Feature/role instructor (ls1intum#48)

* added new role ROLE_INSTRUCTOR for courses and review all REST endpoints for security aspects: now we check the role first and additionally evaluate if the user is instructor or TA in the particular course to determine if the user can invoke a request. * add course start and end date and boolean flag for online courses
AWS-BugBust-32 · Dec 30, 2017 · 8edf6bb · 8edf6bb
1 parent c4c0e46
commit 8edf6bb
Show file tree

Hide file tree

Showing 40 changed files with 670 additions and 368 deletions.
diff --git a/.jhipster/Course.json b/.jhipster/Course.json
@@ -20,11 +20,28 @@
         {
             "fieldName": "teachingAssistantGroupName",
             "fieldType": "String"
+        },
+        {
+            "fieldName": "instructorGroupName",
+            "fieldType": "String"
+        },
+        {
+            "fieldName": "startDate",
+            "fieldType": "ZonedDateTime"
+        },
+        {
+            "fieldName": "endDate",
+            "fieldType": "ZonedDateTime"
+        },
+        {
+            "fieldName": "onlineCourse",
+            "fieldType": "Boolean"
         }
     ],
     "changelogDate": "20160609093907",
     "entityTableName": "course",
     "dto": "no",
     "pagination": "no",
-    "service": "serviceClass"
+    "service": "serviceClass",
+    "jpaMetamodelFiltering": false
 }
diff --git a/.jhipster/Feedback.json b/.jhipster/Feedback.json
@@ -16,11 +16,17 @@
         {
             "fieldName": "detailText",
             "fieldType": "String"
+        },
+        {
+            "fieldName": "type",
+            "fieldType": "FeedbackType",
+            "fieldValues": "AUTOMATIC,MANUAL"
         }
     ],
     "changelogDate": "20170930120856",
     "entityTableName": "feedback",
     "dto": "no",
     "pagination": "no",
-    "service": "no"
+    "service": "no",
+    "jpaMetamodelFiltering": false
 }
diff --git a/exerciseapp.jh b/exerciseapp.jh
@@ -36,7 +36,11 @@ entity DropLocationCounter(dropLocationCounter){    //extends StatisticCounter
 entity Course (course) {
   title String,
   studentGroupName String,
-  teachingAssistantGroupName String
+  teachingAssistantGroupName String,
+  instructorGroupName String,
+  startDate ZonedDateTime,
+  endDate ZonedDateTime,
+  onlineCourse Boolean
 }
 
 entity Exercise (exercise) {        //abstract

diff --git a/src/main/java/de/tum/in/www1/exerciseapp/config/MethodSecurityConfig.java b/src/main/java/de/tum/in/www1/exerciseapp/config/MethodSecurityConfig.java
diff --git a/src/main/java/de/tum/in/www1/exerciseapp/domain/Course.java b/src/main/java/de/tum/in/www1/exerciseapp/domain/Course.java
@@ -6,6 +6,7 @@
 
 import javax.persistence.*;
 import java.io.Serializable;
+import java.time.ZonedDateTime;
 import java.util.HashSet;
 import java.util.Set;
 import java.util.Objects;
@@ -33,6 +34,18 @@ public class Course implements Serializable {
     @Column(name = "teaching_assistant_group_name")
     private String teachingAssistantGroupName;
 
+    @Column(name = "instructor_group_name")
+    private String instructorGroupName;
+
+    @Column(name = "start_date")
+    private ZonedDateTime startDate;
+
+    @Column(name = "end_date")
+    private ZonedDateTime endDate;
+
+    @Column(name = "online_course")
+    private Boolean onlineCourse;
+
     @OneToMany(mappedBy = "course")
     @JsonIgnore
     @Cache(usage = CacheConcurrencyStrategy.NONSTRICT_READ_WRITE)
@@ -86,6 +99,58 @@ public void setTeachingAssistantGroupName(String teachingAssistantGroupName) {
         this.teachingAssistantGroupName = teachingAssistantGroupName;
     }
 
