From d82dfbeca862216a0c7d291317e520b714d73f97 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer <paul-christian.volkmer@mni.thm.de>
Date: Tue, 10 Dec 2013 11:44:29 +0100
Subject: [PATCH] Check if user is in speaker role and is session owner

---
 .../thm/arsnova/services/QuestionService.java | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index bd9d8ad3..c6cbb98d 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -35,6 +35,7 @@ import de.thm.arsnova.entities.InterposedReadingCount;
 import de.thm.arsnova.entities.Question;
 import de.thm.arsnova.entities.Session;
 import de.thm.arsnova.entities.User;
+import de.thm.arsnova.exceptions.ForbiddenException;
 import de.thm.arsnova.exceptions.NoContentException;
 import de.thm.arsnova.exceptions.NotFoundException;
 import de.thm.arsnova.exceptions.UnauthorizedException;
@@ -79,6 +80,12 @@ public class QuestionService implements IQuestionService {
 		Session session = this.databaseDao.getSessionFromKeyword(question.getSessionKeyword());
 		question.setSessionId(session.get_id());
 
+		User user = userService.getCurrentUser();
+
+		if (! user.hasRole(UserSessionService.Role.SPEAKER) || session.isCreator(user)) {
+			throw new ForbiddenException();
+		}
+
 		if ("freetext".equals(question.getQuestionType())) {
 			question.setPiRound(0);
 		} else if (question.getPiRound() < 1 || question.getPiRound() > 2) {
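Review bot: The new guard's condition is inverted relative to the commit subject: `session.isCreator(user)` without negation means the session owner is the one who gets `ForbiddenException`, while any speaker who does not own the session passes through. The same condition is repeated in the next hunk (the one inside the interposed-question save). The later hunks in this file guard `session.isCreator(user)` with `user == null`, so `getCurrentUser()` apparently can return null, and `user.hasRole(...)` here would then throw a NullPointerException instead of a 403. I would change the condition to `if (user == null || !user.hasRole(UserSessionService.Role.SPEAKER) || !session.isCreator(user)) {`. The enclosing method's signature is outside this hunk, so I cannot see which service operation this protects.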
@@ -97,6 +104,12 @@ public class QuestionService implements IQuestionService {
 		Session session = this.databaseDao.getSessionFromKeyword(question.getSessionId());
 		InterposedQuestion result = this.databaseDao.saveQuestion(session, question);
 
+		User user = userService.getCurrentUser();
+
+		if (! user.hasRole(UserSessionService.Role.SPEAKER) || session.isCreator(user)) {
+			throw new ForbiddenException();
+		}
+
 		if (null != result) {
 			socketIoServer.reportAudienceQuestionAvailable(result.getSessionId(), result.get_id());
 
@@ -142,7 +155,7 @@ public class QuestionService implements IQuestionService {
 
 		User user = userService.getCurrentUser();
 		Session session = databaseDao.getSession(question.getSessionKeyword());
-		if (user == null || session == null || !session.isCreator(user)) {
+		if (user == null || session == null || ! session.isCreator(user)) {
 			throw new UnauthorizedException();
 		}
 		databaseDao.deleteQuestionWithAnswers(question);
@@ -153,7 +166,7 @@ public class QuestionService implements IQuestionService {
 	public void deleteAllQuestions(String sessionKeyword) {
 		User user = userService.getCurrentUser();
 		Session session = databaseDao.getSession(sessionKeyword);
-		if (user == null || session == null || !session.isCreator(user)) {
+		if (user == null || session == null || ! session.isCreator(user)) {
 			throw new UnauthorizedException();
 		}
 		databaseDao.deleteAllQuestionsWithAnswers(session);
@@ -168,7 +181,7 @@ public class QuestionService implements IQuestionService {
 		}
 		User user = userService.getCurrentUser();
 		Session session = databaseDao.getSessionFromKeyword(question.getSessionId());
-		if (user == null || session == null || !session.isCreator(user)) {
+		if (user == null || session == null || ! session.isCreator(user)) {
 			throw new UnauthorizedException();
 		}
 		databaseDao.deleteInterposedQuestion(question);
@@ -184,7 +197,7 @@ public class QuestionService implements IQuestionService {
 
 		User user = userService.getCurrentUser();
 		Session session = databaseDao.getSession(question.getSessionKeyword());
-		if (user == null || session == null || !session.isCreator(user)) {
+		if (user == null || session == null || ! session.isCreator(user)) {
 			throw new UnauthorizedException();
 		}
 		databaseDao.deleteAnswers(question);
-- 
GitLab