Commit 75f7ee4b authored by Daniel Gerhardt's avatar Daniel Gerhardt

Improve authorization checking logic

* Remove redundant `isAuthenticated()` checks
* Move in-method checks to annotations where possible
parent 20b9753d
......@@ -71,7 +71,7 @@ public class CommentServiceImpl extends EntityService<Comment> implements Commen
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#commentId, 'comment', 'owner')")
@PreAuthorize("hasPermission(#commentId, 'comment', 'owner')")
public void delete(final String commentId) {
final Comment comment = commentRepository.findOne(commentId);
if (comment == null) {
......
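Review bot: Dropping `isAuthenticated() and` from `@PreAuthorize("hasPermission(#commentId, 'comment', 'owner')")` on `delete` is only equivalent to the old check if the configured PermissionEvaluator itself denies anonymous or unauthenticated principals; the evaluator is not visible in this commit, so that property should be confirmed once, centrally, rather than assumed per method. The same reliance applies to every annotation in the ContentServiceImpl, MotdServiceImpl and SessionServiceImpl sections where the prefix was removed. A short comment on the evaluator's `hasPermission`, e.g. `// anonymous principals are denied here; callers no longer add isAuthenticated()`, would document the contract the annotations now depend on. `delete`'s body continues outside the hunk.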
......@@ -234,7 +234,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
/* FIXME: #content.getSessionKeyword() cannot be checked since keyword is no longer set for content. */
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#content.getSessionKeyword(), 'session', 'owner')")
@PreAuthorize("hasPermission(#content.getSessionKeyword(), 'session', 'owner')")
public Content save(final Content content) {
final Session session = sessionRepository.findByKeyword(content.getSessionKeyword());
content.setSessionId(session.getId());
......@@ -266,7 +266,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
/* TODO: Only evict cache entry for the content's session. This requires some refactoring. */
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#contentId, 'content', 'owner')")
@PreAuthorize("hasPermission(#contentId, 'content', 'owner')")
@Caching(evict = {
@CacheEvict("answers"),
@CacheEvict(value = "questions", key = "#contentId"),
......@@ -297,7 +297,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
this.publisher.publishEvent(event);
}
@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
@PreAuthorize("hasPermission(#session, 'owner')")
@Caching(evict = {
@CacheEvict(value = "questions", allEntries = true),
@CacheEvict(value = "skillquestions", key = "#session.getId()"),
......@@ -370,7 +370,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
public void startNewPiRoundDelayed(final String questionId, final int time) {
final ContentService contentService = this;
final User user = userService.getCurrentUser();
......@@ -395,7 +395,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
public void cancelPiRoundChange(final String questionId) {
final Content content = contentRepository.findOne(questionId);
final Session session = sessionRepository.findOne(content.getSessionId());
......@@ -426,7 +426,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
@CacheEvict("answers")
public void resetPiRoundState(final String questionId) {
final Content content = contentRepository.findOne(questionId);
......@@ -446,7 +446,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
public void setVotingAdmission(final String questionId, final boolean disableVoting) {
final Content content = contentRepository.findOne(questionId);
final Session session = sessionRepository.findOne(content.getSessionId());
......@@ -516,7 +516,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#questionId, 'content', 'owner')")
@PreAuthorize("hasPermission(#questionId, 'content', 'owner')")
public void deleteAnswers(final String questionId) {
final Content content = contentRepository.findOne(questionId);
content.resetQuestionState();
......@@ -1005,7 +1005,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
/* TODO: Only evict cache entry for the answer's question. This requires some refactoring. */
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
@CacheEvict(value = "answers", allEntries = true)
public void deleteAllPreparationAnswers(String sessionkey) {
final Session session = getSession(sessionkey);
......@@ -1020,7 +1020,7 @@ public class ContentServiceImpl extends EntityService<Content> implements Conten
/* TODO: Only evict cache entry for the answer's question. This requires some refactoring. */
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
@CacheEvict(value = "answers", allEntries = true)
public void deleteAllLectureAnswers(String sessionkey) {
final Session session = getSession(sessionkey);
......
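Review bot: `save(Content)` now relies solely on `@PreAuthorize("hasPermission(#content.getSessionKeyword(), 'session', 'owner')")`, yet the FIXME directly above states that the session keyword is no longer set for content, so the ownership check is evaluated against a target the code itself says is unpopulated, and the following `findByKeyword(...)` / `session.getId()` lines would dereference a missing session. If the evaluator treats a null target leniently this is an authorization gap rather than just a crash; one option is to resolve the session first and check ownership on the resolved id, e.g. `hasPermission(#content.getSessionId(), 'session', 'owner')` (that getter is used at `content.getSessionId()` in `cancelPiRoundChange`), but whether `sessionId` is populated before `save` is not visible here. Separately, `startNewPiRoundDelayed` captures `final ContentService contentService = this;`; calls made through that reference bypass the Spring security proxy, so any delayed invocation of an annotated method via it would run unchecked — what the reference is used for lies outside the hunk.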
......@@ -70,13 +70,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
@PreAuthorize("hasPermission('', 'motd', 'admin')")
public List<Motd> getAdminMotds() {
return motdRepository.findGlobalForAdmin();
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public List<Motd> getAllSessionMotds(final String sessionkey) {
return motdRepository.findBySessionKey(sessionkey);
}
......@@ -135,13 +135,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
@PreAuthorize("hasPermission('', 'motd', 'admin')")
public Motd save(final Motd motd) {
return createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public Motd save(final String sessionkey, final Motd motd) {
Session session = sessionService.getByKey(sessionkey);
motd.setSessionId(session.getId());
......@@ -150,13 +150,13 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
@PreAuthorize("hasPermission(1,'motd','admin')")
public Motd update(final Motd motd) {
return createOrUpdateMotd(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public Motd update(final String sessionkey, final Motd motd) {
return createOrUpdateMotd(motd);
}
......@@ -183,14 +183,14 @@ public class MotdServiceImpl extends EntityService<Motd> implements MotdService
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1,'motd','admin')")
@PreAuthorize("hasPermission('', 'motd', 'admin')")
@CacheEvict(cacheNames = "motds", key = "#motd.audience.concat(#motd.sessionkey)")
public void delete(Motd motd) {
motdRepository.delete(motd);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public void deleteBySessionKey(final String sessionkey, Motd motd) {
motdRepository.delete(motd);
}
......
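Review bot: `update(final Motd motd)` keeps `@PreAuthorize("hasPermission(1,'motd','admin')")` while the sibling admin methods `getAdminMotds`, `save(Motd)` and `delete(Motd)` were changed to `hasPermission('', 'motd', 'admin')`; unless the evaluator ignores the target id for this type/permission pair, the two spellings can diverge, and it reads as an oversight either way — `@PreAuthorize("hasPermission('', 'motd', 'admin')")` would align it. Also, `update(sessionkey, motd)` and `deleteBySessionKey(sessionkey, motd)` authorize on `#sessionkey` but then pass `motd` straight to `createOrUpdateMotd` / `motdRepository.delete` without tying it to that session, unlike `save(sessionkey, motd)` which sets `motd.setSessionId(session.getId())`; if `createOrUpdateMotd` (outside the hunk) does not re-check the session, a motd from another session could be touched under a key the caller owns, so a comparison of `motd`'s session id against the authorized session before the repository call seems warranted.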
......@@ -262,7 +262,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
return this.getInternal(keyword, user);
}
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public Session getForAdmin(final String keyword) {
return sessionRepository.findByKeyword(keyword);
}
......@@ -331,7 +331,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1, 'motd', 'admin')")
@PreAuthorize("hasPermission('', 'motd', 'admin')")
public List<Session> getUserVisitedSessions(String username) {
return sessionRepository.findVisitedByUsername(username, 0, 0);
}
......@@ -343,7 +343,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated()")
@PreAuthorize("hasPermission('', 'session', 'create')")
@Caching(evict = @CacheEvict(cacheNames = "sessions", key = "#result.keyword"))
public Session save(final Session session) {
if (connectorClient != null && session.getCourseId() != null) {
......@@ -412,12 +412,9 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public Session setActive(final String sessionkey, final Boolean lock) {
final Session session = sessionRepository.findByKeyword(sessionkey);
final User user = userService.getCurrentUser();
if (!session.isCreator(user)) {
throw new ForbiddenException("User is not session creator.");
}
session.setActive(lock);
this.publisher.publishEvent(new StatusSessionEvent(this, session));
sessionRepository.save(session);
......@@ -426,7 +423,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
@PreAuthorize("hasPermission(#session, 'owner')")
@CachePut(value = "sessions", key = "#session")
public Session update(final String sessionkey, final Session session) {
final Session existingSession = sessionRepository.findByKeyword(sessionkey);
......@@ -455,7 +452,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(1, 'motd', 'admin')")
@PreAuthorize("hasPermission('', 'motd', 'admin')")
@Caching(evict = { @CacheEvict("sessions"), @CacheEvict(cacheNames = "sessions", key = "#sessionkey.keyword") })
public Session updateCreator(String sessionkey, String newCreator) {
final Session session = sessionRepository.findByKeyword(sessionkey);
......@@ -483,7 +480,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#session, 'owner')")
@PreAuthorize("hasPermission(#session, 'owner')")
@CacheEvict("sessions")
public int[] deleteCascading(final Session session) {
int[] count = new int[] {0, 0, 0};
......@@ -501,7 +498,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated()")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
public ScoreStatistics getLearningProgress(final String sessionkey, final String type, final String questionVariant) {
final Session session = sessionRepository.findByKeyword(sessionkey);
ScoreCalculator scoreCalculator = scoreCalculatorFactory.create(type, questionVariant);
......@@ -509,7 +506,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated()")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
public ScoreStatistics getMyLearningProgress(final String sessionkey, final String type, final String questionVariant) {
final Session session = sessionRepository.findByKeyword(sessionkey);
final User user = userService.getCurrentUser();
......@@ -518,7 +515,7 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated()")
@PreAuthorize("hasPermission('', 'session', 'create')")
public SessionInfo importSession(ImportExportSession importSession) {
final User user = userService.getCurrentUser();
final SessionInfo info = sessionRepository.importSession(user, importSession);
......@@ -529,13 +526,13 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public ImportExportSession exportSession(String sessionkey, Boolean withAnswerStatistics, Boolean withFeedbackQuestions) {
return sessionRepository.exportSession(sessionkey, withAnswerStatistics, withFeedbackQuestions);
}
@Override
@PreAuthorize("isAuthenticated() and hasPermission(#sessionkey, 'session', 'owner')")
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public SessionInfo copySessionToPublicPool(String sessionkey, de.thm.arsnova.entities.transport.ImportExportSession.PublicPool pp) {
ImportExportSession temp = sessionRepository.exportSession(sessionkey, false, false);
temp.getSession().setPublicPool(pp);
......@@ -550,17 +547,16 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("hasPermission(#sessionkey, 'session', 'read')")
public SessionFeature getFeatures(String sessionkey) {
return sessionRepository.findByKeyword(sessionkey).getFeatures();
}
@Override
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public SessionFeature updateFeatures(String sessionkey, SessionFeature features) {
final Session session = sessionRepository.findByKeyword(sessionkey);
final User user = userService.getCurrentUser();
if (!session.isCreator(user)) {
throw new UnauthorizedException("User is not session creator.");
}
session.setFeatures(features);
this.publisher.publishEvent(new FeatureChangeEvent(this, session));
sessionRepository.save(session);
......@@ -569,12 +565,10 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public boolean lockFeedbackInput(String sessionkey, Boolean lock) {
final Session session = sessionRepository.findByKeyword(sessionkey);
final User user = userService.getCurrentUser();
if (!session.isCreator(user)) {
throw new UnauthorizedException("User is not session creator.");
}
if (!lock) {
feedbackService.cleanFeedbackVotesBySessionKey(sessionkey, 0);
}
......@@ -587,12 +581,10 @@ public class SessionServiceImpl extends EntityService<Session> implements Sessio
}
@Override
@PreAuthorize("hasPermission(#sessionkey, 'session', 'owner')")
public boolean flipFlashcards(String sessionkey, Boolean flip) {
final Session session = sessionRepository.findByKeyword(sessionkey);
final User user = userService.getCurrentUser();
if (!session.isCreator(user)) {
throw new UnauthorizedException("User is not session creator.");
}
session.setFlipFlashcards(flip);
this.publisher.publishEvent(new FlipFlashcardsEvent(this, session));
sessionRepository.save(session);
......
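Review bot: The in-method `session.isCreator(user)` checks removed from `setActive`, `updateFeatures`, `lockFeedbackInput` and `flipFlashcards` are now enforced only by `@PreAuthorize`, which Spring applies on calls that pass through the bean proxy; a self-invocation of these methods from within SessionServiceImpl would reach the body unchecked, so it is worth verifying none exists (none is visible in these hunks). The failure type also changes from the project's `ForbiddenException` / `UnauthorizedException` to Spring's `AccessDeniedException`, which may map to a different HTTP status unless the exception handler already treats them alike. In `save(Session)` and `importSession`, `hasPermission('', 'session', 'create')` passes an empty target id; this is fine only if the evaluator is documented to accept `''` as "no specific target", e.g. a comment `// empty target id: type-level permission, no instance involved` on the evaluator would make that explicit. `updateCreator` and `getUserVisitedSessions` still gate session operations on `'motd'` admin, which the commit preserves but looks like a borrowed check.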