+    public String getInstructorGroupName() {
+        return instructorGroupName;
+    }
+
+    public Course instructorGroupName(String instructorGroupName) {
+        this.instructorGroupName = instructorGroupName;
+        return this;
+    }
+
+    public void setInstructorGroupName(String instructorGroupName) {
+        this.instructorGroupName = instructorGroupName;
+    }
+
+    public ZonedDateTime getStartDate() {
+        return startDate;
+    }
+
+    public Course startDate(ZonedDateTime startDate) {
+        this.startDate = startDate;
+        return this;
+    }
+
+    public void setStartDate(ZonedDateTime startDate) {
+        this.startDate = startDate;
+    }
+
+    public ZonedDateTime getEndDate() {
+        return endDate;
+    }
+
+    public Course endDate(ZonedDateTime endDate) {
+        this.endDate = endDate;
+        return this;
+    }
+
+    public void setEndDate(ZonedDateTime endDate) {
+        this.endDate = endDate;
+    }
+
+    public Boolean isOnlineCourse() {
+        return onlineCourse;
+    }
+
+    public Course onlineCourse(Boolean onlineCourse) {
+        this.onlineCourse = onlineCourse;
+        return this;
+    }
+
+    public void setOnlineCourse(Boolean onlineCourse) {
+        this.onlineCourse = onlineCourse;
+    }
+
     public Set<Exercise> getExercises() {
         return exercises;
     }
@@ -139,6 +204,10 @@ public String toString() {
             ", title='" + getTitle() + "'" +
             ", studentGroupName='" + getStudentGroupName() + "'" +
             ", teachingAssistantGroupName='" + getTeachingAssistantGroupName() + "'" +
+            ", instructorGroupName='" + getInstructorGroupName() + "'" +
+            ", startDate='" + getStartDate() + "'" +
+            ", endDate='" + getEndDate() + "'" +
+            ", onlineCourse='" + isOnlineCourse() + "'" +
             "}";
     }
 }
diff --git a/src/main/java/de/tum/in/www1/exerciseapp/domain/Feedback.java b/src/main/java/de/tum/in/www1/exerciseapp/domain/Feedback.java
@@ -1,6 +1,5 @@
 package de.tum.in.www1.exerciseapp.domain;
 
-import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import org.hibernate.annotations.Cache;
 import org.hibernate.annotations.CacheConcurrencyStrategy;

diff --git a/src/main/java/de/tum/in/www1/exerciseapp/security/AuthoritiesConstants.java b/src/main/java/de/tum/in/www1/exerciseapp/security/AuthoritiesConstants.java
@@ -9,6 +9,8 @@ public final class AuthoritiesConstants {
 
     public static final String TEACHING_ASSISTANT = "ROLE_TA";
 
+    public static final String INSTRUCTOR = "ROLE_INSTRUCTOR";
+
     public static final String USER = "ROLE_USER";
 
     public static final String ANONYMOUS = "ROLE_ANONYMOUS";

