From c179b366af9ef7cb058f55ac6da4c41cd88e3fe8 Mon Sep 17 00:00:00 2001
From: Daniel Gerhardt <code@dgerhardt.net>
Date: Tue, 10 Feb 2015 15:33:22 +0100
Subject: [PATCH] Make API resource for interposed read statistics stateless

The resource by default now includes the total stats. A user parameter
has been added to request user specific data.

This change intends to restore compatibility with ARSnova Overlay.
---
 .../controller/AudienceQuestionController.java      |  4 ++--
 .../de/thm/arsnova/services/IQuestionService.java   |  2 +-
 .../de/thm/arsnova/services/QuestionService.java    | 13 +++++++++----
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/controller/AudienceQuestionController.java b/src/main/java/de/thm/arsnova/controller/AudienceQuestionController.java
index 32ee01d84..6b5a2bc09 100644
--- a/src/main/java/de/thm/arsnova/controller/AudienceQuestionController.java
+++ b/src/main/java/de/thm/arsnova/controller/AudienceQuestionController.java
@@ -54,8 +54,8 @@ public class AudienceQuestionController extends AbstractController {
 
 	@RequestMapping(value = "/readcount", method = RequestMethod.GET)
 	@DeprecatedApi
-	public final InterposedReadingCount getUnreadInterposedCount(@RequestParam("sessionkey") final String sessionkey) {
-		return questionService.getInterposedReadingCount(sessionkey);
+	public final InterposedReadingCount getUnreadInterposedCount(@RequestParam("sessionkey") final String sessionkey, String user) {
+		return questionService.getInterposedReadingCount(sessionkey, user);
 	}
 
 	@RequestMapping(value = "/", method = RequestMethod.GET)
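Review bot: The new `String user` argument of `getUnreadInterposedCount` carries no `@RequestParam`, so its binding to the `user` query parameter and its optional status rest on Spring's default handling of unannotated simple types and on the Java parameter name, which a later rename would silently change. Declaring it as `@RequestParam(value = "user", required = false) final String user` makes the wire name and the optionality explicit and matches the `sessionkey` parameter beside it. The value is caller-controlled and is used only as a selector here; the comparison against the authenticated user happens in the QuestionService hunk of this commit, so the controller should keep passing it through unmodified.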
diff --git a/src/main/java/de/thm/arsnova/services/IQuestionService.java b/src/main/java/de/thm/arsnova/services/IQuestionService.java
index 6d9ca0618..00df66a12 100644
--- a/src/main/java/de/thm/arsnova/services/IQuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/IQuestionService.java
@@ -59,7 +59,7 @@ public interface IQuestionService {
 
 	int getInterposedCount(String sessionKey);
 
-	InterposedReadingCount getInterposedReadingCount(String sessionKey);
+	InterposedReadingCount getInterposedReadingCount(String sessionKey, String username);
 
 	List<InterposedQuestion> getInterposedQuestions(String sessionKey);
 
diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index 1f812123d..cb09d6127 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -25,6 +25,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.AbstractMap.SimpleEntry;
 
+import de.thm.arsnova.exceptions.ForbiddenException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -339,16 +340,20 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 
 	@Override
 	@PreAuthorize("isAuthenticated()")
-	public InterposedReadingCount getInterposedReadingCount(final String sessionKey) {
+	public InterposedReadingCount getInterposedReadingCount(final String sessionKey, String username) {
 		final Session session = databaseDao.getSessionFromKeyword(sessionKey);
-		final User user = getCurrentUser();
 		if (session == null) {
 			throw new NotFoundException();
 		}
-		if (session.isCreator(user)) {
+		if (username == null) {
 			return databaseDao.getInterposedReadingCount(session);
 		} else {
-			return databaseDao.getInterposedReadingCount(session, user);
+			User currentUser = userService.getCurrentUser();
+			if (!currentUser.getUsername().equals(username)) {
+				throw new ForbiddenException();
+			}
+
+			return databaseDao.getInterposedReadingCount(session, currentUser);
 		}
 	}
 
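Review bot: With the `session.isCreator(user)` branch gone, any authenticated caller that omits `user` now gets the session-wide counts from `databaseDao.getInterposedReadingCount(session)`, which previously went to the session creator only; the only gate left in this hunk is `@PreAuthorize("isAuthenticated()")`. The commit message suggests this is intended, so the `username == null` branch should say so, e.g. `// totals are deliberately readable by every authenticated user (ARSnova Overlay compatibility)`, or a session-membership check should be restored if it is not. In the else branch, `currentUser.getUsername().equals(username)` would fail with a NullPointerException instead of a ForbiddenException if `userService.getCurrentUser()` can return null or a user without a name (not visible here); `if (currentUser == null || !username.equals(currentUser.getUsername()))` fails closed. The contract that null means totals and a non-null name must equal the caller is also worth a Javadoc line on `IQuestionService.getInterposedReadingCount`, where the new parameter is declared without any description.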
-- 
GitLab