SAK-49672 Gradebook provide permission denied error instead of stackt…

…race (sakaiproject#12310)
stetsche · Jan 31, 2024 · 5e190e4 · 5e190e4
1 parent 1c7b133
commit 5e190e4
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 15 deletions.
diff --git a/gradebookng/api/src/main/java/org/sakaiproject/grading/api/GradingService.java b/gradebookng/api/src/main/java/org/sakaiproject/grading/api/GradingService.java
@@ -145,6 +145,13 @@ public int compare(String o1, String o2) {
         }
     };
 
+    /**
+     * Check to see if the current user is allowed to view the list of gradebook assignments.
+     *
+     * @param gradebookUid
+     */
+    public boolean isUserAbleToViewAssignments(String gradebookUid);
+
     /**
      * Check to see if the current user is allowed to grade the given item for the given student in the given gradebook. This will give
      * clients a chance to avoid a security exception.

diff --git a/gradebookng/impl/src/main/java/org/sakaiproject/grading/impl/GradingServiceImpl.java b/gradebookng/impl/src/main/java/org/sakaiproject/grading/impl/GradingServiceImpl.java
@@ -171,7 +171,8 @@ public boolean isAssignmentDefined(String gradebookUid, String assignmentName) {
         return getAssignmentWithoutStats(gradebookUid, assignmentName) != null;
     }
 
-    private boolean isUserAbleToViewAssignments(String gradebookUid) {
+    @Override
+    public boolean isUserAbleToViewAssignments(String gradebookUid) {
 
         return (gradingAuthz.isUserAbleToEditAssessments(gradebookUid) || gradingAuthz.isUserAbleToGrade(gradebookUid));
     }

diff --git a/...ookng/tool/src/java/org/sakaiproject/gradebookng/business/GradebookNgBusinessService.java b/...ookng/tool/src/java/org/sakaiproject/gradebookng/business/GradebookNgBusinessService.java
@@ -1297,6 +1297,9 @@ public void putCourseGradesInMatrix(Map<String, GbStudentGradeInfo> matrix, List
 		// Get the course grades
 		final Map<String, CourseGradeTransferBean> courseGrades = getCourseGrades(studentUuids);
 
+		// Return quickly if it is empty (maybe failed permission checks)
+		if (courseGrades == null || courseGrades.isEmpty()) return;
+
 		// Setup the course grade formatter
 		// TODO we want the override except in certain cases. Can we hard code this?
 		final CourseGradeFormatter courseGradeFormatter = Application.exists() ?
@@ -3064,15 +3067,7 @@ public boolean isUserRoleSwapped() {
 	 * @return true if yes, false if no.
 	 */
 	public boolean isUserAbleToEditAssessments(){
-		String siteRef;
-
-		try {
-			siteRef = this.siteService.getSite(getCurrentSiteId()).getReference();
-		} catch (final IdUnusedException e) {
-			throw new GbException(e);
-		}
-
-		return this.securityService.unlock("gradebook.editAssignments", siteRef);
+		return gradingService.currentUserHasEditPerm(getCurrentSiteId());
 	}
 
 	/**

diff --git a/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/model/GbGradebookData.java b/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/model/GbGradebookData.java
@@ -463,17 +463,20 @@ public int compare(final String a, final String b) {
 	 */
 	public static String[] getCourseGradeData(CourseGradeTransferBean courseGrade, Map<String, Double> courseGradeMap) {
 		final String[] gradeData = new String[3];
-		gradeData[0] = courseGrade.getDisplayString();
-		gradeData[2] = "0";
 
 		if (courseGrade == null) {
+			gradeData[0] = "";
 			gradeData[1] = "";
+			gradeData[2] = "0";
 		} else if (StringUtils.isNotBlank(courseGrade.getEnteredGrade())) {
 			Double mappedGrade = courseGradeMap.get(courseGrade.getEnteredGrade());
+			gradeData[0] = courseGrade.getDisplayString();
 			gradeData[1] = FormatHelper.formatGradeForDisplay(mappedGrade);
 			gradeData[2] = "1";
 		} else {
+			gradeData[0] = courseGrade.getDisplayString();
 			gradeData[1] = FormatHelper.formatGradeForDisplay(courseGrade.getCalculatedGrade());
+			gradeData[2] = "0";
 		}
 
 		return gradeData;

diff --git a/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/pages/BasePage.java b/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/pages/BasePage.java
@@ -309,13 +309,11 @@ protected final void defaultRoleChecksForInstructorOnlyPage()
 				break;
 			case STUDENT:
 				throw new RestartResponseException(StudentPage.class);
-			case TA:
+			default:
 				if(businessService.isUserAbleToEditAssessments()) {
 					break;
 				}
 				throw new RestartResponseException(GradebookPage.class);
-			default:
-				break;
 		}
 	}
 }
diff --git a/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/pages/GradebookPage.java b/gradebookng/tool/src/java/org/sakaiproject/gradebookng/tool/pages/GradebookPage.java
@@ -160,6 +160,10 @@ public GradebookPage() {
 				sendToAccessDeniedPage(getString("ta.nopermission"));
 			}
 		}
+		// This is not a Student or TA, so it is either custom role or an Instructor.
+		else if (!this.businessService.isUserAbleToEditAssessments()) {
+			sendToAccessDeniedPage(getString("ta.nopermission"));
+		}
 
 		final GbStopWatch stopwatch = new GbStopWatch();
 		stopwatch.start();