diff --git a/src/main/java/de/tum/in/www1/exerciseapp/security/CustomPermissionEvaluator.java b/src/main/java/de/tum/in/www1/exerciseapp/security/CustomPermissionEvaluator.java
diff --git a/src/main/java/de/tum/in/www1/exerciseapp/service/AuthorizationCheckService.java b/src/main/java/de/tum/in/www1/exerciseapp/service/AuthorizationCheckService.java
@@ -0,0 +1,81 @@
+package de.tum.in.www1.exerciseapp.service;
+
+import de.tum.in.www1.exerciseapp.domain.*;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+
+/**
+ * Service used to check whether user is authorized to perform actions on the entity.
+ */
+@Service
+public class AuthorizationCheckService {
+
+    private final Logger log = LoggerFactory.getLogger(AuthorizationCheckService.class);
+
+    private final UserService userService;
+    private Authority adminAuthority;
+
+    public AuthorizationCheckService(UserService userService) {
+        this.userService = userService;
+        adminAuthority = new Authority();
+        adminAuthority.setName("ROLE_ADMIN");
+    }
+
+    /**
+     * Method used to check whether the current logged in user is authorized to view this course
+     * @param course course to check the rights for
+     * @return true, if user is authorized to view this course, otherwise false
+     */
+    public boolean isAuthorizedForCourse(Course course) {
+        log.debug("Request to check access rights to course with id: {}", course.getId());
+        if(course == null) {
+            return true;
+        }
+        User user = userService.getUserWithGroupsAndAuthorities();
+        if(user.getGroups().contains(course.getStudentGroupName())
+            || user.getGroups().contains(course.getTeachingAssistantGroupName())
+            || user.getGroups().contains(course.getInstructorGroupName())
+            || user.getAuthorities().contains(adminAuthority)) {
+            return true;
+        }
+        return false;
+    }
+
+
+    /**
+     * Method used to check whether the current logged in user is authorized to view this exercise
+     * @param exercise exercise to check the rights for
+     * @return true, if user is authorized to view this exercise, otherwise false
+     */
+    public boolean isAuthorizedForExercise(Exercise exercise) {
+        log.debug("Request to check access rights to exercise with id: {}", exercise.getId());
+        if(exercise == null) {
+            return true;
+        }
+        Course correspondingCourse = exercise.getCourse();
+        return isAuthorizedForCourse(correspondingCourse);
+    }
+
+    /**
+     * Method used to check whether the current logged in user is authorized to view this participation
+     * @param participation participation to check the rights for
+     * @return true, if user is authorized to view this participation, otherwise false
+     */
+    public boolean isAuthorizedForParticipation(Participation participation) {
+        log.debug("Request to check access rights to participation with id: {}", participation.getId());
+        if(participation == null) {
+            return true;
+        }
+        User user = userService.getUserWithGroupsAndAuthorities();
+        Course course = participation.getExercise().getCourse();
+        if(participation.getStudent().getLogin().equals(user.getLogin())
+            || user.getGroups().contains(course.getTeachingAssistantGroupName())
+            || user.getGroups().contains(course.getInstructorGroupName())
+            || user.getAuthorities().contains(adminAuthority)) {
+            return true;
+        }
+        return false;
+    }
+
+}
diff --git a/src/main/java/de/tum/in/www1/exerciseapp/service/CourseService.java b/src/main/java/de/tum/in/www1/exerciseapp/service/CourseService.java
@@ -48,19 +48,7 @@ public Course save(Course course) {
     @Transactional(readOnly = true)
     public List<Course> findAll() {
         log.debug("Request to get all Courses");
-        List<Course> result = courseRepository.findAll();
-        User user = userService.getUserWithGroupsAndAuthorities();
-        Authority adminAuthority = new Authority();
-        adminAuthority.setName("ROLE_ADMIN");
-        Authority taAuthority = new Authority();
-        taAuthority.setName("ROLE_TA");
-        Stream<Course> userCourses = result.stream().filter(
-            course -> user.getGroups().contains(course.getStudentGroupName())
-                || user.getGroups().contains(course.getTeachingAssistantGroupName())
-                || user.getAuthorities().contains(adminAuthority)
-        );
-        List<Course> userAuthorizedCourses = userCourses.collect(Collectors.toList());
-        return userAuthorizedCourses;
+        return courseRepository.findAll();
     }
 
     /**

diff --git a/src/main/java/de/tum/in/www1/exerciseapp/service/ExerciseService.java b/src/main/java/de/tum/in/www1/exerciseapp/service/ExerciseService.java
@@ -138,11 +138,6 @@ public void reset(Exercise exercise) {
     @Transactional
     public void delete(Long id) {
         log.debug("Request to delete Exercise : {}", id);
-        Exercise exercise = exerciseRepository.findOne(id);
-
-        if (Optional.ofNullable(exercise).isPresent()) {
-            reset(exercise);
-        }
         exerciseRepository.delete(id);
     }