From c3dfda6224062b39e09821bb2ec68a8b24ccf6e4 Mon Sep 17 00:00:00 2001
From: Christoph Thelen <christoph.thelen@mni.thm.de>
Date: Tue, 18 Nov 2014 12:34:01 +0100
Subject: [PATCH] Fixed #11008: secured interposed questions

---
 .../java/de/thm/arsnova/entities/InterposedQuestion.java  | 4 ++++
 .../java/de/thm/arsnova/services/QuestionService.java     | 4 +++-
 .../java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java | 8 +++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java b/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java
index a08b136a..11653526 100644
--- a/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java
+++ b/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java
@@ -98,4 +98,8 @@ public class InterposedQuestion {
 	public void setCreator(String creator) {
 		this.creator = creator;
 	}
+
+	public boolean isCreator(User user) {
+		return user.getUsername().equals(creator);
+	}
 }
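Review bot: `isCreator` dereferences `user` and `user.getUsername()` without a null check, so a caller holding no user gets a NullPointerException rather than a clean `false`; the socket handler in this patch obtains its user from `userService.getUser2SocketId`, which presumably can yield null for an unknown socket, and the guard added to QuestionService feeds that value straight in. A fail-closed form is `return user != null && user.getUsername() != null && user.getUsername().equals(creator);`. Do not reach for `Objects.equals(user.getUsername(), creator)` here: it would return true when both the username and `creator` are null, which would turn a missing value into an authorization match. A one-line Javadoc would also help, e.g. `/** Returns true when {@code user} is the author of this interposed question. */`.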
diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index 2224949f..406be88d 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -378,7 +378,9 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 			throw new NotFoundException();
 		}
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionId());
-
+		if (!question.isCreator(user) && !session.isCreator(user)) {
+			throw new UnauthorizedException();
+		}
 		if (session.isCreator(user)) {
 			databaseDao.markInterposedQuestionAsRead(question);
 		}
diff --git a/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java b/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java
index 4f20db3e..b7dbfd3c 100644
--- a/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java
+++ b/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java
@@ -37,7 +37,9 @@ import de.thm.arsnova.events.NewInterposedQuestionEvent;
 import de.thm.arsnova.events.NewQuestionEvent;
 import de.thm.arsnova.events.NovaEvent;
 import de.thm.arsnova.events.NovaEventVisitor;
+import de.thm.arsnova.exceptions.UnauthorizedException;
 import de.thm.arsnova.exceptions.NoContentException;
+import de.thm.arsnova.exceptions.NotFoundException;
 import de.thm.arsnova.services.IFeedbackService;
 import de.thm.arsnova.services.IQuestionService;
 import de.thm.arsnova.services.ISessionService;
@@ -161,7 +163,11 @@ public class ARSnovaSocketIOServer implements ApplicationListener<NovaEvent>, No
 					de.thm.arsnova.entities.transport.InterposedQuestion question,
 					AckRequest ackRequest) {
 				final User user = userService.getUser2SocketId(client.getSessionId());
-				questionService.readInterposedQuestionInternal(question.getId(), user);
+				try {
+					questionService.readInterposedQuestionInternal(question.getId(), user);
+				} catch (NotFoundException | UnauthorizedException e) {
+					LOGGER.error("Loading of question {} failed for user {} with exception {}", question.getId(), user, e.getMessage());
+				}
 			}
 		});
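Review bot: The new catch logs only `e.getMessage()` at ERROR level, which drops the stack trace and treats an authorization denial the same as a missing question; SLF4J attaches the throwable when it is the last argument, so `LOGGER.warn("Loading of question {} failed for user {}", question.getId(), user, e);` keeps the cause. For detection it is useful to tell the two cases apart, since an UnauthorizedException here means a client asked to mark a question it does not own as read, so separate catch clauses or logging `e.getClass().getSimpleName()` would help. The exception is otherwise swallowed and the handler, whose signature begins before the hunk, never uses `ackRequest`, so the client cannot tell that nothing happened — presumably acceptable if the ack is fire-and-forget, but worth confirming. `user` is logged through its `toString()`, whose contents are not visible in this patch; confirm it carries no credentials. The import hunk above places `UnauthorizedException` ahead of `NoContentException`, out of alphabetical order.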
 
-- 
GitLab