Commit 6fc9870b authored by Bruno Nocera Zanette's avatar Bruno Nocera Zanette

Updated rules to fix bugs

Updated rules to fix some bugs.
Also the permission analyzer method has been changed.
Now there is only one method that verifies all the requested IDs, based on the requested type argument.
Signed-off-by: Bruno Nocera Zanette's avatarBruno Nocera Zanette <brunonzanette@gmail.com>
parent 281f88ab
package br.ufpr.c3sl.sapos.models.util;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.lang.String;
......@@ -31,16 +32,8 @@ public class PermissionProvider {
return KerberosAuthProvider.getPersonAuth();
}
private static String personUsername(){
return KerberosAuthProvider.getPersonUsername();
}
private static String idFromLoggedInStudent(){
return KerberosAuthProvider.getIdFromLoggedInStudent();
}
private static String idFromLoggedInProfessor(){
return KerberosAuthProvider.getIdFromLoggedInProfessor();
private static String idFromLoggedInUser(){
return KerberosAuthProvider.getIdFromLoggedInUser();
}
// ------------------------------------------------------------------------------------------ //
......@@ -62,109 +55,142 @@ public class PermissionProvider {
}
return null;
}
@SuppressWarnings("unchecked")
private static List<Object> getRegistrationsIdFromLoggedInStudent(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT id FROM registration"+
" WHERE student = "+"'"+idFromLoggedInUser()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getTranscriptsIdFromLoggedInStudent(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT t.id from transcript t, registration r"+
" WHERE t.student = r.id"+
" and r.student = "+"'"+idFromLoggedInUser()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getStudentgrantsIdFromLoggedInStudent(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT s.id from student_grant s, registration r"+
" WHERE s.registration = r.id"+
" and r.student="+"'"+idFromLoggedInUser()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getStudentsIdFromLoggedInProfessor(){
private static List<Object> getRegistrationsIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT r.id FROM registration r, person p"+
" WHERE r.advisor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
"SELECT id FROM registration"+
" WHERE advisor = "+"'"+idFromLoggedInUser()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getCoursesIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT c.course FROM section_pos c, person p"+
" WHERE c.professor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
"SELECT course FROM section_pos"+
" WHERE professor = "+"'"+idFromLoggedInUser()+"'").getResultList();
}
@SuppressWarnings("unchecked")
private static List<Object> getSectionposIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT c.id FROM section_pos c, person p"+
" WHERE c.professor = p.id"+
" and p.user_name="+"'"+personUsername()+"'").getResultList();
"SELECT id FROM section_pos"+
" WHERE professor = "+"'"+idFromLoggedInUser()+"'").getResultList();
}
// ------------------------------------------------------------------------------------------ //
// Check permission to view Student informations
public boolean hasPermissionToViewPerson(String idPrefix, String url){
System.out.println("Executando hasPermissionToView(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewPerson(getIdElement(idPrefix,url));
@SuppressWarnings("unchecked")
private static List<Object> getTranscriptsIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT t.id from transcript t, registration r"+
" WHERE t.student = r.id"+
" and r.advisor="+"'"+idFromLoggedInUser()+"'").getResultList();
}
public boolean hasPermissionToViewPerson(String id){
@SuppressWarnings("unchecked")
private static List<Object> getStudentgrantsIdFromLoggedInProfessor(){
return (List<Object>) Registration.entityManager().createNativeQuery(
"SELECT s.id from student_grant s, registration r"+
" WHERE s.registration = r.id"+
" and r.advisor="+"'"+idFromLoggedInUser()+"'").getResultList();
}
System.out.println("Executando hasPermissionToView(1) com o parametro: "+id);
if (id == null)
return false;
if (personAuth().equals(Aluno))
return (idFromLoggedInStudent().equals(id));
if (personAuth().equals(Professor))
return (idFromLoggedInProfessor().equals(id)
|| getStudentsIdFromLoggedInProfessor().contains(castToBigInt(id)));
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
private static List<Object> getRequestedIDListFromStudent(String requestType){
if (requestType.equals("registration"))
return getRegistrationsIdFromLoggedInStudent();
return false;
if (requestType.equals("transcript"))
return getTranscriptsIdFromLoggedInStudent();
}
// ------------------------------------------------------------------------------------------ //
// ------------------------------------------------------------------------------------------ //
// Check permission to view Course informations
public boolean hasPermissionToViewCourse(String idPrefix, String url){
System.out.println("Executando hasPermissionToViewCourse(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewCourse(getIdElement(idPrefix, url));
if (requestType.equals("studentgrant"))
return getStudentgrantsIdFromLoggedInStudent();
//Return an empty list
return new ArrayList<Object>();
}
public boolean hasPermissionToViewCourse(String id){
private static List<Object> getRequestedIDListFromProfessor(String requestType){
if (requestType.equals("registration"))
return getRegistrationsIdFromLoggedInProfessor();
System.out.println("Executando hasPermissionToViewCourse(1) com o parametro: "+id);
if (id == null)
return false;
if (requestType.equals("course"))
return getCoursesIdFromLoggedInProfessor();
if (personAuth().equals(Aluno))
return false;
if (personAuth().equals(Professor))
return (getCoursesIdFromLoggedInProfessor().contains(castToBigInt(id)));
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
if (requestType.equals("sectionpos"))
return getSectionposIdFromLoggedInProfessor();
if (requestType.equals("transcript"))
return getTranscriptsIdFromLoggedInProfessor();
if (requestType.equals("studentgrant"))
return getStudentgrantsIdFromLoggedInProfessor();
return false;
//Return an empty list
return new ArrayList<Object>();
}
// ------------------------------------------------------------------------------------------ //
// ------------------------------------------------------------------------------------------ //
// Check permission to view SectionPos informations
public boolean hasPermissionToViewSectionpos(String idPrefix, String url){
System.out.println("Executando hasPermissionToViewSectionpos(2) com o parametro: "+idPrefix+"+"+url);
return hasPermissionToViewSectionpos(getIdElement(idPrefix, url));
// Check permission to view requested information
//Parameters:
// - idPrefix = String that comes right before the ID on the URL
// - url = complete URL
// - requestType = String containing the type of the requested ID.
public boolean hasPermissionToView(String idPrefix, String url, String requestType){
System.out.println("Executando hasPermissionToView(2): '"+requestType+"', com o parametro:"+idPrefix+"+"+url);
return hasPermissionToView(getIdElement(idPrefix, url), requestType);
}
public boolean hasPermissionToViewSectionpos(String id){
//Parameters:
// - id = requested ID
// - requestType = String containing the type of the requested ID.
public boolean hasPermissionToView(String id, String requestType){
System.out.println("Executando hasPermissionToViewSectionpos(1) com o parametro: "+id);
System.out.println("Executando hasPermissionToView(1): '"+requestType+"', com o parametro: "+id);
if (id == null)
//Checks if requests are valid to avoid unforeseen problems
if (id == null || requestType == null)
return false;
if (personAuth().equals(Aluno))
return false;
if (personAuth().equals(Professor))
return (getSectionposIdFromLoggedInProfessor().contains(castToBigInt(id)));
//If logged-in user have administrator authority always return true.
if (personAuth().equals(Funcionario) || personAuth().equals(Administrador))
return true;
//If logged-in user is a Student, verify if the requested ID belongs to the student.
if (personAuth().equals(Aluno))
return getRequestedIDListFromStudent(requestType).contains(castToBigInt(id));
//If logged-in user is a Professor, if the requested ID is a professor's ID verify
//if it is equal to logged-in professor's ID. Else, verify if the ID belongs
//to one of the Professor's students or one of the Professor's courses.
if (personAuth().equals(Professor)){
if (requestType.equals("professor"))
return idFromLoggedInUser().equals(id);
else
return getRequestedIDListFromProfessor(requestType).contains(castToBigInt(id));
}
return false;
}
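Review bot: Every native query in this hunk still builds its WHERE clause by string concatenation (`" WHERE student = "+"'"+idFromLoggedInUser()+"'"` in getRegistrationsIdFromLoggedInStudent, and the same shape in the transcript, student_grant, section_pos and advisor queries), so the SQL text is whatever the Kerberos provider returns for the id, hand-quoted. The value is the logged-in user's own id rather than a request parameter, but a JPA positional parameter removes both the quoting and the concern: `createNativeQuery("SELECT id FROM registration WHERE student = ?1").setParameter(1, idFromLoggedInUser()).getResultList()`. Separately, hasPermissionToView calls personAuth() up to three times per request and prints the requested id with System.out; reading the authority once into a local and sending the message through a logger would make the check cheaper and the output filterable. The trailing `return false` is the right fail-closed default; a short Javadoc saying that unknown authorities and unknown requestType values are denied would make that contract explicit.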
......
......@@ -41,17 +41,17 @@
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/professors.*\?professor=[0-9]?.*$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('professor'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('professor'),'professor')"/>
<!-- INGRESSOS - Show -->
<intercept-url pattern="^/registrations/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson('registrations', request.getRequestURI())"/>
and @permissionProvider.hasPermissionToView('registrations', request.getRequestURI(),'registration')"/>
<!-- INGRESSOS - Show -->
<intercept-url pattern="^/registrations/studentinfo\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('registration'),'registration')"/>
<!-- INGRESSOS - Listar Ingressos" -->
<intercept-url pattern="^/registrations(/list\?.*)?$"
......@@ -70,33 +70,38 @@
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/registrations/registrationsstatementpdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('registration'),'registration')"/>
<!-- INGRESSOS - Declaracao de aceitacao -->
<intercept-url pattern="^/registrations/acceptancestatement$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/registrations/acceptancestatementpdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('registration'),'registration')"/>
<!-- AVALIACAO - Show -->
<intercept-url pattern="^/transcripts/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToView('transcripts',request.getRequestURI(),'transcript')"/>
<!-- AVALIACAO - Declaracao disciplinas -->
<intercept-url pattern="^/transcripts/transcriptsstatement$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')"/>
<intercept-url pattern="^/transcripts/transcriptsstatement(list|pdf)\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('registration'),'registration')"/>
<!-- AVALIACAO - Historico -->
<intercept-url pattern="^/transcripts/transcriptshistory$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')"/>
<intercept-url pattern="^/transcripts/transcriptshistorypdf\?registration=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('registration'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('registration'),'registration')"/>
<!-- BOLSA DISCENTE - Show -->
<intercept-url pattern="^/studentgrants/[0-9]+?$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewPerson('studentgrants', request.getRequestURI())"/>
and @permissionProvider.hasPermissionToView('studentgrants', request.getRequestURI(),'studentgrant')"/>
<!-- BOLSA DISCENTE - Listar por bolsa -->
<intercept-url pattern="^/studentgrants/grantsperkind(list\?grant=[0-9]+)?$"
......@@ -107,17 +112,17 @@
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')"/>
<intercept-url pattern="^/studentgrants/statementgrantpdf\?studentgrant=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Aluno')
and @permissionProvider.hasPermissionToViewPerson(request.getParameter('studentgrant'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('studentgrant'),'studentgrant')"/>
<!-- TURMA - Show -->
<intercept-url pattern="^/courses/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewCourse('courses', request.getRequestURI())"/>
and @permissionProvider.hasPermissionToView('courses', request.getRequestURI(),'course')"/>
<!-- AVALIACAO - Show -->
<intercept-url pattern="^/sectionposes/[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewSectionpos('sectionposes', request.getRequestURI())"/>
and @permissionProvider.hasPermissionToView('sectionposes', request.getRequestURI(),'sectionpos')"/>
<!-- TURMA - Listar turmas pos -->
<intercept-url pattern="^/sectionposes(/list\?year=[0-9]+)?$"
......@@ -128,10 +133,10 @@
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')" />
<intercept-url pattern="^/sectionposes/sectionsselect\?.*professor=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewSectionpos(request.getParameter('professor'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('professor'),'professor')"/>
<intercept-url pattern="^/transcripts/transcriptspersectionlist\?sectionpos=[0-9]+$"
access="hasAnyRole('Administrador', 'Funcionario', 'Professor')
and @permissionProvider.hasPermissionToViewSectionpos(request.getParameter('sectionpos'))"/>
and @permissionProvider.hasPermissionToView(request.getParameter('sectionpos'),'sectionpos')"/>
<!-- DISCIPLINA - Listar disciplinas -->
<intercept-url pattern="^/courses$"
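Review bot: The rule `^/professors.*\?professor=[0-9]?.*$` is the only entry in these hunks whose id capture is not `[0-9]+`: `[0-9]?.*` also accepts an empty or non-numeric professor value, which then reaches the `equals` comparison in hasPermissionToView. The outcome is a denial either way, but tightening it to `professor=[0-9]+` keeps the rule consistent with the other intercept-url entries and keeps unexpected strings out of the permission check. Whether these regexes are matched against the query string at all depends on the request-matcher configured on the enclosing http element, which is outside this hunk.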
......