From 6e9ad8875669e56b2b14c9d6a84cce2b5a867082 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <paul-christian.volkmer@mni.thm.de>
Date: Wed, 28 May 2014 18:10:27 +0200
Subject: [PATCH] Add special handling for interposed questions

---
 .../ApplicationPermissionEvaluator.java       | 43 +++++++++++++------
 .../thm/arsnova/services/QuestionService.java |  2 +-
 2 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
index 0f072922..80be9eb3 100644
--- a/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
+++ b/src/main/java/de/thm/arsnova/security/ApplicationPermissionEvaluator.java
@@ -13,6 +13,7 @@ import org.springframework.security.core.Authentication;
 import com.github.leleuj.ss.oauth.client.authentication.OAuthAuthenticationToken;
 
 import de.thm.arsnova.dao.IDatabaseDao;
+import de.thm.arsnova.entities.InterposedQuestion;
 import de.thm.arsnova.entities.Question;
 import de.thm.arsnova.entities.Session;
 import de.thm.arsnova.entities.User;
@@ -25,8 +26,8 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 	private IDatabaseDao dao;
 
 	@Override
-	public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
-		String username = getUsername(authentication);
+	public boolean hasPermission(final Authentication authentication, final Object targetDomainObject, final Object permission) {
+		final String username = getUsername(authentication);
 
 		if (
 				targetDomainObject instanceof Session
@@ -38,29 +39,45 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 	}
 
 	@Override
-	public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
-		String username = getUsername(authentication);
+	public boolean hasPermission(final Authentication authentication, final Serializable targetId, final String targetType, final Object permission) {
+		final String username = getUsername(authentication);
 
 		if ("session".equals(targetType) && ! checkSessionPermission(username, targetId, permission)) {
 			throw new ForbiddenException();
 		} else if ("question".equals(targetType) && ! checkQuestionPermission(username, targetId, permission)) {
 			throw new ForbiddenException();
+		} else if ("interposedquestion".equals(targetType) && ! checkInterposedQuestionPermission(username, targetId, permission)) {
+			throw new ForbiddenException();
 		}
 		return true;
 	}
 
-	private boolean checkSessionPermission(String username, Serializable targetId, Object permission) {
+	private boolean checkSessionPermission(final String username, final Serializable targetId, final Object permission) {
 		if (permission instanceof String && permission.equals("owner")) {
 			return dao.getSession(targetId.toString()).getCreator().equals(username);
 		}
 		return false;
 	}
 
-	private boolean checkQuestionPermission(String username, Serializable targetId, Object permission) {
+	private boolean checkQuestionPermission(final String username, final Serializable targetId, final Object permission) {
+		if (permission instanceof String && permission.equals("owner")) {
+			final Question question = dao.getQuestion(targetId.toString());
+			if (question != null) {
+				final Session session = dao.getSessionFromId(question.getSessionId());
+				if (session == null) {
+					return false;
+				}
+				return session.getCreator().equals(username);
+			}
+		}
+		return false;
+	}
+
+	private boolean checkInterposedQuestionPermission(final String username, final Serializable targetId, final Object permission) {
 		if (permission instanceof String && permission.equals("owner")) {
-			Question question = dao.getQuestion(targetId.toString());
+			final InterposedQuestion question = dao.getInterposedQuestion(targetId.toString());
 			if (question != null) {
-				Session session = dao.getSessionFromId(question.getSessionId());
+				final Session session = dao.getSessionFromId(question.getSessionId());
 				if (session == null) {
 					return false;
 				}
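Review bot: The new `interposedquestion` branch in the second `hasPermission` is the third string-matched type that relies on the trailing `return true;` — a `targetType` matching none of the three literals (a typo in a `@PreAuthorize` expression such as the one changed in QuestionService, for instance) is granted rather than denied, so the evaluator fails open; unless other target types are deliberately routed through this overload, compute an `allowed` flag per known type and deny everything else. `checkInterposedQuestionPermission` also duplicates `checkQuestionPermission` line for line apart from the DAO lookup, so the session-creator comparison should live in one helper to keep the three ownership checks from drifting. Note that "owner" of an interposed question is still only the session creator; if the user who posted it is also meant to manage it, this check does not cover that (cannot tell from the hunk). `checkInterposedQuestionPermission` continues past the end of this hunk.
```java
	@Override
	public boolean hasPermission(final Authentication authentication, final Serializable targetId, final String targetType, final Object permission) {
		final String username = getUsername(authentication);

		// Deny by default: only the known target types can grant anything.
		final boolean allowed;
		if ("session".equals(targetType)) {
			allowed = checkSessionPermission(username, targetId, permission);
		} else if ("question".equals(targetType)) {
			allowed = checkQuestionPermission(username, targetId, permission);
		} else if ("interposedquestion".equals(targetType)) {
			allowed = checkInterposedQuestionPermission(username, targetId, permission);
		} else {
			allowed = false;
		}
		if (!allowed) {
			throw new ForbiddenException();
		}
		return true;
	}

	// … unchanged: checkSessionPermission …

	private boolean checkQuestionPermission(final String username, final Serializable targetId, final Object permission) {
		if (!"owner".equals(permission)) {
			return false;
		}
		final Question question = dao.getQuestion(targetId.toString());
		return question != null && isCreatedBy(dao.getSessionFromId(question.getSessionId()), username);
	}

	private boolean checkInterposedQuestionPermission(final String username, final Serializable targetId, final Object permission) {
		if (!"owner".equals(permission)) {
			return false;
		}
		final InterposedQuestion question = dao.getInterposedQuestion(targetId.toString());
		return question != null && isCreatedBy(dao.getSessionFromId(question.getSessionId()), username);
	}

	/** True only if the session exists and its recorded creator is {@code username}. */
	private boolean isCreatedBy(final Session session, final String username) {
		return session != null && session.getCreator().equals(username);
	}
```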
@@ -70,7 +87,7 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 		return false;
 	}
 
-	private String getUsername(Authentication authentication) {
+	private String getUsername(final Authentication authentication) {
 		if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
 			throw new UnauthorizedException();
 		}
@@ -78,15 +95,15 @@ public class ApplicationPermissionEvaluator implements PermissionEvaluator {
 		if (authentication instanceof OAuthAuthenticationToken) {
 			User user = null;
 
-			OAuthAuthenticationToken token = (OAuthAuthenticationToken) authentication;
+			final OAuthAuthenticationToken token = (OAuthAuthenticationToken) authentication;
 			if (token.getUserProfile() instanceof Google2Profile) {
-				Google2Profile profile = (Google2Profile) token.getUserProfile();
+				final Google2Profile profile = (Google2Profile) token.getUserProfile();
 				user = new User(profile);
 			} else if (token.getUserProfile() instanceof TwitterProfile) {
-				TwitterProfile profile = (TwitterProfile) token.getUserProfile();
+				final TwitterProfile profile = (TwitterProfile) token.getUserProfile();
 				user = new User(profile);
 			} else if (token.getUserProfile() instanceof FacebookProfile) {
-				FacebookProfile profile = (FacebookProfile) token.getUserProfile();
+				final FacebookProfile profile = (FacebookProfile) token.getUserProfile();
 				user = new User(profile);
 			}
 
diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index 6f3b68e8..74729acd 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -177,7 +177,7 @@ public class QuestionService implements IQuestionService {
 	}
 
 	@Override
-	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'question', 'owner')")
+	@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'interposedquestion', 'owner')")
 	public void deleteInterposedQuestion(final String questionId) {
 		final InterposedQuestion question = databaseDao.getInterposedQuestion(questionId);
 		if (question == null) {
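Review bot: The `'interposedquestion'` literal in the new `@PreAuthorize` expression is tied to `ApplicationPermissionEvaluator` only by string equality, and nothing in this patch exercises the pairing; a test that calls `deleteInterposedQuestion` as a non-creator and expects `ForbiddenException`, plus one as the creator that expects success, would catch a future mismatch between the two literals. A short comment on the annotation naming the branch it depends on, e.g. `// target type must match the "interposedquestion" branch in ApplicationPermissionEvaluator.hasPermission`, would make the coupling visible. The body of `deleteInterposedQuestion` continues past the end of this hunk.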
-- 
GitLab