From f0c17488995b8537bed340b45168ba4b45ddaabb Mon Sep 17 00:00:00 2001
From: Christoph Thelen <christoph.thelen@mni.thm.de>
Date: Wed, 14 Jan 2015 16:09:31 +0100
Subject: [PATCH] Create proper anonymized copy of Session object

Changing the Session object the way it was done previously
interferes with the new caching mechanism. The objects are
now long-lived, so any direct changes to them which are not
in the spirit of its use case have to be removed. In this
case, changing the creator information invalidated many
of the isCreator checks sprinkled through the code, as
the new creator's name would have been the string
"not visible to you."
---
 .../arsnova/controller/SessionController.java |  9 +-------
 .../java/de/thm/arsnova/entities/Session.java | 21 +++++++++++++++++++
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/controller/SessionController.java b/src/main/java/de/thm/arsnova/controller/SessionController.java
index 86eebf0d..e03e2cab 100644
--- a/src/main/java/de/thm/arsnova/controller/SessionController.java
+++ b/src/main/java/de/thm/arsnova/controller/SessionController.java
@@ -32,7 +32,6 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.core.token.Sha512DigestUtils;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -67,13 +66,7 @@ public class SessionController extends AbstractController {
 
 	@RequestMapping(value = "/{sessionkey}", method = RequestMethod.GET)
 	public final Session joinSession(@PathVariable final String sessionkey) {
-		final Session session = sessionService.getSession(sessionkey);
-		if (!session.isCreator(userService.getCurrentUser())) {
-			session.setCreator("NOT VISIBLE TO YOU");
-		} else {
-			session.setCreator(Sha512DigestUtils.shaHex(session.getCreator()));
-		}
-		return session;
+		return Session.anonymizedCopy(sessionService.getSession(sessionkey));
 	}
 
 	@RequestMapping(value = "/{sessionkey}", method = RequestMethod.DELETE)
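Review bot: `joinSession` now returns an empty `creator` to every caller, including the session's owner, who previously received a SHA-512 hex of their own login. Any client that compared that value to recognise its own sessions would stop doing so without an error, so this should be confirmed against the API consumers, which are not visible here. The result of `sessionService.getSession(sessionkey)` is also passed straight into `anonymizedCopy`, which dereferences it, so the endpoint relies on the service throwing rather than returning null for an unknown key. A short comment would record the intent: `// Return a copy: the cached Session must never be mutated, and creator is withheld from all callers.`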
diff --git a/src/main/java/de/thm/arsnova/entities/Session.java b/src/main/java/de/thm/arsnova/entities/Session.java
index 85b80977..f9a7d46d 100644
--- a/src/main/java/de/thm/arsnova/entities/Session.java
+++ b/src/main/java/de/thm/arsnova/entities/Session.java
@@ -52,6 +52,27 @@ public class Session implements Serializable {
 	private String _id;
 	private String _rev;
 
+	/**
+	 * Returns a copy of the given session without any information that identifies a person.
+	 * @param original The session to create a anonymized copy of
+	 * @return
+	 */
+	public static Session anonymizedCopy(final Session original) {
+		final Session copy = new Session();
+		copy.type = original.type;
+		copy.name = original.name;
+		copy.shortName = original.shortName;
+		copy.keyword = original.keyword;
+		copy.creator = ""; // anonymous
+		copy.active = original.active;
+		copy.lastOwnerActivity = original.lastOwnerActivity;
+		copy.courseType = original.courseType;
+		copy.courseId = original.courseId;
+		copy._id = original._id;
+		copy._rev = original._rev;
+		return copy;
+	}
+
 	public String getType() {
 		return type;
 	}
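Review bot: The Javadoc on `anonymizedCopy` promises a copy without any information that identifies a person, but the method only blanks `creator` and still copies `lastOwnerActivity`, `_id` and `_rev`. The wording should state exactly what is withheld, and the empty `@return` should be filled, e.g. `@return a new Session with creator set to the empty string; fields not copied here keep their defaults`. The field-by-field copy acts as an allowlist, which fails safe for privacy, but fields added to `Session` later will be silently absent from the response, so a comment such as `// Allowlist: add new non-personal fields here explicitly` would help. The rest of the class lies outside the hunk, so whether existing fields are already left out cannot be checked from here. A unit test asserting that `anonymizedCopy(s).getCreator()` is empty and that `s` itself is unchanged would pin the guarantee the commit message relies on.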
-- 
GitLab