Fixed #11008: secured interposed questions

c3dfda62 · Christoph Thelen · c48e865a · c3dfda62 · c3dfda62 · c3dfda62
Commit c3dfda62 authored 10 years ago by Christoph Thelen
--- a/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java
+++ b/src/main/java/de/thm/arsnova/entities/InterposedQuestion.java
@@ -98,4 +98,8 @@ public class InterposedQuestion {
 	public void setCreator(String creator) {
 		this.creator = creator;
 	}
+
+	public boolean isCreator(User user) {
+		return user.getUsername().equals(creator);
+	}
 }
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -378,7 +378,9 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 			throw new NotFoundException();
 		}
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionId());
-
+		if (!question.isCreator(user) && !session.isCreator(user)) {
+			throw new UnauthorizedException();
+		}
 		if (session.isCreator(user)) {
 			databaseDao.markInterposedQuestionAsRead(question);
 		}

--- a/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java
+++ b/src/main/java/de/thm/arsnova/socket/ARSnovaSocketIOServer.java
@@ -37,7 +37,9 @@ import de.thm.arsnova.events.NewInterposedQuestionEvent;
 import de.thm.arsnova.events.NewQuestionEvent;
 import de.thm.arsnova.events.NovaEvent;
 import de.thm.arsnova.events.NovaEventVisitor;
+import de.thm.arsnova.exceptions.UnauthorizedException;
 import de.thm.arsnova.exceptions.NoContentException;
+import de.thm.arsnova.exceptions.NotFoundException;
 import de.thm.arsnova.services.IFeedbackService;
 import de.thm.arsnova.services.IQuestionService;
 import de.thm.arsnova.services.ISessionService;
@@ -161,7 +163,11 @@ public class ARSnovaSocketIOServer implements ApplicationListener<NovaEvent>, No
 					de.thm.arsnova.entities.transport.InterposedQuestion question,
 					AckRequest ackRequest) {
 				final User user = userService.getUser2SocketId(client.getSessionId());
-				questionService.readInterposedQuestionInternal(question.getId(), user);
+				try {
+					questionService.readInterposedQuestionInternal(question.getId(), user);
+				} catch (NotFoundException | UnauthorizedException e) {
+					LOGGER.error("Loading of question {} failed for user {} with exception {}", question.getId(), user, e.getMessage());
+				}
 			}
 		});