUtil.readIntParam(request, "courseID");
 User viewer = (User) userManagementService.findById(User.class, getUserId());
- if (!securityService.isGroupMonitor(courseID, viewer.getUserId(), "find user lessons", false)) {
+ if (!securityService.isGroupMonitor(courseID, viewer.getUserId(), "find user lessons")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
@@ -98,7 +98,7 @@
 @RequestMapping("/autocomplete")
 public String autocomplete(HttpServletRequest request, HttpServletResponse response) throws Exception {
 Integer courseID = WebUtil.readIntParam(request, "courseID", true);
- if (!securityService.isGroupMonitor(courseID, getUserId(), "autocomplete for find user lessons", false)) {
+ if (!securityService.isGroupMonitor(courseID, getUserId(), "autocomplete for find user lessons")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/HomeController.java
===================================================================
diff -u -rd40c2f2f11ceb1086c32f47220853b58541a7100 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/HomeController.java (.../HomeController.java) (revision d40c2f2f11ceb1086c32f47220853b58541a7100)
+++ lams_central/src/java/org/lamsfoundation/lams/web/HomeController.java (.../HomeController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -140,7 +140,7 @@
 return "errorContent";
 }
- if (!securityService.isLessonLearner(lessonId, user.getUserID(), "access lesson", false)) {
+ if (!securityService.isLessonLearner(lessonId, user.getUserID(), "access lesson")) {
 res.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the lesson");
 return null;
 }
@@ -258,7 +258,7 @@
 public String addLesson(HttpServletRequest req, HttpServletResponse res, @RequestParam Integer organisationID) throws IOException, UserAccessDeniedException, RepositoryCheckedException {
 UserDTO userDTO = getUser();
- if (!securityService.isGroupMonitor(organisationID, userDTO.getUserID(), "add lesson", false)) {
+ if (!securityService.isGroupMonitor(organisationID, userDTO.getUserID(), "add lesson")) {
 res.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsController.java
===================================================================
diff -u -ree2eb1711b99ac1eb975da1934ea4e78df57c89f -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsController.java (.../LessonConditionsController.java) (revision ee2eb1711b99ac1eb975da1934ea4e78df57c89f)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LessonConditionsController.java (.../LessonConditionsController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -105,7 +105,7 @@
 public String getIndexLessonConditions(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false);
- if (!securityService.isLessonMonitor(lessonId, getUser().getUserID(), "show lesson conditions", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUser().getUserID(), "show lesson conditions")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -168,7 +168,7 @@
 @RequestMapping(path = "/removeLessonDependency", method = RequestMethod.POST)
 public String removeLessonDependency(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false);
- if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "remove lesson dependency", false)) {
+ if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "remove lesson dependency")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson");
 return null;
 }
@@ -199,7 +199,7 @@
 @RequestMapping(path = "/addLessonDependency", method = RequestMethod.POST)
 public String addLessonDependency(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false);
- if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "add lesson dependency", false)) {
+ if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "add lesson dependency")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson");
 return null;
 }
@@ -226,7 +226,7 @@
 @RequestMapping(path = "/setDaysToLessonFinish", method = RequestMethod.POST)
 public String setDaysToLessonFinish(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long lessonId = WebUtil.readLongParam(request, CentralConstants.PARAM_LESSON_ID, false);
- if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "set days to lesson finish", false)) {
+ if (!securityService.isLessonOwner(lessonId, getUser().getUserID(), "set days to lesson finish")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not the owner of the lesson");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupController.java
===================================================================
diff -u -ra5b247dd91cb3ffabf9de46cba029e5537fad087 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupController.java (.../OrganisationGroupController.java) (revision a5b247dd91cb3ffabf9de46cba029e5537fad087)
+++ lams_central/src/java/org/lamsfoundation/lams/web/OrganisationGroupController.java (.../OrganisationGroupController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -131,7 +131,7 @@
 // check if user is allowed to view and edit groupings
 if (!securityService.hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groupings", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groupings")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation");
 return null;
 }
@@ -206,7 +206,7 @@
 // check if user is allowed to view and edit groups
 if (!securityService.hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groups", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groups")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation");
 return null;
 }
@@ -362,7 +362,7 @@
 int organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID);
 // check if user is allowed to save grouping
 if (!securityService.hasOrgRole(organisationId, userId, new String[] { Role.GROUP_MANAGER },
- "save organisation grouping", false)) {
+ "save organisation grouping")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation");
 }
@@ -431,7 +431,7 @@
 Integer userId = getUserDTO().getUserID();
 int organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID);
 if (!securityService.hasOrgRole(organisationId, userId, new String[] { Role.GROUP_MANAGER },
- "remove organisation grouping", false)) {
+ "remove organisation grouping")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation");
 return null;
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/controller/LtiController.java
===================================================================
diff -u -rf7be4ba0bcbfca19280812b0df58b3413d9c7a91 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/controller/LtiController.java (.../LtiController.java) (revision f7be4ba0bcbfca19280812b0df58b3413d9c7a91)
+++ lams_central/src/java/org/lamsfoundation/lams/web/controller/LtiController.java (.../LtiController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
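Review bot: In the `-362` hunk of OrganisationGroupController the `hasOrgRole` failure branch calls `response.sendError(...)` but, unlike the `-431` hunk directly below it, has no `return`, so unless the code after the hunk re-checks the response the save-grouping handler keeps running for a caller who lacks GROUP_MANAGER and only the error status is sent. The method body continues outside the hunk, so confirm what follows; if nothing guards it, add `return null;` (or whatever the method's return type requires) after the `sendError` call so the check fails closed like the other two hunks in this file.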
@@ -207,7 +207,7 @@
 ExtCourseClassMap extCourse = integrationService.getExtCourseClassMap(extServer.getSid(), contextId);
 Integer organisationId = extCourse.getOrganisation().getOrganisationId();
 //only monitors are allowed to create lesson
- if (!securityService.isGroupMonitor(organisationId, userId, "add lesson", false)) {
+ if (!securityService.isGroupMonitor(organisationId, userId, "add lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
@@ -269,7 +269,7 @@
 boolean enableLessonIntro = WebUtil.readBooleanParam(request, "enableLessonIntro", false);
 //only monitors are allowed to create lesson
- if (!securityService.isGroupMonitor(organisationId, userId, "add lesson", false)) {
+ if (!securityService.isGroupMonitor(organisationId, userId, "add lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
@@ -488,7 +488,7 @@
 request.setAttribute("description", lesson.getLessonDescription());
 request.setAttribute("isDisplayDesignImage", lesson.isDisplayDesignImage());
 // only teachers can see "Open monitor" link
- boolean isMonitor = securityService.isLessonMonitor(lessonId, userId, null, false);
+ boolean isMonitor = securityService.isLessonMonitor(lessonId, userId, null);
 request.setAttribute("isMonitor", isMonitor);
 //get learnerProgressDto
Index: lams_central/src/java/org/lamsfoundation/lams/web/outcome/OutcomeController.java
===================================================================
diff -u -r8551e1e6e40eba3ea06fb591554e566d470f155b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/web/outcome/OutcomeController.java (.../OutcomeController.java) (revision 8551e1e6e40eba3ea06fb591554e566d470f155b)
+++ lams_central/src/java/org/lamsfoundation/lams/web/outcome/OutcomeController.java (.../OutcomeController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
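Review bot: In the `-488` hunk `isLessonMonitor(lessonId, userId, null)` passes a null action for what is only a UI decision (whether to render the "Open monitor" link), while the commit removes the interface Javadoc that said a null action suppresses logging. With the new API the non-logging intent should be stated through the `skipLog` overload rather than a null label, e.g. `boolean isMonitor = securityService.isLessonMonitor(lessonId, userId, "display lesson page", true);`; otherwise every learner opening the page may produce a TYPE_ROLE_FAILURE audit entry with an empty action, burying genuine authorization failures. Whether the implementation still special-cases a null action is not visible in this diff, so confirm against SecurityService.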
@@ -28,7 +28,6 @@
 import java.util.Set;
 import javax.servlet.ServletOutputStream;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
@@ -94,7 +93,7 @@
 @RequestMapping("/outcomeManage")
 public String outcomeManage(HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "import outcomes", true);
+ securityService.ensureSysadmin(user.getUserID(), "import outcomes");
 List outcomes = outcomeService.getOutcomes();
 request.setAttribute("outcomes", outcomes);
@@ -105,7 +104,7 @@
 public String outcomeEdit(@ModelAttribute OutcomeForm outcomeForm, HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "import outcomes", true);
+ securityService.ensureSysadmin(user.getUserID(), "import outcomes");
 Long outcomeId = WebUtil.readLongParam(request, "outcomeId", true);
 Outcome outcome = outcomeId == null ? null : (Outcome) userManagementService.findById(Outcome.class, outcomeId);
@@ -177,7 +176,7 @@
 @RequestMapping(path = "/outcomeRemove", method = RequestMethod.POST)
 public String outcomeRemove(HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "import outcomes", true);
+ securityService.ensureSysadmin(user.getUserID(), "import outcomes");
 Long outcomeId = WebUtil.readLongParam(request, "outcomeId", false);
 Outcome outcome = (Outcome) userManagementService.findById(Outcome.class, outcomeId);
@@ -330,7 +329,7 @@
 lessonId = lessonService.getLessonByToolContentId(outcomeMapping.getToolContentId()).getLessonId();
 }
 Integer userId = OutcomeController.getUserDTO().getUserID();
- securityService.isLessonMonitor(lessonId, userId, "set outcome result", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "set outcome result");
 OutcomeResult result = outcomeService.getOutcomeResult(userId, mappingId);
 if (result == null) {
@@ -380,7 +379,7 @@
 @RequestMapping("/outcomeExport")
 public void outcomeExport(HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "export outcomes", true);
+ securityService.ensureSysadmin(user.getUserID(), "export outcomes");
 List sheets = outcomeService.exportOutcomes();
@@ -402,7 +401,7 @@
 public String outcomeImport(@RequestParam("file") MultipartFile file, HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "import outcomes", true);
+ securityService.ensureSysadmin(user.getUserID(), "import outcomes");
 try {
 int importCount = outcomeService.importOutcomes(file);
@@ -550,7 +549,7 @@
 @RequestMapping("/scaleExport")
 public void scaleExport(HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "export outcome scales", true);
+ securityService.ensureSysadmin(user.getUserID(), "export outcome scales");
 List sheets = outcomeService.exportScales();
@@ -572,7 +571,7 @@
 public String scaleImport(@RequestParam("file") MultipartFile file, HttpServletRequest request, HttpServletResponse response) throws Exception {
 UserDTO user = OutcomeController.getUserDTO();
- securityService.isSysadmin(user.getUserID(), "import outcome scales", true);
+ securityService.ensureSysadmin(user.getUserID(), "import outcome scales");
 try {
 int importCount = outcomeService.importScales(file);
Index: lams_central/src/java/org/lamsfoundation/lams/webservice/UserRoleServlet.java
===================================================================
diff -u -ra4cac24066ba39701ad51a8dd4c512b6e4100873 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/webservice/UserRoleServlet.java (.../UserRoleServlet.java) (revision a4cac24066ba39701ad51a8dd4c512b6e4100873)
+++ lams_central/src/java/org/lamsfoundation/lams/webservice/UserRoleServlet.java (.../UserRoleServlet.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -69,7 +69,7 @@
 return;
 }
 ExtUserUseridMap sysadminUserMap = integrationService.getExtUserUseridMap(extServer, username);
- if (!securityService.isSysadmin(sysadminUserMap.getUser().getUserId(), "set user role", false)) {
+ if (!securityService.isSysadmin(sysadminUserMap.getUser().getUserId(), "set user role")) {
 log.error("Sysadmin role check failed while trying to set role for user: " + targetUsername);
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication failed, user is not sysadmin");
 return;
Index: lams_central/src/java/org/lamsfoundation/lams/webservice/xml/LessonManagerServlet.java
===================================================================
diff -u -rb89b4282be5db1310440d337d16c232e4e1a46d6 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_central/src/java/org/lamsfoundation/lams/webservice/xml/LessonManagerServlet.java (.../LessonManagerServlet.java) (revision b89b4282be5db1310440d337d16c232e4e1a46d6)
+++ lams_central/src/java/org/lamsfoundation/lams/webservice/xml/LessonManagerServlet.java (.../LessonManagerServlet.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -681,7 +681,7 @@
 // check is user monitor
 ExtUserUseridMap monitorMap = integrationService.getExtUserUseridMap(extServer, username);
- securityService.isLessonMonitor(lsId, monitorMap.getUser().getUserId(), "remove user", true);
+ securityService.ensureLessonMonitor(lsId, monitorMap.getUser().getUserId(), "remove user");
 // remove requested user
 String[] extUsernames = (userIds != null) ? userIds.split(",") : new String[0];
@@ -715,7 +715,7 @@
 // check is user monitor
 ExtUserUseridMap monitorMap = integrationService.getExtUserUseridMap(extServer, username);
- securityService.isLessonMonitor(lsId, monitorMap.getUser().getUserId(), "remove all users", true);
+ securityService.ensureLessonMonitor(lsId, monitorMap.getUser().getUserId(), "remove all users");
 // remove all users from the specified lesson
 Lesson lesson = lessonService.getLesson(lsId);
Index: lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java
===================================================================
diff -u -ra95da9a25304bdc449188c818764e1a40a982042 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision a95da9a25304bdc449188c818764e1a40a982042)
+++ lams_common/src/java/org/lamsfoundation/lams/security/ISecurityService.java (.../ISecurityService.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -29,43 +29,64 @@
 * Checks if the is a manager or monitor in the organisation. This is just a convenience method for hasOrgRole()
 * with MONITOR and GROUP_MANAGER.
 */
- boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean escalate) throws SecurityException;
+ boolean isGroupMonitor(Integer orgId, Integer userId, String action);
+ boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean skipLog);
+
+ boolean ensureGroupMonitor(Integer orgId, Integer userId, String action) throws SecurityException;
+
 /**
 * Checks if the user is a learner in the given lesson.
 */
- boolean isLessonLearner(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException;
+ boolean isLessonLearner(Long lessonId, Integer userId, String action);
+ boolean isLessonLearner(Long lessonId, Integer userId, String action, boolean skipLog);
+
+ boolean ensureLessonLearner(Long lessonId, Integer userId, String action) throws SecurityException;
+
 /**
 * Checks if the user is a monitor or owner of the given lesson, or a group manager of the organisation.
-
- * @param lessonId
- * @param userId
- * @param action describes action that was requested and is used for logging. If this value is null, no logging will be done.
- * @param escalate
 */
- boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException;
+ boolean isLessonMonitor(Long lessonId, Integer userId, String action);
+ boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean skipLog);
+
+ boolean ensureLessonMonitor(Long lessonId, Integer userId, String action) throws SecurityException;
+
 /**
 * Checks if the user is the owner of the given lesson.
*/
- boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean escalate) throws SecurityException;
+ boolean isLessonOwner(Long lessonId, Integer userId, String action);
+ boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean skipLog);
+
+ boolean ensureLessonOwner(Long lessonId, Integer userId, String action) throws SecurityException;
+
 /**
 * Checks if the user is either a learner or a staff member in the given lesson.
 */
- boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean escalate)
- throws SecurityException;
+ boolean isLessonParticipant(Long lessonId, Integer userId, String action);
+ boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean skipLog);
+
+ boolean ensureLessonParticipant(Long lessonId, Integer userId, String action) throws SecurityException;
+
 /**
 * Checks if the user has a global role of SYSADMIN.
 */
- boolean isSysadmin(Integer userId, String action, boolean escalate);
+ boolean isSysadmin(Integer userId, String action);
+ boolean isSysadmin(Integer userId, String action, boolean skipLog);
+
+ boolean ensureSysadmin(Integer userId, String action) throws SecurityException;
+
 /**
- * Checks if the user has any of the given roles in the given organisation. If GROUP_MANAGER and/or GROUP_ADMIN are
+ * Checks if the user has any of the given roles in the given organisation. If GROUP_MANAGER is
 * given for class type organisation, their parent organisations are checked.
*/
- boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean escalate)
- throws SecurityException;
+ boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action);
+
+ boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean skipLog);
+
+ boolean ensureOrgRole(Integer orgId, Integer userId, String[] roles, String action) throws SecurityException;
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java
===================================================================
diff -u -r351f9417a32d396911387eeef3117fd40be35b7c -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision 351f9417a32d396911387eeef3117fd40be35b7c)
+++ lams_common/src/java/org/lamsfoundation/lams/security/SecurityService.java (.../SecurityService.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -27,6 +27,7 @@
 import java.util.Arrays;
 import java.util.List;
+import org.apache.commons.lang.StringUtils;
 import org.apache.log4j.Logger;
 import org.lamsfoundation.lams.lesson.Lesson;
 import org.lamsfoundation.lams.logevent.LogEvent;
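Review bot: The new `skipLog` overloads and the `ensure*` methods in ISecurityService carry no Javadoc, and the hunk also removes the only `@param action` description that existed (on `isLessonMonitor`), so a caller cannot tell what `skipLog` suppresses or that `ensure*` signals failure by throwing rather than by returning false. Each `is*` pair should document the parameter, along the lines of `@param skipLog when true a failed check is not written to the log or audit trail; intended for checks that only drive UI display, not for authorization decisions`, and each `ensure*` should state `@throws SecurityException if the user does not hold the role` and what its boolean return means on success. The always-true return of `ensure*` is suggested by the SecurityService hunk that follows but that hunk is cut off in this view, so confirm it before documenting it.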
@@ -51,45 +52,38 @@ private ILogEventService logEventService; @Override - public boolean isLessonLearner(Long lessonId, Integer userId, String action, boolean escalate) + public boolean isLessonLearner(Long lessonId, Integer userId, String action) { + return isLessonLearner(lessonId, userId, action, false); + } + + @Override + public boolean isLessonLearner(Long lessonId, Integer userId, String action, boolean skipLog) { + return isLessonLearner(lessonId, userId, action, skipLog, false); + } + + @Override + public boolean ensureLessonLearner(Long lessonId, Integer userId, String action) { + return isLessonLearner(lessonId, userId, action, false, true); + } + + private boolean isLessonLearner(Long lessonId, Integer userId, String action, boolean skipLog, boolean escalate) throws SecurityException { if (lessonId == null) { String error = "Missing lesson ID when checking if user " + userId + " is learner and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (userId == null) { String error = "Missing user ID when checking if is learner in lesson " + lessonId + " and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); if (lesson == null) { String error = "Could not find lesson " + lessonId + " when checking if user " + userId + " is learner and can \"" + action + "\""; - SecurityService.log.error(error); - 
logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Organisation org = lesson.getOrganisation(); 
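Review bot: The lesson ID no longer reaches the structured role-failure event: the removed lines passed `lessonId` as the fourth argument of `logEventService.logEvent(...)`, while the replacement `processCheckFailure(userId, error, skipLog, escalate)` has no lesson parameter, so the LogEvent can only carry the lesson inside the free-text message. Giving the helper a `Long lessonId` parameter (passing `null` from the sysadmin and organisation checks) keeps that field populated; the isLessonMonitor, isLessonOwner and isLessonParticipant hunks have the same loss. The new public overloads and their interface declarations also carry no Javadoc for the new flag; a one-line `@param skipLog when true, a failed check is not logged, not written as a LogEvent and not audited` (the intended contract, judging by the helper) on each would spare callers a trip into the private method. The body of the private isLessonLearner continues past the end of this hunk.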
@@ -100,59 +94,45 @@ if (!hasSysadminRole && !(hasOrgRole && securityDAO.isLessonLearner(lessonId, userId))) { String error = "User " + userId + " is not learner in lesson " + lessonId + " and can not \"" + action + "\""; - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } return true; } @Override - public boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean escalate) + public boolean isLessonMonitor(Long lessonId, Integer userId, String action) { + return isLessonMonitor(lessonId, userId, action, false); + } + + @Override + public boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean skipLog) { + return isLessonMonitor(lessonId, userId, action, skipLog, false); + } + + @Override + public boolean ensureLessonMonitor(Long lessonId, Integer userId, String action) { + return isLessonMonitor(lessonId, userId, action, false, true); + } + + private boolean isLessonMonitor(Long lessonId, Integer userId, String action, boolean skipLog, boolean escalate) throws SecurityException { if (lessonId == null) { String error = "Missing lesson ID when checking if user " + userId + " is monitor and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (userId == null) { String error = "Missing user ID when checking if is monitor in lesson " + lessonId + " and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, 
userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); if (lesson == null) { String error = "Could not find lesson " + lessonId + " when checking if user " + userId + " is monitor and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Organisation org = lesson.getOrganisation(); 
@@ -165,118 +145,87 @@ if (!hasGroupManagerRole && !(hasMonitorRole && securityDAO.isLessonMonitor(lessonId, userId, true))) { String error = "User " + userId + " is not monitor in lesson " + lessonId + " and can not \"" + action + "\""; - //no logging needed, if action parameter is empty - if (action != null) { - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - } - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } return true; } @Override - public boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean escalate) + public boolean isLessonOwner(Long lessonId, Integer userId, String action) { + return isLessonOwner(lessonId, userId, action, false); + } + + @Override + public boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean skipLog) { + return isLessonOwner(lessonId, userId, action, skipLog, false); + } + + @Override + public boolean ensureLessonOwner(Long lessonId, Integer userId, String action) { + return isLessonOwner(lessonId, userId, action, false, true); + } + + private boolean isLessonOwner(Long lessonId, Integer userId, String action, boolean skipLog, boolean escalate) throws SecurityException { if (lessonId == null) { String error = "Missing lesson ID when checking if user " + userId + " is owner and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (userId == null) { String error = "Missing user ID when checking if is owner of lesson " + lessonId + " and can \"" + action + "\""; - 
SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); if (lesson == null) { String error = "Could not find lesson " + lessonId + " when checking if user " + userId + " is owner and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (!lesson.getUser().getUserId().equals(userId)) { String error = "User " + userId + " is not owner of lesson " + lessonId + " and can not \"" + action + "\""; - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } return true; } @Override - public boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean escalate) + public boolean isLessonParticipant(Long lessonId, Integer userId, String action) { + return isLessonParticipant(lessonId, userId, action, false); + } + + @Override + public boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean skipLog) { + return isLessonParticipant(lessonId, userId, action, skipLog, false); + } + + @Override + public boolean ensureLessonParticipant(Long lessonId, Integer userId, String action) { + return isLessonParticipant(lessonId, userId, action, false, true); + } + + 
private boolean isLessonParticipant(Long lessonId, Integer userId, String action, boolean skipLog, boolean escalate) throws SecurityException { if (lessonId == null) { String error = "Missing lesson ID when checking if user " + userId + " is participant and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (userId == null) { String error = "Missing user ID when checking if is participant in lesson " + lessonId + " and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Lesson lesson = (Lesson) securityDAO.find(Lesson.class, lessonId); if (lesson == null) { String error = "Could not find lesson " + lessonId + " when checking if user " + userId + " is participant and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } Organisation org = lesson.getOrganisation(); 
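Review bot: The removed `if (action != null)` guard around the logging in the isLessonMonitor failure branch is not carried over: `processCheckFailure` is now called unconditionally, and the `StringUtils.isNotBlank(error)` test the helper applies (in a later hunk) inspects the assembled message, which is never blank, so a caller that passed a null action to suppress logging now produces a warn line, a LogEvent and an audit entry reading `can not "null"`. If that suppression is still wanted, pass `skipLog || action == null` at this call site, or have the helper test `action` rather than `error`. I cannot see the isLessonMonitor call sites, so whether any still rely on a null action is an inference to confirm.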
@@ -290,72 +239,88 @@ || securityDAO.isLessonMonitor(lessonId, userId, true)))) { String error = "User " + userId + " is not participant in lesson " + lessonId + " and can not \"" + action + "\""; - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, lessonId, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } return true; } @Override - public boolean isSysadmin(Integer userId, String action, boolean escalate) { + public boolean isSysadmin(Integer userId, String action) { + return isSysadmin(userId, action, false); + } + + @Override + public boolean isSysadmin(Integer userId, String action, boolean skipLog) { + return isSysadmin(userId, action, skipLog, false); + } + + @Override + public boolean ensureSysadmin(Integer userId, String action) { + return isSysadmin(userId, action, false, true); + } + + private boolean isSysadmin(Integer userId, String action, boolean skipLog, boolean escalate) { if (userId == null) { String error = "Missing user ID when checking if is sysadmin and can \"" + action + "\""; - SecurityService.log.error(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error); - logAuditRoleFailure(userId, error); - throw new SecurityException(error); + return processCheckFailure(userId, error, skipLog, escalate); } if (!securityDAO.isSysadmin(userId)) { String error = "User " + userId + " is not sysadmin and can not \"" + action + "\""; - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error); - logAuditRoleFailure(userId, error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } return true; + } @Override - public boolean 
isGroupMonitor(Integer orgId, Integer userId, String action, boolean escalate) - throws SecurityException { - return hasOrgRole(orgId, userId, SecurityService.GROUP_MONITOR_ROLES, action, escalate); + public boolean isGroupMonitor(Integer orgId, Integer userId, String action) { + return isGroupMonitor(orgId, userId, action, false); } @Override - public boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean escalate) + public boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean skipLog) { + return isGroupMonitor(orgId, userId, action, skipLog, false); + } + + @Override + public boolean ensureGroupMonitor(Integer orgId, Integer userId, String action) { + return isGroupMonitor(orgId, userId, action, false, true); + } + + private boolean isGroupMonitor(Integer orgId, Integer userId, String action, boolean skipLog, boolean escalate) throws SecurityException { + return hasOrgRole(orgId, userId, SecurityService.GROUP_MONITOR_ROLES, action, skipLog, escalate); + } + + @Override + public boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action) { + return hasOrgRole(orgId, userId, roles, action, false); + } + + @Override + public boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean skipLog) { + return hasOrgRole(orgId, userId, roles, action, skipLog, false); + } + + @Override + public boolean ensureOrgRole(Integer orgId, Integer userId, String[] roles, String action) { + return hasOrgRole(orgId, userId, roles, action, false, true); + } + + private boolean hasOrgRole(Integer orgId, Integer userId, String[] roles, String action, boolean skipLog, + boolean escalate) throws SecurityException { if (orgId == null) { String error = "Missing organisation ID when checking if user " + userId + " has any of " + Arrays.toString(roles) + " roles in organisation " + orgId + " and can \"" + action + "\""; - SecurityService.log.error(error); - if (escalate) { - throw new 
SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } if (userId == null) { String error = "Missing user ID when checking if has any of " + Arrays.toString(roles) + " roles in organisation " + orgId + " and can \"" + action + "\""; - SecurityService.log.error(error); - if (escalate) { - throw new SecurityException(error); - } else { - return false; - } + return processCheckFailure(userId, error, skipLog, escalate); } try { 
@@ -382,22 +347,28 @@ String error = "User " + userId + " does not have any of " + Arrays.toString(roles) + " roles in organisation " + orgId + " and can not \"" + action + "\""; - SecurityService.log.debug(error); - logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error); - logAuditRoleFailure(userId, error); + return processCheckFailure(userId, error, skipLog, escalate); + } + + private boolean processCheckFailure(Integer userId, String error, boolean skipLog, boolean escalate) { + // always log if an exception is going to be thrown + skipLog |= escalate; + skipLog &= StringUtils.isNotBlank(error); + + if (!skipLog) { + SecurityService.log.warn(error); + logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error); + + User user = (User) securityDAO.find(User.class, userId); + AuditLogFilter.log(user.getUserDTO(), AuditLogFilter.ROLE_CHECK_ACTION, + "failed role check with message: " + error); + } if (escalate) { throw new SecurityException(error); - } else { - return false; } + return false; } - private void logAuditRoleFailure(Integer userId, String message) { - User user = (User) securityDAO.find(User.class, userId); - AuditLogFilter.log(user.getUserDTO(), AuditLogFilter.ROLE_CHECK_ACTION, - "failed role check with message: " + message); - } - public void setSecurityDAO(ISecurityDAO securityDAO) { this.securityDAO = securityDAO; } Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookController.java =================================================================== diff -u -r965cb99dc76cd2c6cecce276ef9e004a2384c3fd -rf3e44aee5373a1233080ea5acd1cb5959bb46544 --- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookController.java (.../GradebookController.java) (revision 965cb99dc76cd2c6cecce276ef9e004a2384c3fd) +++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookController.java 
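Review bot: The two flag adjustments at the top of `processCheckFailure` invert the intent stated in the comment above them: `skipLog |= escalate` sets skipLog whenever an exception is about to be thrown, so every ensureXxx() refusal (escalate=true) is neither logged, recorded as a LogEvent nor audited, and `skipLog &= StringUtils.isNotBlank(error)` forces logging only when the message is blank. The corrected form is `skipLog = (skipLog && !escalate) || StringUtils.isBlank(error);`. Separately, the "missing user ID" branches of hasOrgRole now reach this helper with `userId == null`, where the old hasOrgRole only called `log.error`; the helper does `securityDAO.find(User.class, userId)` and dereferences the result, which looks like an NPE if the DAO returns null for a null key, so the lookup needs a guard before `AuditLogFilter.log` (or pass a null DTO if that method tolerates one — I cannot see it).
```java
private boolean processCheckFailure(Integer userId, String error, boolean skipLog, boolean escalate) {
    // always log if an exception is going to be thrown; never log a blank message
    boolean shouldLog = (!skipLog || escalate) && StringUtils.isNotBlank(error);
    if (shouldLog) {
        SecurityService.log.warn(error);
        logEventService.logEvent(LogEvent.TYPE_ROLE_FAILURE, userId, userId, null, null, error);

        // a null user ID is a caller bug, not a role failure; do not let the audit entry NPE
        User user = userId == null ? null : (User) securityDAO.find(User.class, userId);
        if (user != null) {
            AuditLogFilter.log(user.getUserDTO(), AuditLogFilter.ROLE_CHECK_ACTION,
                    "failed role check with message: " + error);
        }
    }
    // … unchanged: escalate → throw SecurityException, otherwise return false …
}
```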
(.../GradebookController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544) @@ -118,8 +118,7 @@ GBGridView view = GradebookUtil.readGBGridViewParam(request, GradebookConstants.PARAM_VIEW, false); Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonParticipant(lessonID, getUser().getUserID(), "get activity gradebook data", - false)) { + if (!securityService.isLessonParticipant(lessonID, getUser().getUserID(), "get activity gradebook data")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the lesson"); return null; } @@ -166,8 +165,7 @@ Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); Long activityID = WebUtil.readLongParam(request, AttributeNames.PARAM_ACTIVITY_ID); - if (!securityService.isLessonParticipant(lessonID, getUser().getUserID(), "get activity archive gradebook data", - false)) { + if (!securityService.isLessonParticipant(lessonID, getUser().getUserID(), "get activity archive gradebook data")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the lesson"); return null; } @@ -207,7 +205,7 @@ Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); UserDTO currentUserDTO = getUser(); Integer userId = currentUserDTO.getUserID(); - if (!securityService.isLessonParticipant(lessonId, userId, "get lesson complete gradebook data", false)) { + if (!securityService.isLessonParticipant(lessonId, userId, "get lesson complete gradebook data")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the lesson"); } 
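Review bot: In the `@@ -207` hunk the `isLessonParticipant` failure branch calls `response.sendError(...)` and the `if` block closes without a `return`, unlike the two hunks above it which `return null`; the method body continues past the hunk, so unless a return follows, the handler keeps executing for a user who was just sent a 403. The same shape appears in GradebookMonitoringController (`@@ -167`, `@@ -198`, `@@ -262`, `@@ -368`, `@@ -403`, `@@ -437`, `@@ -473`) and in KumaliveController `@@ -256`, where a preceding `sendError` visibly falls through into the next role check; for the update handlers, judging by their names, any side effects after the check would still run. Where the enclosing method is void, `return;` directly after `sendError` is the minimal fix; otherwise the new `ensureLessonParticipant` / `ensureLessonMonitor` from this commit make the fall-through impossible. This is pre-existing code rather than something the commit introduces, but the commit touches every one of these lines.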
@@ -316,7 +314,7 @@ int totalUsers = 0; // if leesonID is specified show results based on lesson if (lessonID != null) { - if (!securityService.isLessonMonitor(lessonID, user.getUserID(), "get gradebook", false)) { + if (!securityService.isLessonMonitor(lessonID, user.getUserID(), "get gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); return null; } @@ -370,7 +368,7 @@ // 2nd table of gradebook course monitor // if organisationID is specified (but not lessonID) then show results for organisation } else if (organisationID != null) { - if (!securityService.isGroupMonitor(organisationID, user.getUserID(), "get gradebook", false)) { + if (!securityService.isGroupMonitor(organisationID, user.getUserID(), "get gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); return null; } @@ -454,7 +452,7 @@ //permission check if (view == GBGridView.MON_USER) { - if (!securityService.isGroupMonitor(courseID, viewer.getUserId(), "get course gradebook", false)) { + if (!securityService.isGroupMonitor(courseID, viewer.getUserId(), "get course gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); return null; } 
@@ -466,15 +464,15 @@ organisation.getParentOrganisation()); } if (!isGroupManager && !securityService.hasOrgRole(courseID, viewer.getUserId(), - new String[] { Role.MONITOR }, "get course gradebook", false)) { + new String[] { Role.MONITOR }, "get course gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a group manager or monitor in the organisation"); return null; } } else if (view == GBGridView.LRN_COURSE) { if (!securityService.hasOrgRole(courseID, viewer.getUserId(), new String[] { Role.LEARNER }, - "get course gradebook for learner", false)) { + "get course gradebook for learner")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a learner in the organisation"); return null; } @@ -517,12 +515,12 @@ Integer userID = WebUtil.readIntParam(request, GradebookConstants.PARAM_USERID); if (getUser().getUserID().equals(userID)) { - if (!securityService.isLessonParticipant(lessonID, userID, "get lesson mark aggregate", false)) { + if (!securityService.isLessonParticipant(lessonID, userID, "get lesson mark aggregate")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the lesson"); return null; } } else { - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "get lesson mark aggregate", false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "get lesson mark aggregate")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); return null; } @@ -573,7 +571,7 @@ } Integer userID = getUser().getUserID(); for (Lesson lesson : activity.getLearningDesign().getLessons()) { - if (!securityService.isLessonMonitor(lesson.getLessonId(), userID, "get activity mark average", false)) { + if (!securityService.isLessonMonitor(lesson.getLessonId(), userID, "get activity mark average")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); return null; } 
@@ -596,7 +594,7 @@ @ResponseBody public String getAverageMarkForLesson(HttpServletRequest request, HttpServletResponse response) throws Exception { Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "get lesson mark average", false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "get lesson mark average")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); return null; } Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookLearningController.java =================================================================== diff -u -rca79baf0ed380e5f7892841f7088325ea9664f35 -rf3e44aee5373a1233080ea5acd1cb5959bb46544 --- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookLearningController.java (.../GradebookLearningController.java) (revision ca79baf0ed380e5f7892841f7088325ea9664f35) +++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookLearningController.java (.../GradebookLearningController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544) 
@@ -71,8 +71,7 @@ return "error"; } if (!securityService.hasOrgRole(oranisationID, user.getUserID(), - new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "get course gradebook for learner", - false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "get course gradebook for learner")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation"); return null; } Index: lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookMonitoringController.java =================================================================== diff -u -r53b1f5c6dcfb9e0d74e56c9647da69f07b889a55 -rf3e44aee5373a1233080ea5acd1cb5959bb46544 --- lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookMonitoringController.java (.../GradebookMonitoringController.java) (revision 53b1f5c6dcfb9e0d74e56c9647da69f07b889a55) +++ lams_gradebook/src/java/org/lamsfoundation/lams/gradebook/web/controller/GradebookMonitoringController.java (.../GradebookMonitoringController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544) @@ -35,7 +35,6 @@ import java.util.Set; import javax.servlet.ServletOutputStream; -import javax.servlet.http.Cookie; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; @@ -116,7 +115,7 @@ log.error("User missing from session. "); return "error"; } - if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "get lesson gradebook", false)) { + if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "get lesson gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); return null; } 
@@ -148,7 +147,7 @@ return "error"; } if (!securityService.hasOrgRole(organisationID, user.getUserID(), - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "get course gradebook page", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "get course gradebook page")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a course manager in the organisation"); return null; } @@ -167,7 +166,7 @@ public void updateUserLessonGradebookData(HttpServletRequest request, HttpServletResponse response) throws IOException { Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "update lesson gradebook", false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "update lesson gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); } @@ -198,7 +197,7 @@ public void updateUserActivityGradebookData(HttpServletRequest request, HttpServletResponse response) throws IOException { Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "update activity gradebook", false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "update activity gradebook")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); } @@ -262,7 +261,7 @@ @RequestMapping(path = "/toggleReleaseMarks", method = RequestMethod.POST) @ResponseBody public String toggleReleaseMarks(@RequestParam long lessonID, HttpServletResponse response) throws IOException { - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "toggle release marks", false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "toggle release marks")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); } 
@@ -368,8 +367,7 @@ public void exportExcelLessonGradebook(HttpServletRequest request, HttpServletResponse response) throws IOException { Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "export lesson gradebook spreadsheet", - false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "export lesson gradebook spreadsheet")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); } @@ -403,7 +401,7 @@ Integer organisationID = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID); UserDTO user = getUser(); if (!securityService.hasOrgRole(organisationID, user.getUserID(), new String[] { Role.GROUP_MANAGER }, - "get course gradebook spreadsheet", false)) { + "get course gradebook spreadsheet")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); } @@ -437,7 +435,7 @@ Integer organisationID = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID); UserDTO user = getUser(); if (!securityService.isGroupMonitor(organisationID, user.getUserID(), - "export selected lessons gradebook spreadsheet", false)) { + "export selected lessons gradebook spreadsheet")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation"); } 
@@ -473,8 +471,7 @@ @ResponseBody public String getMarkChartData(HttpServletRequest request, HttpServletResponse response) throws IOException { Long lessonID = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID); - if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "export lesson gradebook spreadsheet", - false)) { + if (!securityService.isLessonMonitor(lessonID, getUser().getUserID(), "export lesson gradebook spreadsheet")) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson"); } Index: lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveController.java =================================================================== diff -u -r53b1f5c6dcfb9e0d74e56c9647da69f07b889a55 -rf3e44aee5373a1233080ea5acd1cb5959bb46544 --- lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveController.java (.../KumaliveController.java) (revision 53b1f5c6dcfb9e0d74e56c9647da69f07b889a55) +++ lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveController.java (.../KumaliveController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544) @@ -64,7 +64,7 @@ return null; } if (!securityService.hasOrgRole(organisationId, currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get rubrics", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get rubrics")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisationId; log.warn(warning); response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); 
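Review bot: `log.warn(warning)` in the KumaliveController `@@ -64` hunk now duplicates the warning that `processCheckFailure` in SecurityService emits for the same failed `hasOrgRole` check (the helper logs at warn level and also writes a LogEvent and an audit entry), so each refusal appears twice in the log with slightly different wording. Either drop the controller-side `log.warn` and keep only the `sendError`, or, if the controller's message is the one wanted, call the four-argument `hasOrgRole(..., true)` so the service skips its own logging while the audit trail is still written by the controller's own path. The same pattern repeats in every other KumaliveController and KumaliveWebsocketServer hunk below.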
@@ -93,7 +93,7 @@ return null; } if (!securityService.hasOrgRole(organisationId, currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisationId; log.warn(warning); response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); @@ -117,7 +117,7 @@ return null; } if (!securityService.hasOrgRole(organisationId, currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report organisation data", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report organisation data")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisationId; log.warn(warning); response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); @@ -151,7 +151,7 @@ return null; } if (!securityService.hasOrgRole(organisation.getOrganisationId(), currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report kumalive rubrics", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report kumalive rubrics")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisation.getOrganisationId(); log.warn(warning); @@ -185,7 +185,7 @@ return null; } if (!securityService.hasOrgRole(organisation.getOrganisationId(), currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report kumalive data", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report kumalive data")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisation.getOrganisationId(); log.warn(warning); 
@@ -217,7 +217,7 @@ return null; } if (!securityService.hasOrgRole(organisation.getOrganisationId(), currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report user data", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive get report user data")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisation.getOrganisationId(); log.warn(warning); @@ -256,7 +256,7 @@ response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); } if (!securityService.hasOrgRole(organisationId, currentUserId, - new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive export", false)) { + new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive export")) { String warning = "User " + currentUserId + " is not a monitor of organisation " + organisationId; log.warn(warning); response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); @@ -291,7 +291,7 @@ response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); } if (!securityService.hasOrgRole(organisationId, userId, new String[] { Role.GROUP_MANAGER, Role.MONITOR }, - "kumalive get rubrics", false)) { + "kumalive get rubrics")) { String warning = "User " + userId + " is not a monitor of organisation " + organisationId; log.warn(warning); response.sendError(HttpServletResponse.SC_FORBIDDEN, warning); Index: lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveWebsocketServer.java =================================================================== diff -u -rcd4af70336301a4c551cf28afbfc5534e3e6e7c9 -rf3e44aee5373a1233080ea5acd1cb5959bb46544 --- lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveWebsocketServer.java (.../KumaliveWebsocketServer.java) (revision cd4af70336301a4c551cf28afbfc5534e3e6e7c9) +++ lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/KumaliveWebsocketServer.java (.../KumaliveWebsocketServer.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544) 
@@ -134,7 +134,7 @@
 .valueOf(websocket.getRequestParameterMap().get(AttributeNames.PARAM_ORGANISATION_ID).get(0));
 Integer userId = getUser(websocket).getUserId();
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "register on kumalive", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "register on kumalive")) {
 // prevent unauthorised user from accessing Kumalive
 String warning = "User " + userId + " is not a monitor nor a learner of organisation " + organisationId;
 logger.warn(warning);
@@ -178,10 +178,7 @@
 logger.warn("Kumalives are disabled");
 return;
 }
- if (StringUtils.isBlank(input)) {
- return;
- }
- if (input.equalsIgnoreCase("ping")) {
+ if (StringUtils.isBlank(input) || input.equalsIgnoreCase("ping")) {
 // just a ping every few minutes
 return;
 }
@@ -469,7 +466,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive raise hand prompt", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive raise hand prompt")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -494,7 +491,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive down hand prompt", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive down hand prompt")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -520,7 +517,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "kumalive raise hand", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "kumalive raise hand")) {
 String warning = "User " + userId + " is not a monitor nor a learner of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -556,7 +553,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "kumalive down hand", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.LEARNER }, "kumalive down hand")) {
 String warning = "User " + userId + " is not a monitor nor a learner of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -587,7 +584,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive speak", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive speak")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -609,7 +606,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive score", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive score")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -640,7 +637,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -677,7 +674,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.LEARNER }, "kumalive poll vote", false)) {
+ new String[] { Role.LEARNER }, "kumalive poll vote")) {
 String warning = "User " + userId + " is not a learner of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -719,7 +716,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll release results", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll release results")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -753,7 +750,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
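Review bot: The action label passed to `hasOrgRole` in the @@ -753 hunk here and the @@ -780 hunk on the next line is `"kumalive poll start"`, the same string the @@ -640 hunk uses, while every other call site in this file names its own action; these two read as copy-paste. The removed `false` argument and the `ensure*`/`is*` split suggest the label is what the security service records when it logs a denial, so a monitor-role failure in these two handlers would be attributed to poll start in the logs. Unless these really are poll-start code paths (their method signatures are outside the hunks), the label should name the actual action of each handler, in the style of the other labels here.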
@@ -780,7 +777,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive poll start")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
@@ -806,7 +803,7 @@
 Integer userId = user.getUserId();
 
 if (!KumaliveWebsocketServer.getSecurityService().hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive finish", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR }, "kumalive finish")) {
 String warning = "User " + userId + " is not a monitor of organisation " + organisationId;
 logger.warn(warning);
 return;
Index: lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/service/KumaliveService.java
===================================================================
diff -u -ra5b247dd91cb3ffabf9de46cba029e5537fad087 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/service/KumaliveService.java (.../KumaliveService.java) (revision a5b247dd91cb3ffabf9de46cba029e5537fad087)
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/kumalive/service/KumaliveService.java (.../KumaliveService.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -57,7 +57,6 @@
 import org.lamsfoundation.lams.util.CommonConstants;
 import org.lamsfoundation.lams.util.FileUtil;
 import org.lamsfoundation.lams.util.MessageService;
-import org.lamsfoundation.lams.util.excel.ExcelCell;
 import org.lamsfoundation.lams.util.excel.ExcelRow;
 import org.lamsfoundation.lams.util.excel.ExcelSheet;
 
@@ -82,7 +81,7 @@
 
 @Override
 public Kumalive getKumalive(Long id) {
- return (Kumalive) kumaliveDAO.find(Kumalive.class, id);
+ return kumaliveDAO.find(Kumalive.class, id);
 }
 
 @Override
@@ -97,7 +96,7 @@
 public Kumalive startKumalive(Integer organisationId, Integer userId, String name, ArrayNode rubricsJSON,
 boolean isTeacher) {
 if (isTeacher) {
- securityService.isGroupMonitor(organisationId, userId, "start kumalive", true);
+ securityService.ensureGroupMonitor(organisationId, userId, "start kumalive");
 }
 Kumalive kumalive = getKumaliveByOrganisation(organisationId);
 if (kumalive == null) {
@@ -108,8 +107,8 @@
 return kumalive;
 }
 
- Organisation organisation = (Organisation) kumaliveDAO.find(Organisation.class, organisationId);
- User createdBy = (User) kumaliveDAO.find(User.class, userId);
+ Organisation organisation = kumaliveDAO.find(Organisation.class, organisationId);
+ User createdBy = kumaliveDAO.find(User.class, userId);
 kumalive = new Kumalive(organisation, createdBy, name);
 kumaliveDAO.insert(kumalive);
 
@@ -141,7 +140,7 @@
 */
 @Override
 public void finishKumalive(Long id) {
- Kumalive kumalive = (Kumalive) kumaliveDAO.find(Kumalive.class, id);
+ Kumalive kumalive = kumaliveDAO.find(Kumalive.class, id);
 kumalive.setFinished(true);
 kumaliveDAO.update(kumalive);
 }
@@ -151,8 +150,8 @@
 */
 @Override
 public void scoreKumalive(Long rubricId, Integer userId, Long batch, Short score) {
- KumaliveRubric rubric = (KumaliveRubric) kumaliveDAO.find(KumaliveRubric.class, rubricId);
- User user = (User) kumaliveDAO.find(User.class, userId);
+ KumaliveRubric rubric = kumaliveDAO.find(KumaliveRubric.class, rubricId);
+ User user = kumaliveDAO.find(User.class, userId);
 KumaliveScore kumaliveScore = new KumaliveScore(rubric, user, batch, score);
 kumaliveDAO.insert(kumaliveScore);
 }
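Review bot: In the @@ -97 hunk `ensureGroupMonitor` runs only when the caller passes `isTeacher = true`, so the service trusts a caller-supplied flag to decide whether authorization is enforced at all; a caller passing `false` proceeds to `getKumaliveByOrganisation` and, unless the lines between this hunk and the @@ -108 hunk bail out for non-teachers, reaches the creation path where `new Kumalive(organisation, createdBy, name)` is inserted with the unchecked `userId` as creator. The lines between the two hunks are not visible, so this may already be handled; if it is not, the creation branch should be guarded independently of the flag, e.g. `securityService.ensureGroupMonitor(organisationId, userId, "start kumalive");` immediately before `Organisation organisation = kumaliveDAO.find(...)`. The `ensure` name and the removed `true` argument suggest the method throws on failure; that contract is not visible here and is worth confirming for the websocket callers.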
@@ -164,7 +163,7 @@
 
 @Override
 public void saveRubrics(Integer organisationId, ArrayNode rubricsJSON) {
- Organisation organisation = (Organisation) kumaliveDAO.find(Organisation.class, organisationId);
+ Organisation organisation = kumaliveDAO.find(Organisation.class, organisationId);
 kumaliveDAO.deleteByProperty(KumaliveRubric.class, "organisation", organisation);
 for (Short rubricIndex = 0; rubricIndex < rubricsJSON.size(); rubricIndex++) {
 String name = rubricsJSON.get(rubricIndex.intValue()).asText();
@@ -237,7 +236,7 @@
 @Override
 public ObjectNode getReportKumaliveData(Long kumaliveId, boolean isAscending) {
 Kumalive kumalive = getKumalive(kumaliveId);
- List rubrics = new LinkedList();
+ List rubrics = new LinkedList<>();
 for (KumaliveRubric rubric : kumalive.getRubrics()) {
 rubrics.add(rubric.getRubricId());
 }
@@ -291,7 +290,7 @@
 @Override
 public ObjectNode getReportUserData(Long kumaliveId, Integer userId) {
 Kumalive kumalive = getKumalive(kumaliveId);
- List rubrics = new LinkedList();
+ List rubrics = new LinkedList<>();
 for (KumaliveRubric rubric : kumalive.getRubrics()) {
 rubrics.add(rubric.getRubricId());
 }
@@ -381,8 +380,7 @@
 // mapping user (sorted by name) -> batch (i.e. question ID) -> rubric -> score
 TreeMap>> scores = kumaliveDAO
 .findKumaliveScore(kumalive.getKumaliveId(), true).stream()
- .collect(Collectors.groupingBy(KumaliveScore::getUser,
- () -> new TreeMap>>(USER_COMPARATOR),
+ .collect(Collectors.groupingBy(KumaliveScore::getUser, () -> new TreeMap<>(USER_COMPARATOR),
 Collectors.groupingBy(KumaliveScore::getBatch, TreeMap::new, Collectors
 .toMap(score -> score.getRubric().getRubricId(), KumaliveScore::getScore))));
 
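Review bot: `List rubrics = new LinkedList<>();` in the @@ -237 and @@ -291 hunks adds the diamond but leaves the declaration raw, so the unchecked-conversion warning this commit is cleaning up elsewhere (the removed casts, the `HashMap<>` changes) remains and `rubrics.add(rubric.getRubricId())` stays untyped. Given that `scoreKumalive` in this file looks a rubric up with a `Long rubricId`, the element type is presumably `Long`, so `List<Long> rubrics = new ArrayList<>();` would type it; `ArrayList` is the usual choice when a list is only appended to and then read. Both enclosing methods continue outside their hunks.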
@@ -461,12 +459,12 @@
 // populate data for learners sheet
 Map> learnerSummary = learnerSummaries.get(learner);
 if (learnerSummary == null) {
- learnerSummary = new HashMap>();
+ learnerSummary = new HashMap<>();
 learnerSummaries.put(learner, learnerSummary);
 }
 Map learnerKumaliveSummary = learnerSummary.get(kumalive.getName());
 if (learnerKumaliveSummary == null) {
- learnerKumaliveSummary = new HashMap();
+ learnerKumaliveSummary = new HashMap<>();
 learnerSummary.put(kumalive.getName(), learnerKumaliveSummary);
 }
 learnerKumaliveSummary.put(rubricIds[rubricIndex], average);
@@ -493,7 +491,7 @@
 kumaliveNameRow.addCell(kumalive.getName(), true, 1);
 kumaliveNameRow.addEmptyCells(kumalive.getRubrics().size() - 1);
 }
-
+
 ExcelRow userHeaderRow = sheet.initRow();
 userHeaderRow.addCell(messageService.getMessage("label.kumalive.report.last.name"), true);
 userHeaderRow.addCell(messageService.getMessage("label.kumalive.report.first.name"), true);
@@ -513,18 +511,19 @@
 userRow.addCell(learner.getFirstName(), false);
 userRow.addCell(learner.getLastName(), false);
 userRow.addCell(learner.getLogin(), false);
-
+
 for (Kumalive kumalive : kumalives) {
 Map learnerKumaliveSummary = learnerSummary.getValue().get(kumalive.getName());
 boolean border = true;
 for (KumaliveRubric rubric : kumalive.getRubrics()) {
- Double average = learnerKumaliveSummary == null ? null : learnerKumaliveSummary.get(rubric.getRubricId());
+ Double average = learnerKumaliveSummary == null ? null
+ : learnerKumaliveSummary.get(rubric.getRubricId());
 border = false;
 if (average != null) {
 userRow.addCell(average, false, border ? 1 : 0);
 } else {
 userRow.addEmptyCell();
- }
+ }
 }
 }
 }
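Review bot: In the @@ -513 hunk `border = false;` executes before the only use of `border` (`userRow.addCell(average, false, border ? 1 : 0)`), so the ternary is always 0 and the `boolean border = true;` initialisation above the inner loop is dead; presumably the first rubric column of each kumalive was meant to carry the border, mirroring `kumaliveNameRow.addCell(kumalive.getName(), true, 1)` in the @@ -493 hunk. Moving `border = false;` to after the `if`/`else` restores that. The defect predates this commit, but the commit reformats the adjacent `Double average` line, so fixing it here is cheap.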
@@ -571,7 +570,7 @@
 */
 @Override
 public void saveVote(Long answerId, Integer userId) {
- KumalivePollAnswer answer = (KumalivePollAnswer) kumaliveDAO.find(KumalivePollAnswer.class, answerId);
+ KumalivePollAnswer answer = kumaliveDAO.find(KumalivePollAnswer.class, answerId);
 if (answer.getVotes().containsKey(userId)) {
 logger.warn("Learner " + userId + " tried to vote for answer ID " + answerId + " but he already voted");
 return;
@@ -589,7 +588,7 @@
 */
 @Override
 public void releasePollResults(Long pollId, boolean votesReleased, boolean votersReleased) {
- KumalivePoll poll = (KumalivePoll) kumaliveDAO.find(KumalivePoll.class, pollId);
+ KumalivePoll poll = kumaliveDAO.find(KumalivePoll.class, pollId);
 poll.setVotesReleased(votesReleased || votersReleased);
 poll.setVotersReleased(votersReleased);
 kumaliveDAO.update(poll);
@@ -600,7 +599,7 @@
 */
 @Override
 public void finishPoll(Long pollId) {
- KumalivePoll poll = (KumalivePoll) kumaliveDAO.find(KumalivePoll.class, pollId);
+ KumalivePoll poll = kumaliveDAO.find(KumalivePoll.class, pollId);
 if (poll.getFinishDate() != null) {
 logger.warn("Trying to finish poll " + pollId + " which is already finished");
 return;
Index: lams_learning/src/java/org/lamsfoundation/lams/learning/presence/PresenceWebsocketServer.java
===================================================================
diff -u -rcd4af70336301a4c551cf28afbfc5534e3e6e7c9 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_learning/src/java/org/lamsfoundation/lams/learning/presence/PresenceWebsocketServer.java (.../PresenceWebsocketServer.java) (revision cd4af70336301a4c551cf28afbfc5534e3e6e7c9)
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/presence/PresenceWebsocketServer.java (.../PresenceWebsocketServer.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -238,8 +238,8 @@
 websocket.getUserProperties().put(PARAM_NICKNAME, nickname);
 websocket.getUserProperties().put(AttributeNames.PARAM_LESSON_ID, lessonId);
 
- PresenceWebsocketServer.getSecurityService().isLessonParticipant(lessonId, user.getUserId(), "join lesson chat",
- true);
+ PresenceWebsocketServer.getSecurityService().ensureLessonParticipant(lessonId, user.getUserId(),
+ "join lesson chat");
 
 Set lessonWebsockets = PresenceWebsocketServer.websockets.get(lessonId);
 if (lessonWebsockets == null) {
@@ -301,10 +301,7 @@
 */
 @OnMessage
 public void receiveRequest(String input, Session websocket) throws IOException {
- if (StringUtils.isBlank(input)) {
- return;
- }
- if (input.equalsIgnoreCase("ping")) {
+ if (StringUtils.isBlank(input) || input.equalsIgnoreCase("ping")) {
 // just a ping every few minutes
 return;
 }
Index: lams_learning/src/java/org/lamsfoundation/lams/learning/web/controller/NotebookController.java
===================================================================
diff -u -r9c090b4d913dd7feae46711e898babbef79427e9 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_learning/src/java/org/lamsfoundation/lams/learning/web/controller/NotebookController.java (.../NotebookController.java) (revision 9c090b4d913dd7feae46711e898babbef79427e9)
+++ lams_learning/src/java/org/lamsfoundation/lams/learning/web/controller/NotebookController.java (.../NotebookController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -96,7 +96,7 @@
 Long lessonID = notebookForm.getLessonID();
 Lesson lesson = learnerService.getLesson(lessonID);
 
- if (!securityService.isLessonMonitor(lessonID, userID, "view all journals", false)) {
+ if (!securityService.isLessonMonitor(lessonID, userID, "view all journals")) {
 throw new UserAccessDeniedException(
 "User " + userID + " may not retrieve journal entries for lesson " + lessonID);
 }
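Review bot: In the @@ -238 hunk the new `ensureLessonParticipant` call comes after `websocket.getUserProperties()` has already been populated with `PARAM_NICKNAME` and `PARAM_LESSON_ID`, so if the check throws (which the `ensure` name and the removed `true` argument suggest) the rejected session already carries lesson-scoped state and the code is relying on whatever handles the exception to close it. Moving the `PresenceWebsocketServer.getSecurityService().ensureLessonParticipant(lessonId, user.getUserId(), "join lesson chat");` line above the two `put` calls means an unauthorised session is never tagged with a lesson, at no cost to the authorised path. The enclosing method starts outside the hunk.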
@@ -129,7 +129,7 @@
 
 if (entry.getUser() != null && !entry.getUser().getUserId().equals(user.getUserId())) {
 // wants to look at someone else's entry - check they are a teacher
- if (!securityService.isLessonMonitor(currentLessonID, userID, "view notebook entry", false)) {
+ if (!securityService.isLessonMonitor(currentLessonID, userID, "view notebook entry")) {
 throw new UserAccessDeniedException(
 "User " + userID + " may not retrieve journal entries for lesson " + currentLessonID);
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java
===================================================================
diff -u -r1213a02c3a110a9e55863857574a7703263c6d5f -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java (.../MonitoringService.java) (revision 1213a02c3a110a9e55863857574a7703263c6d5f)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/service/MonitoringService.java (.../MonitoringService.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -368,7 +368,7 @@
 Boolean allowLearnerRestart, Boolean gradebookOnComplete, Integer scheduledNumberDaysToLessonFinish,
 Long precedingLessonId) {
 
- securityService.isGroupMonitor(organisationId, userID, "intializeLesson", true);
+ securityService.ensureGroupMonitor(organisationId, userID, "intializeLesson");
 
 LearningDesign originalLearningDesign = learningDesignDAO.getLearningDesignById(new Long(learningDesignId));
 if (originalLearningDesign == null) {
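Review bot: The context line `learningDesignDAO.getLearningDesignById(new Long(learningDesignId))` in the @@ -368 hunk, and the `lessonDAO.getLesson(new Long(lessonId))` lines in the @@ -504, -572, -660, -703, -957, -976, -985, -1008, -1130, -1227, -1236 and -1245 hunks on the following lines, use the deprecated `Long` constructor, while the @@ -1303 hunk already writes `Long.valueOf(lessonId)` and @@ -1145 passes the primitive directly, so the file is inconsistent. Since this commit already touches the first statement of each of these methods, replacing `new Long(x)` with `Long.valueOf(x)` on the adjacent line is cheap. The audit label `"intializeLesson"` in the same hunk is also misspelled and is the only camelCase label among the otherwise space-separated ones in this file.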
@@ -477,15 +477,15 @@
 
 // if lesson isn't started recreate the lesson class
 if (newLesson.isLessonStarted()) {
- securityService.isLessonMonitor(lessonId, userId, "create class for lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "create class for lesson");
 lessonService.updateLearners(newLesson, organizationUsers);
 lessonService.updateStaffMembers(newLesson, staffs);
 } else {
 if (organisation != null) {
 // security check needs organisation to be set
 // it is not set for lesson preview, so it still needs improvement
 newLesson.setOrganisation(organisation);
- securityService.isLessonMonitor(lessonId, userId, "create class for lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "create class for lesson");
 }
 
 LessonClass oldLessonClass = newLesson.getLessonClass();
@@ -504,7 +504,7 @@
 
 @Override
 public void startLessonOnSchedule(long lessonId, Date startDate, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "start lesson on schedule", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "start lesson on schedule");
 
 // we get the lesson just created
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
@@ -572,7 +572,7 @@
 
 @Override
 public void finishLessonOnSchedule(long lessonId, Date userEnteredEndDate, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "finish lesson on schedule", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "finish lesson on schedule");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 if (requestedLesson == null) {
 String error = "Unable to schedule lesson end as lesson is missing. Lesson Id " + lessonId;
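Review bot: In the `else` branch of the @@ -477 hunk, and again in the @@ -703 hunk on the next line, `ensureLessonMonitor` is only invoked when the lesson has an organisation; the comments say this is for lesson preview, but nothing in the branch verifies that a lesson with a null organisation actually is a preview, so any lesson that ends up without one gets its class created or is started with no monitor check at all. Making the exemption explicit — an `else` that checks the lesson is marked as a preview (using whatever preview indicator `Lesson` carries) and otherwise fails the same way `ensureLessonMonitor` does — turns the documented gap into a deliberate, logged decision. The enclosing methods start outside these hunks, so the exact preview test is left to the author.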
@@ -660,7 +660,7 @@
 
 @Override
 public void finishLessonOnSchedule(long lessonId, int scheduledNumberDaysToLessonFinish, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "finish lesson on schedule", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "finish lesson on schedule");
 
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 if (requestedLesson == null) {
@@ -703,7 +703,7 @@
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 if (requestedLesson.getOrganisation() != null) {
 // preview does not have organisation set, so this security check still needs improvement
- securityService.isLessonMonitor(lessonId, userId, "start lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "start lesson");
 }
 if (requestedLesson.isLessonStarted()) {
 MonitoringService.log.warn("Lesson " + lessonId
@@ -957,7 +957,7 @@
 
 @Override
 public void archiveLesson(long lessonId, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "archive lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "archive lesson");
 
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 Integer lessonState = requestedLesson.getLessonStateId();
@@ -976,7 +976,7 @@
 
 @Override
 public void unarchiveLesson(long lessonId, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "unarchive lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "unarchive lesson");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 // remove any triggers waiting to suspend the lesson
 removeScheduleDisableTrigger(requestedLesson);
@@ -985,7 +985,7 @@
 
 @Override
 public void suspendLesson(long lessonId, Integer userId, boolean clearScheduleDetails) {
- securityService.isLessonMonitor(lessonId, userId, "suspend lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "suspend lesson");
 Lesson lesson = lessonDAO.getLesson(new Long(lessonId));
 if (!Lesson.SUSPENDED_STATE.equals(lesson.getLessonStateId())
 && !Lesson.REMOVED_STATE.equals(lesson.getLessonStateId())) {
@@ -1008,7 +1008,7 @@
 
 @Override
 public void unsuspendLesson(long lessonId, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "unsuspend lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "unsuspend lesson");
 Lesson lesson = lessonDAO.getLesson(new Long(lessonId));
 Integer state = lesson.getLessonStateId();
 // only suspend started lesson
@@ -1130,7 +1130,7 @@
 
 @Override
 public void removeLesson(long lessonId, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "remove lesson", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "remove lesson");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 // remove any triggers waiting to suspend the lesson
 removeScheduleDisableTrigger(requestedLesson);
@@ -1145,7 +1145,7 @@
 // on the Lesson object. If you only access the lesson id then it will work. You can still load the Organisation,
 // but do not load the Lesson collection in the Organisation
 public void removeLessonPermanently(long lessonId, Integer userId) {
- securityService.isLessonMonitor(lessonId, userId, "remove lesson permanently", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "remove lesson permanently");
 
 Lesson lesson = lessonDAO.getLesson(lessonId);
 LearningDesign learningDesign = lesson.getLearningDesign();
@@ -1227,7 +1227,7 @@
 
 @Override
 public Boolean togglePresenceAvailable(long lessonId, Integer userId, Boolean presenceAvailable) {
- securityService.isLessonMonitor(lessonId, userId, "set presence available", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "set presence available");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 requestedLesson.setLearnerPresenceAvailable(presenceAvailable != null ? presenceAvailable : Boolean.FALSE);
 lessonDAO.updateLesson(requestedLesson);
@@ -1236,7 +1236,7 @@
 
 @Override
 public Boolean togglePresenceImAvailable(long lessonId, Integer userId, Boolean presenceImAvailable) {
- securityService.isLessonMonitor(lessonId, userId, "set presence instant messaging available", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "set presence instant messaging available");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 requestedLesson.setLearnerImAvailable(presenceImAvailable != null ? presenceImAvailable : Boolean.FALSE);
 lessonDAO.updateLesson(requestedLesson);
@@ -1245,7 +1245,7 @@
 
 @Override
 public Boolean toggleGradebookOnComplete(long lessonId, Integer userId, Boolean gradebookOnComplete) {
- securityService.isLessonMonitor(lessonId, userId, "set gradebook on complete", true);
+ securityService.ensureLessonMonitor(lessonId, userId, "set gradebook on complete");
 Lesson requestedLesson = lessonDAO.getLesson(new Long(lessonId));
 requestedLesson.setGradebookOnComplete(gradebookOnComplete != null ? gradebookOnComplete : Boolean.FALSE);
 lessonDAO.updateLesson(requestedLesson);
@@ -1303,9 +1303,9 @@
 public String forceCompleteActivitiesByUser(Integer learnerId, Integer requesterId, long lessonId,
 Long activityId, boolean removeLearnerContent) {
 if (requesterId.equals(learnerId)) {
- securityService.isLessonLearner(lessonId, requesterId, "force complete", true);
+ securityService.ensureLessonLearner(lessonId, requesterId, "force complete");
 } else {
- securityService.isLessonMonitor(lessonId, requesterId, "force complete", true);
+ securityService.ensureLessonMonitor(lessonId, requesterId, "force complete");
 }
 Lesson lesson = lessonDAO.getLesson(Long.valueOf(lessonId));
 User learner = baseDAO.find(User.class, learnerId);
@@ -2039,7 +2039,7 @@
 @Override
 public String getLearnerActivityURL(Long lessonID, Long activityID, Integer learnerUserID, Integer requestingUserId)
 throws IOException, LamsToolServiceException {
- securityService.isLessonMonitor(lessonID, requestingUserId, "get learner activity URL", true);
+ securityService.ensureLessonMonitor(lessonID, requestingUserId, "get learner activity URL");
 
 Lesson lesson = lessonDAO.getLesson(lessonID);
 Activity activity = activityDAO.getActivityByActivityId(activityID);
@@ -2065,7 +2065,7 @@
 @Override
 public String getActivityMonitorURL(Long lessonID, Long activityID, String contentFolderID, Integer userID)
 throws IOException, LamsToolServiceException {
- securityService.isLessonMonitor(lessonID, userID, "get activity monitor URL", true);
+ securityService.ensureLessonMonitor(lessonID, userID, "get activity monitor URL");
 
 Activity activity = activityDAO.getActivityByActivityId(activityID);
 
@@ -2820,7 +2820,7 @@
 String[] staffIds, String[] learnerIds, Organisation group, boolean log) {
 Lesson newLesson = null;
 
- securityService.isGroupMonitor(group.getOrganisationId(), creatorId, "cloneLesson", true);
+ securityService.ensureGroupMonitor(group.getOrganisationId(), creatorId, "cloneLesson");
 
 Lesson lesson = lessonService.getLesson(lessonId);
 if (lesson != null) {
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java
===================================================================
diff -u -r328b2d5068eb7b9c271f43e55b3f19a05733312b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java (.../EmailNotificationsController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailNotificationsController.java (.../EmailNotificationsController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -29,7 +29,6 @@
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -66,7 +65,6 @@
 import org.lamsfoundation.lams.util.DateUtil;
 import org.lamsfoundation.lams.util.FileUtil;
 import org.lamsfoundation.lams.util.WebUtil;
-import org.lamsfoundation.lams.util.excel.ExcelCell;
 import org.lamsfoundation.lams.util.excel.ExcelSheet;
 import org.lamsfoundation.lams.util.excel.ExcelUtil;
 import org.lamsfoundation.lams.web.session.SessionManager;
@@ -86,8 +84,8 @@
 import org.springframework.stereotype.Controller;
 import org.springframework.util.Assert;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.bind.annotation.ResponseStatus;
 
 import com.fasterxml.jackson.databind.node.ArrayNode;
@@ -138,8 +136,8 @@
 public String getLessonView(HttpServletRequest request, HttpServletResponse response)
 throws IOException, ServletException {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(), "show lesson email notifications",
- false)) {
+ if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
+ "show lesson email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -166,8 +164,7 @@
 public String getCourseView(HttpServletRequest request, HttpServletResponse response)
 throws IOException, ServletException {
 int orgId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID);
- if (!securityService.isGroupMonitor(orgId, getCurrentUser().getUserID(), "show course email notifications",
- false)) {
+ if (!securityService.isGroupMonitor(orgId, getCurrentUser().getUserID(), "show course email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the organisation");
 return null;
 }
@@ -176,7 +173,7 @@
 Organisation org = (Organisation) userManagementService.findById(Organisation.class, orgId);
 
 boolean isGroupMonitor = securityService.hasOrgRole(orgId, getCurrentUser().getUserID(),
- new String[] { Role.GROUP_MANAGER }, "show course email notifications", false);
+ new String[] { Role.GROUP_MANAGER }, "show course email notifications");
 Integer userRole = isGroupMonitor ? Role.ROLE_GROUP_MANAGER : Role.ROLE_MONITOR;
 Map staffMap = lessonService
 .getLessonsByOrgAndUserWithCompletedFlag(getCurrentUser().getUserID(), orgId, userRole);
@@ -212,13 +209,13 @@
 Integer organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID, true);
 if (isLessonNotifications) {
 if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
- "show scheduled lesson email notifications", false)) {
+ "show scheduled lesson email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson");
 return null;
 }
 } else {
 if (!securityService.isGroupMonitor(organisationId, getCurrentUser().getUserID(),
- "show scheduled course email notifications", false)) {
+ "show scheduled course email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation");
 return null;
 }
@@ -277,7 +274,7 @@
 Integer organisationId = WebUtil.readIntParam(request, AttributeNames.PARAM_ORGANISATION_ID, true);
 if (isLessonNotifications) {
 if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
- "show archived lesson email notifications", false)) {
+ "show archived lesson email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson");
 return null;
 }
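Review bot: The local `isGroupMonitor` in the @@ -176 hunk holds the result of a `hasOrgRole(..., Role.GROUP_MANAGER, ...)` check and selects `Role.ROLE_GROUP_MANAGER`, while the `securityService.isGroupMonitor(...)` call that precedes it in the same method (the @@ -166 hunk on the previous line) answers a different question, so the same name now denotes two different roles a few lines apart. Renaming the local removes the ambiguity: `boolean isGroupManager = securityService.hasOrgRole(orgId, getCurrentUser().getUserID(),` / `new String[] { Role.GROUP_MANAGER }, "show course email notifications");` / `Integer userRole = isGroupManager ? Role.ROLE_GROUP_MANAGER : Role.ROLE_MONITOR;`. The enclosing method starts outside the hunk.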
@@ -286,7 +283,7 @@
 request.setAttribute("notifications", notifications);
 } else {
 if (!securityService.isGroupMonitor(organisationId, getCurrentUser().getUserID(),
- "show archived course email notifications", false)) {
+ "show archived course email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation");
 return null;
 }
@@ -315,13 +312,13 @@
 // check if the user is allowed to fetch this data
 if (isLessonNotifications) {
 if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
- "show archived lesson email notification participants", false)) {
+ "show archived lesson email notification participants")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson");
 return null;
 }
 } else {
 if (!securityService.isGroupMonitor(organisationId, getCurrentUser().getUserID(),
- "show archived course email notification participants", false)) {
+ "show archived course email notification participants")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation");
 return null;
 }
@@ -381,13 +378,12 @@
 try {
 // if this method throws an Exception, there will be no deleteNotification=true in the JSON reply
 if (isLessonNotifications) {
- if (!securityService.isLessonMonitor(lessonId, userId, "show scheduled lesson email notifications",
- false)) {
+ if (!securityService.isLessonMonitor(lessonId, userId, "show scheduled lesson email notifications")) {
 error = "Unable to delete notification: the user is not a monitor in the lesson";
 }
 } else {
 if (!securityService.isGroupMonitor(organisationId, userId,
- "show scheduled course course email notifications", false)) {
+ "show scheduled course course email notifications")) {
 error = "Unable to delete notification: the user is not a monitor in the organisation";
 }
 }
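Review bot: The label in the @@ -381 hunk's `isGroupMonitor` call is `"show scheduled course course email notifications"` — `course` is doubled — and both labels in that hunk say `show` even though the surrounding error strings (`"Unable to delete notification: ..."`) show this is the delete path, so a denied deletion would be recorded as a failed view. Suggest `"delete scheduled lesson email notifications"` and `"delete scheduled course email notifications"` respectively, which keeps the labels in step with the handler they guard as the other hunks in this file do. The enclosing method starts outside the hunk.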
@@ -445,13 +441,13 @@
 // check if the user is allowed to fetch this data
 if (isLessonNotifications) {
 if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
- "export archived lesson email notification", false)) {
+ "export archived lesson email notification")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson");
 return;
 }
 } else {
 if (!securityService.isGroupMonitor(organisationId, getCurrentUser().getUserID(),
- "export archived course email notification", false)) {
+ "export archived course email notification")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation");
 return;
 }
@@ -578,13 +574,13 @@
 if (lessonId != null) {
 if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(),
- "get users for lesson email notifications", false)) {
+ "get users for lesson email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the lesson");
 return null;
 }
 } else if (orgId != null) {
 if (!securityService.isGroupMonitor(orgId, getCurrentUser().getUserID(),
- "get users for course email notifications", false)) {
+ "get users for course email notifications")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "The user is not a monitor in the organisation");
 return null;
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java
===================================================================
diff -u -r328b2d5068eb7b9c271f43e55b3f19a05733312b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java (.../EmailProgressController.java) (revision 328b2d5068eb7b9c271f43e55b3f19a05733312b)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/EmailProgressController.java (.../EmailProgressController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -98,7 +98,7 @@
 public String getEmailProgressDates(HttpServletRequest request, HttpServletResponse response)
 throws IOException, SchedulerException {
 Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(), "get class members", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(), "get class members")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -175,7 +175,7 @@
 @ResponseBody
 public String updateEmailProgressDate(HttpServletRequest request, HttpServletResponse response) throws IOException {
 Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(), "get class members", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getCurrentUser().getUserID(), "get class members")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -253,7 +253,7 @@
 Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
 Integer monitorUserId = getCurrentUser().getUserID();
- if (!securityService.isLessonMonitor(lessonId, monitorUserId, "get lesson progress", false)) {
+ if (!securityService.isLessonMonitor(lessonId, monitorUserId, "get lesson progress")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingAJAXController.java
===================================================================
diff -u -r40de3afab4e8d589660daffb6efd6e568e87f8fa -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingAJAXController.java (.../GroupingAJAXController.java) (revision 40de3afab4e8d589660daffb6efd6e568e87f8fa)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingAJAXController.java (.../GroupingAJAXController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -312,7 +312,7 @@
 // check if user is allowed to view and edit groupings
 if (!securityService.hasOrgRole(organisationId, userId,
 new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR },
- "view organisation groupings", false)) {
+ "view organisation groupings")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation");
 return null;
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingUploadAJAXController.java
===================================================================
diff -u -r2a7214f47da4e3caccae6d93586410878e6e818b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingUploadAJAXController.java (.../GroupingUploadAJAXController.java) (revision 2a7214f47da4e3caccae6d93586410878e6e818b)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/GroupingUploadAJAXController.java (.../GroupingUploadAJAXController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -143,7 +143,7 @@
 // check if user is allowed to view and edit groups
 if (!securityService.hasOrgRole(organisationId, userId,
- new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groups", false)) {
+ new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR }, "view organisation groups")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a participant in the organisation");
 return;
 }
@@ -279,7 +279,7 @@
 // check if user is allowed to save grouping
 if (!securityService.hasOrgRole(organisationId, userId,
 new String[] { Role.GROUP_MANAGER, Role.MONITOR, Role.AUTHOR },
- "save organisation grouping from spreadsheet", false)) {
+ "save organisation grouping from spreadsheet")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation");
 return null;
 }
@@ -341,7 +341,7 @@
 //Check user is a part of the organisation
 } else if (!securityService.hasOrgRole(organisation.getOrganisationId(), learner.getUserId(),
 new String[] { Role.GROUP_MANAGER, Role.LEARNER, Role.MONITOR, Role.AUTHOR },
- "be added to grouping", false)) {
+ "be added to grouping", true)) {
 totalUsersSkipped++;
@@ -421,7 +421,6 @@
 } else if (!securityService.isLessonLearner(lessonId, learner.getUserId(), "be added to grouping", false)) {
- //log.warn("Unable to add learner " + login + " to lesson grouping as learner doesn't belong to the lesson.");
 totalUsersSkipped++;
 iter.remove();
 }
Index: lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java
===================================================================
diff -u -rf6247c953cc7bf9a17d4025ea8e8728ae55c11ed -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java (.../MonitoringController.java) (revision f6247c953cc7bf9a17d4025ea8e8728ae55c11ed)
+++ lams_monitoring/src/java/org/lamsfoundation/lams/monitoring/web/MonitoringController.java (.../MonitoringController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -242,7 +242,7 @@
 HttpSession ss = SessionManager.getSession();
 UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER);
- if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "rename lesson", false)) {
+ if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "rename lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
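Review bot: The added line in the `-341` hunk flips the trailing flag of `hasOrgRole` from `false` to `true` instead of dropping it as every other `hasOrgRole` call in this commit does, and nothing at the call site says what the remaining flag means. In the removed code `true` was the throw-on-denial form (the commit replaces those callers with `ensureLessonMonitor`), so if the five-argument overload kept that meaning, one learner outside the organisation would now abort the whole upload with an exception instead of being counted in `totalUsersSkipped`. If the flag has been repurposed (the `-421` hunk keeps `false` on `isLessonLearner` and deletes a commented-out warning about skipped learners, which hints at a "do not warn" meaning), state that where it is read, e.g. `"be added to grouping", true /* skipped learners are expected here; do not report each denial */)) {`. The loop this sits in starts and ends outside the hunk.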
@@ -436,7 +436,7 @@
 public void addAllOrganisationLearnersToLesson(HttpServletRequest request, HttpServletResponse response)
 throws IOException {
 Long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "add all lesson learners to lesson", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "add all lesson learners to lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return;
 }
@@ -660,7 +660,7 @@
 public String getLessonLearners(HttpServletRequest request, HttpServletResponse response) throws IOException {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "get lesson learners", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "get lesson learners")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -697,7 +697,7 @@
 public String getClassMembers(HttpServletRequest request, HttpServletResponse response) throws IOException {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "get class members", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "get class members")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -762,7 +762,7 @@
 Long activityId = WebUtil.readLongParam(request, AttributeNames.PARAM_ACTIVITY_ID, true);
 if (activityId == null) {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "get lesson completed learners", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "get lesson completed learners")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -778,7 +778,7 @@
 } else {
 Activity activity = monitoringService.getActivityById(activityId);
 Lesson lesson = activity.getLearningDesign().getLessons().iterator().next();
- if (!securityService.isLessonMonitor(lesson.getLessonId(), getUserId(), "get activity learners", false)) {
+ if (!securityService.isLessonMonitor(lesson.getLessonId(), getUserId(), "get activity learners")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -809,7 +809,7 @@
 @RequestMapping(path = "/updateLessonClass", method = RequestMethod.POST)
 public void updateLessonClass(HttpServletRequest request, HttpServletResponse response) throws IOException {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "update lesson class", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "update lesson class")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return;
 }
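Review bot: In the `-778` hunk the monitor check on the added line is evaluated against `activity.getLearningDesign().getLessons().iterator().next()`, i.e. whichever lesson the set happens to yield first, not a lesson identified by the request; if a learning design can back more than one lesson the authorisation is tested on an arbitrary one, and on a design with no lessons `next()` throws before any 403 is sent. The `-1439` hunk derives `organisationID` from the same `getLessons().iterator().next()` chain and has the same weakness. Consider taking the lesson from the request in this branch too (the `activityId == null` branch above already reads `PARAM_LESSON_ID`) and then verifying that the activity belongs to that lesson before `isLessonMonitor`, or at least guarding the empty case with an explicit 403. The enclosing method starts and ends outside the hunk.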
@@ -946,7 +946,7 @@
 // prepare encoded lessonId for shortened learner URL
 lessonDTO.setEncodedLessonID(WebUtil.encodeLessonId(lessonId));
- if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "monitor lesson", false)) {
+ if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "monitor lesson")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -982,7 +982,7 @@
 @ResponseBody
 public String getLearnerProgressPage(HttpServletRequest request, HttpServletResponse response) throws IOException {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "get learner progress page", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "get learner progress page")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -1021,7 +1021,7 @@
 HttpSession ss = SessionManager.getSession();
 UserDTO user = (UserDTO) ss.getAttribute(AttributeNames.USER);
- if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "get lesson details", false)) {
+ if (!securityService.isLessonMonitor(lessonId, user.getUserID(), "get lesson details")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -1108,7 +1108,7 @@
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
 Integer monitorUserId = getUserId();
- if (!securityService.isLessonMonitor(lessonId, monitorUserId, "get lesson progress", false)) {
+ if (!securityService.isLessonMonitor(lessonId, monitorUserId, "get lesson progress")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -1313,7 +1313,7 @@
 public String autocomplete(HttpServletRequest request, HttpServletResponse response) throws Exception {
 long lessonId = WebUtil.readLongParam(request, AttributeNames.PARAM_LESSON_ID);
- if (!securityService.isLessonMonitor(lessonId, getUserId(), "autocomplete in monitoring", false)) {
+ if (!securityService.isLessonMonitor(lessonId, getUserId(), "autocomplete in monitoring")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
@@ -1439,8 +1439,7 @@
 }
 Integer organisationID = learningDesign.getLessons().iterator().next().getOrganisation().getOrganisationId();
 Integer userID = getUserId();
- if (!securityService.hasOrgRole(organisationID, userID, new String[] { Role.AUTHOR }, "start live edit",
- false)) {
+ if (!securityService.hasOrgRole(organisationID, userID, new String[] { Role.AUTHOR }, "start live edit")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not an author in the organisation");
 return null;
 }
@@ -1522,7 +1521,7 @@
 long lessonID = WebUtil.readLongParam(request, "lessonID");
 // check monitor privledges
- if (!securityService.isLessonMonitor(lessonID, getUserId(), "open time chart", false)) {
+ if (!securityService.isLessonMonitor(lessonID, getUserId(), "open time chart")) {
 response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a monitor in the lesson");
 return null;
 }
Index: lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/LearningController.java
===================================================================
diff -u -rbfeb7dd59aa544d49b9c985904aade7628ddc733 -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/LearningController.java (.../LearningController.java) (revision bfeb7dd59aa544d49b9c985904aade7628ddc733)
+++ lams_tool_assessment/src/java/org/lamsfoundation/lams/tool/assessment/web/controller/LearningController.java (.../LearningController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -1254,8 +1254,8 @@
 UserDTO user = LearningController.getCurrentUser();
 Lesson lesson = lessonService.getLessonByToolContentId(toolContentId);
- securityService.isLessonMonitor(lesson.getLessonId(), user.getUserID(), "show Assessment results for teacher",
- true);
+ securityService.ensureLessonMonitor(lesson.getLessonId(), user.getUserID(),
+ "show Assessment results for teacher");
 // initialize Session Map
Index: lams_tool_doku/src/java/org/lamsfoundation/lams/tool/dokumaran/web/controller/MonitoringController.java
===================================================================
diff -u -r5563dc18a8b8d19478fb804c8beef31e63bd249b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_tool_doku/src/java/org/lamsfoundation/lams/tool/dokumaran/web/controller/MonitoringController.java (.../MonitoringController.java) (revision 5563dc18a8b8d19478fb804c8beef31e63bd249b)
+++ lams_tool_doku/src/java/org/lamsfoundation/lams/tool/dokumaran/web/controller/MonitoringController.java (.../MonitoringController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -249,7 +249,7 @@
 @RequestParam Double mark) {
 ToolSession toolSession = toolService.getToolSessionById(toolSessionId);
 long lessonId = toolSession.getLesson().getLessonId();
- securityService.isLessonMonitor(lessonId, getUserId(), "update Doku learner mark", true);
+ securityService.ensureLessonMonitor(lessonId, getUserId(), "update Doku learner mark");
 gradebookService.updateGradebookUserActivityMark(mark, null, userId, toolSessionId, true);
Index: lams_tool_whiteboard/src/java/org/lamsfoundation/lams/tool/whiteboard/web/controller/MonitoringController.java
===================================================================
diff -u -r5563dc18a8b8d19478fb804c8beef31e63bd249b -rf3e44aee5373a1233080ea5acd1cb5959bb46544
--- lams_tool_whiteboard/src/java/org/lamsfoundation/lams/tool/whiteboard/web/controller/MonitoringController.java (.../MonitoringController.java) (revision 5563dc18a8b8d19478fb804c8beef31e63bd249b)
+++ lams_tool_whiteboard/src/java/org/lamsfoundation/lams/tool/whiteboard/web/controller/MonitoringController.java (.../MonitoringController.java) (revision f3e44aee5373a1233080ea5acd1cb5959bb46544)
@@ -239,7 +239,7 @@
 @RequestParam Double mark) {
 ToolSession toolSession = toolService.getToolSessionById(toolSessionId);
 long lessonId = toolSession.getLesson().getLessonId();
- securityService.isLessonMonitor(lessonId, getUserId(), "update Whiteboard learner mark", true);
+ securityService.ensureLessonMonitor(lessonId, getUserId(), "update Whiteboard learner mark");
 gradebookService.updateGradebookUserActivityMark(mark, null, userId, toolSessionId, true);