From c9bb2c9beee70d132ef49d65102d09d562cd79c5 Mon Sep 17 00:00:00 2001
From: tekay <tom.kaesler@mni.thm.de>
Date: Fri, 8 Apr 2016 13:39:38 +0200
Subject: [PATCH] add admin check to both permission evaluation functions

---
 .../ApplicationPermissionEvaluator.java       | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
index 2706e32d6..6239be2ca 100644
--- a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
+++ b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
@@ -58,8 +58,9 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 			final Object permission
 			) {
 		final String username = getUsername(authentication);
-
-		if (
+		if (checkAdminPermission(username)) {
+			return true;
+		} else if (
 				targetDomainObject instanceof Session
 				&& checkSessionPermission(username, ((Session) targetDomainObject).getKeyword(), permission)
 				) {
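Review bot: The new `checkAdminPermission(username)` branch returns true before `targetDomainObject` or `permission` is looked at, so the decision rests entirely on a bare username string match. The TODO carried into the helper says admin accounts are not yet restricted to the arsnova db, so a same-named account from another login source would presumably pass here as well; the same applies to the id/type overload in the second hunk. Until that TODO is resolved, I would at least document the bypass at the call, e.g. `// admin bypass: grants every permission on every target, see TODO in checkAdminPermission`. The method body starts and ends outside this hunk and `getUsername` is not visible, so how usernames are distinguished per login source should be confirmed.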
@@ -75,14 +76,10 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 			final String targetType,
 			final Object permission
 			) {
-		/** TODO only allow accounts from arsnova db **/
 		final String username = getUsername(authentication);
-		String[] splittedAdminNames = adminAccounts.split(",");
-		if (Arrays.asList(splittedAdminNames).contains(username)) {
+		if (checkAdminPermission(username)) {
 			return true;
-		}
-
-		if (
+		} else if (
 				"session".equals(targetType)
 				&& checkSessionPermission(username, targetId, permission)) {
 			return true;
@@ -100,6 +97,15 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 		return false;
 	}
 
+	private boolean checkAdminPermission(final String username) {
+		/** TODO only allow accounts from arsnova db **/
+		String[] splittedAdminNames = adminAccounts.split(",");
+		if (Arrays.asList(splittedAdminNames).contains(username)) {
+			return true;
+		}
+		return false;
+	}
+
 	private boolean checkSessionPermission(
 			final String username,
 			final Serializable targetId,
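Review bot: `adminAccounts.split(",")` in `checkAdminPermission` yields a single empty string when the property is empty, so an empty `username` would match and be treated as admin. Whether `getUsername` can return an empty string (for example for an anonymous request) is not visible here and should be checked. Entries are also compared without trimming, so a list written as `a, b` never matches `b`. Rejecting a null or empty username up front and trimming each entry closes both cases. `adminAccounts` is declared outside the hunk, and the sketch below assumes it is non-null.

```java
private boolean checkAdminPermission(final String username) {
	/** TODO only allow accounts from arsnova db **/
	if (username == null || username.isEmpty()) {
		// an empty admin list splits to [""]; never let a blank name match it
		return false;
	}
	for (final String adminName : adminAccounts.split(",")) {
		if (username.equals(adminName.trim())) {
			return true;
		}
	}
	return false;
}
```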
-- 
GitLab