From 932f1eead0aefdf0f2eb3d61e9feaed545aa72ab Mon Sep 17 00:00:00 2001
From: George Pipkin
Date: Fri, 25 Mar 2016 20:37:57 -0400
Subject: [PATCH] SAM-2622 - Access denied error when attempting to download all responses, can only downlload responses individually.
---
 .../ui/bean/authz/AuthorizationBean.java | 37 +++++++++++-------
 .../delivery/DownloadAllMediaServlet.java | 5 ++-
 2 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/authz/AuthorizationBean.java b/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/authz/AuthorizationBean.java
index 2560b394c2be..5d61c07c5dcf 100644
--- a/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/authz/AuthorizationBean.java
+++ b/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/bean/authz/AuthorizationBean.java
@@ -340,15 +340,14 @@ public boolean getDeleteOwnTemplate() {
 }
 public boolean getPrivilege(String functionName){
- String siteId = AgentFacade.getCurrentSiteId();
- boolean privilege = false;
- Object o = map.get(functionName+"_"+siteId);
- if (o!=null)
- privilege = ((Boolean)o).booleanValue();
- return privilege;
+ return getPrivilege(functionName,null);
 }
- public boolean getPrivilege(HttpServletRequest req, String functionName, String siteId){
+ public boolean getPrivilege(final String functionName, String siteId){
+ if (siteId == null) {
+ siteId = AgentFacade.getCurrentSiteId();
+ }
+
 boolean privilege = false;
 Object o = map.get(functionName+"_"+siteId);
 if (o != null) privilege = ((Boolean)o).booleanValue();
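Review bot: The two-argument `getPrivilege` treats a null `siteId` as "use the session's current site", so a caller that failed to resolve a site id is silently evaluated against whatever `AgentFacade.getCurrentSiteId()` returns instead of being refused. For an authorization primitive it is safer to keep the implicit lookup in the one-argument overload only, `return getPrivilege(functionName, AgentFacade.getCurrentSiteId());`, and let the site-scoped overload fail closed with `if (siteId == null) { return false; }`. The same null fallback is added to `isAssessmentInSite` in the `@@ -441,7` hunk, and the three-argument `isUserAllowedToGradeAssessment` in the `@@ -380,15` hunk passes `null` on purpose, so it would have to pass the current site explicitly as well. The end of the method lies outside this hunk.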
@@ -356,12 +355,12 @@ public boolean getPrivilege(HttpServletRequest req, String functionName, String
 }
 // added the follwoing for ShowMediaServlet
- public boolean getGradeAnyAssessment(HttpServletRequest req, String siteId) {
- return getPrivilege(req, "assessment.gradeAssessment.any", siteId);
+ public boolean getGradeAnyAssessment(String siteId) {
+ return getPrivilege("assessment.gradeAssessment.any", siteId);
 }
- public boolean getGradeOwnAssessment(HttpServletRequest req, String siteId) {
- return getPrivilege(req, "assessment.gradeAssessment.own", siteId);
+ public boolean getGradeOwnAssessment(String siteId) {
+ return getPrivilege("assessment.gradeAssessment.own", siteId);
 }
 public boolean isUserAllowedToPublishAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published) {
@@ -380,15 +379,19 @@ else if (getPublishOwnAssessment()) {
 }
 public boolean isUserAllowedToGradeAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published) {
- if (!isAssessmentInSite(assessmentId, published)) {
+ return isUserAllowedToGradeAssessment(assessmentId,assessmentOwnerId,published,null);
+ }
+
+ public boolean isUserAllowedToGradeAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published, String currentSiteId) {
+ if (!isAssessmentInSite(assessmentId,currentSiteId,published)) {
 return false;
 }
 // Second check on the realm permissions
- if (getGradeAnyAssessment()) {
+ if (getGradeAnyAssessment(currentSiteId)) {
 return true;
 }
- else if (getGradeOwnAssessment()) {
+ else if (getGradeOwnAssessment(currentSiteId)) {
 final String loggedInUser = AgentFacade.getAgentString();
 return StringUtils.equals(loggedInUser, assessmentOwnerId);
 }
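Review bot: Dropping the `HttpServletRequest` parameter changes the public signatures of `getGradeAnyAssessment` and `getGradeOwnAssessment` (and of `getPrivilege` in the previous hunk), while the comment above them says they were added for ShowMediaServlet, a file that is not among the two in this commit's diffstat. If that servlet or any other caller still uses the old forms the build breaks; if it no longer does, the comment is stale. Either confirm the remaining callers or update the comment, for example `// site-scoped permission checks used by DownloadAllMediaServlet`.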
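Review bot: The "own" branch of the new four-argument `isUserAllowedToGradeAssessment` grants access when the logged-in user equals `assessmentOwnerId`, and nothing in the method checks that this value is the real owner of `assessmentId`. The servlet caller changed in this commit passes `req.getParameter("createdBy")` for it, so the overload needs at least a Javadoc that states the contract, for example `@param assessmentOwnerId owner id loaded from the assessment record, never taken from request input`, plus a `@param currentSiteId` line saying that null means the session's current site. Resolving the owner from `assessmentId` inside the method would remove the dependency on the caller altogether; the lookup API for that is not visible in this diff.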
@@ -441,7 +444,11 @@ public boolean isUserAllowedToCreateAssessment() {
 }
 // Check whether the assessment belongs to the given site
- public static boolean isAssessmentInSite(final String assessmentId, final String siteId, final boolean published) {
+ public static boolean isAssessmentInSite(final String assessmentId, String siteId, final boolean published) {
+ //Try to get the site Id
+ if (siteId == null) {
+ siteId = AgentFacade.getCurrentSiteId();
+ }
 // get list of site that this published assessment has been released to
 List l = PersistenceService.getInstance().getAuthzQueriesFacade().getAuthorizationByFunctionAndQualifier(published ? "OWN_PUBLISHED_ASSESSMENT" : "EDIT_ASSESSMENT", assessmentId);
diff --git a/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/servlet/delivery/DownloadAllMediaServlet.java b/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/servlet/delivery/DownloadAllMediaServlet.java
index 3a3baa0b7c11..cd37fb4fa27a 100644
--- a/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/servlet/delivery/DownloadAllMediaServlet.java
+++ b/samigo/samigo-app/src/java/org/sakaiproject/tool/assessment/ui/servlet/delivery/DownloadAllMediaServlet.java
@@ -90,7 +90,8 @@ public void doPost(HttpServletRequest req, HttpServletResponse res)
 throws ServletException, IOException {
 String publishedItemId = req.getParameter("publishedItemId");
- log.debug("publishedItemId = " + publishedItemId);
+ String publishedId = req.getParameter("publishedId");
+ log.debug("publishedItemId = " + publishedItemId + " publishedId = " + publishedId);
 // who can access the zip file? You can,
 // if you have a assessment.grade.any or assessment.grade.own permission
@@ -110,7 +111,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse res)
 String assessmentCreatedBy = req.getParameter("createdBy");
 AuthorizationBean authzBean = (AuthorizationBean) ContextUtil.lookupBeanFromExternalServlet("authorization", req, res);
- if (authzBean.isUserAllowedToGradeAssessment(publishedItemId, assessmentCreatedBy, true)) {
+ if (authzBean.isUserAllowedToGradeAssessment(publishedId, assessmentCreatedBy, true, currentSiteId)) {
 accessDenied = false;
 }
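Review bot: The permission check now runs on `publishedId` while the download is still selected by `publishedItemId`, and both are independent request parameters; nothing in the visible lines verifies that the item belongs to the assessment that was authorised. Before `accessDenied` is cleared, the servlet should load the published item server-side and compare its assessment id with `publishedId`, or derive `publishedId` from the item instead of reading it from the request. `currentSiteId` is assigned outside this hunk, so it should be confirmed to come from server-side state as well. A comment such as `// authz inputs must be resolved from publishedItemId server-side, not trusted from the request` would record the requirement until that is done. doPost continues outside the hunk.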