SAM-2622 - Access denied error when attempting to download all
responses, can only download responses individually.
gpp8p authored and jonespm committed Mar 26, 2016
1 parent 074aed7 commit 932f1ee
Showing 2 changed files with 25 additions and 17 deletions.
@@ -340,28 +340,27 @@ public boolean getDeleteOwnTemplate() {
}

public boolean getPrivilege(String functionName){
String siteId = AgentFacade.getCurrentSiteId();
boolean privilege = false;
Object o = map.get(functionName+"_"+siteId);
if (o!=null)
privilege = ((Boolean)o).booleanValue();
return privilege;
return getPrivilege(functionName,null);
}

public boolean getPrivilege(HttpServletRequest req, String functionName, String siteId){
public boolean getPrivilege(final String functionName, String siteId){
if (siteId == null) {
siteId = AgentFacade.getCurrentSiteId();
}

boolean privilege = false;
Object o = map.get(functionName+"_"+siteId);
if (o != null) privilege = ((Boolean)o).booleanValue();
return privilege;
}

// added the follwoing for ShowMediaServlet
public boolean getGradeAnyAssessment(HttpServletRequest req, String siteId) {
return getPrivilege(req, "assessment.gradeAssessment.any", siteId);
public boolean getGradeAnyAssessment(String siteId) {
return getPrivilege("assessment.gradeAssessment.any", siteId);
}

public boolean getGradeOwnAssessment(HttpServletRequest req, String siteId) {
return getPrivilege(req, "assessment.gradeAssessment.own", siteId);
public boolean getGradeOwnAssessment(String siteId) {
return getPrivilege("assessment.gradeAssessment.own", siteId);
}

public boolean isUserAllowedToPublishAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published) {
@@ -380,15 +379,19 @@ else if (getPublishOwnAssessment()) {
}

public boolean isUserAllowedToGradeAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published) {
if (!isAssessmentInSite(assessmentId, published)) {
return isUserAllowedToGradeAssessment(assessmentId,assessmentOwnerId,published,null);
}

public boolean isUserAllowedToGradeAssessment(final String assessmentId, final String assessmentOwnerId, final boolean published, String currentSiteId) {
if (!isAssessmentInSite(assessmentId,currentSiteId,published)) {
return false;
}

// Second check on the realm permissions
if (getGradeAnyAssessment()) {
if (getGradeAnyAssessment(currentSiteId)) {
return true;
}
else if (getGradeOwnAssessment()) {
else if (getGradeOwnAssessment(currentSiteId)) {
final String loggedInUser = AgentFacade.getAgentString();
return StringUtils.equals(loggedInUser, assessmentOwnerId);
}
@@ -441,7 +444,11 @@ public boolean isUserAllowedToCreateAssessment() {
}

// Check whether the assessment belongs to the given site
public static boolean isAssessmentInSite(final String assessmentId, final String siteId, final boolean published) {
public static boolean isAssessmentInSite(final String assessmentId, String siteId, final boolean published) {
//Try to get the site Id
if (siteId == null) {
siteId = AgentFacade.getCurrentSiteId();
}
// get list of site that this published assessment has been released to
List<AuthorizationData> l = PersistenceService.getInstance().getAuthzQueriesFacade().getAuthorizationByFunctionAndQualifier(published ? "OWN_PUBLISHED_ASSESSMENT" : "EDIT_ASSESSMENT", assessmentId);
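Review bot: The new `getPrivilege(final String functionName, String siteId)` and `isAssessmentInSite` both treat a null `siteId` as "use `AgentFacade.getCurrentSiteId()`", and nothing documents that contract on either method or on the four-argument `isUserAllowedToGradeAssessment` that forwards `currentSiteId` to them. For an authorization check this matters: a caller that fails to resolve its site (for example a servlet, as the existing ShowMediaServlet comment suggests) and passes null is checked against the ambient site instead of being denied for a missing site id. I would add Javadoc such as `@param siteId site whose permissions are consulted; null means the site returned by AgentFacade.getCurrentSiteId()`, and have external callers reject a null site id before calling in. The lookup could also be written `return Boolean.TRUE.equals(map.get(functionName + "_" + siteId));` so an unexpected map value denies rather than throwing. The bodies of `isUserAllowedToGradeAssessment` and `isAssessmentInSite` continue past the visible lines.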

@@ -90,7 +90,8 @@ public void doPost(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException
{
String publishedItemId = req.getParameter("publishedItemId");
log.debug("publishedItemId = " + publishedItemId);
String publishedId = req.getParameter("publishedId");
log.debug("publishedItemId = " + publishedItemId + " publishedId = " + publishedId);

// who can access the zip file? You can,
// if you have a assessment.grade.any or assessment.grade.own permission
@@ -110,7 +111,7 @@ public void doPost(HttpServletRequest req, HttpServletResponse res)
String assessmentCreatedBy = req.getParameter("createdBy");

AuthorizationBean authzBean = (AuthorizationBean) ContextUtil.lookupBeanFromExternalServlet("authorization", req, res);
if (authzBean.isUserAllowedToGradeAssessment(publishedItemId, assessmentCreatedBy, true)) {
if (authzBean.isUserAllowedToGradeAssessment(publishedId, assessmentCreatedBy, true, currentSiteId)) {
accessDenied = false;
}
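Review bot: The authorization call on the changed line still takes the assessment owner from `req.getParameter("createdBy")`, so the "grade own" branch of `isUserAllowedToGradeAssessment` compares the logged-in user with a value the client supplies. Now that the check is keyed on `publishedId`, the owner should be looked up on the server from that published assessment and the request parameter left out of the decision. `publishedId` is also passed on without a null or blank check, which should deny early with a clear log line. Where `currentSiteId` comes from is outside the visible lines; if it is read from the request it needs the same treatment, being resolved or validated on the server before it selects which site's permissions apply. `doPost` begins and ends outside these hunks.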
