From 86c669a6d998492c9eab28aab66c89ac44c86351 Mon Sep 17 00:00:00 2001
From: agrt56 <andreas.gaertner@mni.thm.de>
Date: Tue, 28 Apr 2015 16:36:31 +0200
Subject: [PATCH] Task #15666: Change request method of piRound mapping to
 POST.

---
 .../arsnova/controller/LecturerQuestionController.java    | 8 ++++----
 .../java/de/thm/arsnova/services/QuestionService.java     | 4 ++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/controller/LecturerQuestionController.java b/src/main/java/de/thm/arsnova/controller/LecturerQuestionController.java
index 90b82a793..79106208f 100644
--- a/src/main/java/de/thm/arsnova/controller/LecturerQuestionController.java
+++ b/src/main/java/de/thm/arsnova/controller/LecturerQuestionController.java
@@ -84,7 +84,7 @@ public class LecturerQuestionController extends AbstractController {
 		}
 	}
 
-	@RequestMapping(value = "/{questionId}/startNewPiRound", method = RequestMethod.GET)
+	@RequestMapping(value = "/{questionId}/startNewPiRound", method = RequestMethod.POST)
 	public void startPiRound(
 			@PathVariable final String questionId,
 			@RequestParam(value = "time", defaultValue = "0", required = false) final int time
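Review bot: POST on `/{questionId}/startNewPiRound` does not by itself protect this state-changing call against cross-site request forgery. That still depends on CSRF tokens or an equivalent origin check, and nothing in this patch shows whether one is enforced for these routes; the same holds for the three mappings changed in the next hunk. I would confirm this in the security configuration and record it on the method, e.g. `// State-changing endpoint: POST only; CSRF protection is expected from the security configuration.` Separately, `time` is bound as an `int` with default `0` and no range check is visible; the body of startPiRound continues outside the hunk, so a bound may exist there.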
@@ -97,21 +97,21 @@ public class LecturerQuestionController extends AbstractController {
 		}
 	}
 
-	@RequestMapping(value = "/{questionId}/cancelDelayedPiRound", method = RequestMethod.GET)
+	@RequestMapping(value = "/{questionId}/cancelDelayedPiRound", method = RequestMethod.POST)
 	public void cancelPiRound(
 			@PathVariable final String questionId
 			) {
 		questionService.cancelPiRoundChange(questionId);
 	}
 
-	@RequestMapping(value = "/{questionId}/resetPiRoundState", method = RequestMethod.GET)
+	@RequestMapping(value = "/{questionId}/resetPiRoundState", method = RequestMethod.POST)
 	public void resetPiQuestion(
 			@PathVariable final String questionId
 			) {
 		questionService.resetPiRoundState(questionId);
 	}
 
-	@RequestMapping(value = "/{questionId}/disableVoting", method = RequestMethod.GET)
+	@RequestMapping(value = "/{questionId}/disableVoting", method = RequestMethod.POST)
 	public void setVotingAdmission(
 			@PathVariable final String questionId,
 			@RequestParam(required = true) final Boolean disable
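Review bot: cancelPiRound and resetPiQuestion show no authorization check and no Javadoc, so a reader of the controller cannot tell that ownership is enforced by the `@PreAuthorize` annotations this commit adds in QuestionService. A short comment on each mapping would make that dependency explicit, e.g. `/** Owner-only; enforced by @PreAuthorize on the QuestionService method. */`. As a style point on the unchanged setVotingAdmission signature, `@RequestParam(required = true) final Boolean disable` could be `@RequestParam final boolean disable`, since `required = true` is the default and the service takes a primitive. The body of setVotingAdmission continues outside the hunk.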
diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index edaea7c95..066e83095 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -236,6 +236,7 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 	}
 
 	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'question', 'owner')")
 	public void startNewPiRound(final String questionId, User user) {
 		final Question question = databaseDao.getQuestion(questionId);
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionKeyword());
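Review bot: `@PreAuthorize` on startNewPiRound is only evaluated when the call goes through the Spring proxy with a security context on the calling thread, and the explicit `User user` parameter suggests this method may also be invoked without a request context (for example for a delayed round start). If that is the case, a call via `this` inside QuestionService would skip the check, and a call from a background thread would be rejected by `isAuthenticated()`; the callers are outside this hunk, so this needs confirming. The expression also depends on `#questionId` resolving by parameter name, which requires debug symbols at compile time or an explicit `@P("questionId")` on the parameter. I would add a comment such as `// Must be called through the Spring proxy from an authenticated request thread; @PreAuthorize is not applied on self-invocation.` The method body continues outside the hunk.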
@@ -280,6 +281,7 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 	}
 
 	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'question', 'owner')")
 	public void cancelPiRoundChange(final String questionId) {
 		final Question question = databaseDao.getQuestion(questionId);
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionKeyword());
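Review bot: The authorization expression is repeated here as the same string literal that is added on startNewPiRound, resetPiRoundState and setVotingAdmission, so a later change to the ownership rule has to be made in four places and a missed one would silently leave a weaker check. A single constant keeps them in step: `private static final String IS_QUESTION_OWNER = "isAuthenticated() and hasPermission(#questionId, 'question', 'owner')";` used as `@PreAuthorize(IS_QUESTION_OWNER)`. This works only while every annotated method names its parameter `questionId`, which is true of the four signatures shown. The body of cancelPiRoundChange continues outside the hunk.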
@@ -310,6 +312,7 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 	}
 
 	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'question', 'owner')")
 	public void resetPiRoundState(final String questionId) {
 		final Question question = databaseDao.getQuestion(questionId);
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionKeyword());
@@ -323,6 +326,7 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 	}
 
 	@Override
+	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'question', 'owner')")
 	public void setVotingAdmission(final String questionId, final boolean disable) {
 		final Question question = databaseDao.getQuestion(questionId);
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionKeyword());
-- 
GitLab