

fix gatekeeper logic
cedricongjh committed Feb 27, 2024
1 parent 2dad48b commit cf75ae9
Showing 3 changed files with 33 additions and 16 deletions.
Expand Up @@ -317,6 +317,26 @@ void checkAccessControlForInstructorFeedbackResult(
}
}

/**
* Checks the access control for instructor feedback result.
*/
void checkAccessControlForInstructorFeedbackResult(
Instructor instructor, FeedbackSession feedbackSession) throws UnauthorizedAccessException {
if (instructor == null) {
throw new UnauthorizedAccessException("Trying to access system using a non-existent instructor entity");
}

String previewAsPerson = getRequestParamValue(Const.ParamsNames.PREVIEWAS);

if (StringHelper.isEmpty(previewAsPerson)) {
gateKeeper.verifyAccessible(instructor, feedbackSession,
Const.InstructorPermissions.CAN_VIEW_SESSION_IN_SECTIONS);
verifyMatchingGoogleId(instructor.getGoogleId());
} else {
checkAccessControlForPreview(feedbackSession, true);
}
}

private void verifyMatchingGoogleId(String googleId) throws UnauthorizedAccessException {
if (!StringHelper.isEmpty(googleId)) {
if (userInfo == null) {
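Review bot: In the non-preview branch of checkAccessControlForInstructorFeedbackResult, `verifyMatchingGoogleId(instructor.getGoogleId())` only enters its checks when the instructor's Google ID is non-empty, so an instructor entity with no Google ID passes `gateKeeper.verifyAccessible` and returns with no visible confirmation that `userInfo` is a logged-in user, whereas the call sites rewritten in this commit previously called `gateKeeper.verifyLoggedInUserPrivileges(userInfo)` unconditionally. If `getInstructorOfCourseFromRequest` can resolve the instructor from a request parameter rather than from the session, that gap would let the identity binding be skipped; the body of verifyMatchingGoogleId continues past the hunk, so confirm there whether the empty-ID case is handled. A guard at the top of the non-preview branch, `if (userInfo == null) { throw new UnauthorizedAccessException("Trying to access system using a non-logged-in user"); }`, or rejecting an empty Google ID outright, would make the check unconditional. The PREVIEWAS branch never uses `instructor` beyond the null check, so confirm that `checkAccessControlForPreview` ties the preview to the logged-in instructor's own privileges.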
Expand Up @@ -49,12 +49,12 @@ void checkSpecificAccessControl() throws UnauthorizedAccessException {
checkAccessControlForInstructorFeedbackSubmission(instructor, feedbackSession);
break;
case INSTRUCTOR_RESULT:
gateKeeper.verifyLoggedInUserPrivileges(userInfo);
gateKeeper.verifyAccessible(sqlLogic.getInstructorByGoogleId(courseId, userInfo.getId()),
feedbackSession, Const.InstructorPermissions.CAN_VIEW_SESSION_IN_SECTIONS);
instructor = getSqlInstructorOfCourseFromRequest(courseId);
checkAccessControlForInstructorFeedbackResult(instructor, feedbackSession);
break;
case STUDENT_RESULT:
gateKeeper.verifyAccessible(getSqlStudentOfCourseFromRequest(courseId), feedbackSession);
student = getSqlStudentOfCourseFromRequest(courseId);
checkAccessControlForStudentFeedbackResult(student, feedbackSession);
break;
default:
throw new InvalidHttpParameterException("Unknown intent " + intent);
Expand All @@ -75,12 +75,12 @@ void checkSpecificAccessControl() throws UnauthorizedAccessException {
checkAccessControlForInstructorFeedbackSubmission(instructorAttributes, feedbackSession);
break;
case INSTRUCTOR_RESULT:
gateKeeper.verifyLoggedInUserPrivileges(userInfo);
gateKeeper.verifyAccessible(logic.getInstructorForGoogleId(courseId, userInfo.getId()),
feedbackSession, Const.InstructorPermissions.CAN_VIEW_SESSION_IN_SECTIONS);
instructorAttributes = getInstructorOfCourseFromRequest(courseId);
checkAccessControlForInstructorFeedbackResult(instructorAttributes, feedbackSession);
break;
case STUDENT_RESULT:
gateKeeper.verifyAccessible(getStudentOfCourseFromRequest(courseId), feedbackSession);
studentAttributes = getStudentOfCourseFromRequest(courseId);
checkAccessControlForStudentFeedbackResult(studentAttributes, feedbackSession);
break;
default:
throw new InvalidHttpParameterException("Unknown intent " + intent);
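Review bot: The INSTRUCTOR_RESULT case drops the unconditional `gateKeeper.verifyLoggedInUserPrivileges(userInfo)` and the lookup keyed on `userInfo.getId()`, so rejecting a request with no logged-in user now depends entirely on `getSqlInstructorOfCourseFromRequest` and the helper; the helper's visible instructor branch conditions its `userInfo` check on a non-empty Google ID, and the rest of that check is outside this diff. A one-line comment on the case, `// logged-in-user and Google-ID binding checks now live in checkAccessControlForInstructorFeedbackResult`, would keep the next reader from re-adding the old guard or assuming it is gone. The same applies to the STUDENT_RESULT case, whose helper is not shown here. The enclosing checkSpecificAccessControl starts outside the hunk, and the datastore and SQL hunks must stay in step.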
13 changes: 5 additions & 8 deletions src/main/java/teammates/ui/webapi/GetSessionResultsAction.java
Expand Up @@ -53,20 +53,18 @@ private void checkSpecificAccessControlDatastore(
gateKeeper.verifyAccessible(instructor, feedbackSession);
break;
case INSTRUCTOR_RESULT:
instructor = getPossiblyUnregisteredInstructor(courseId);
gateKeeper.verifyAccessible(instructor, feedbackSession);
if (!isPreviewResults && !feedbackSession.isPublished()) {
throw new UnauthorizedAccessException("This feedback session is not yet published.", true);
}
instructor = getInstructorOfCourseFromRequest(courseId);
checkAccessControlForInstructorFeedbackResult(instructor, feedbackSession);
break;
case STUDENT_RESULT:
StudentAttributes student = getPossiblyUnregisteredStudent(courseId);
gateKeeper.verifyAccessible(student, feedbackSession);
if (!isPreviewResults && !feedbackSession.isPublished()) {
throw new UnauthorizedAccessException("This feedback session is not yet published.", true);
}
StudentAttributes student = getStudentOfCourseFromRequest(courseId);
checkAccessControlForStudentFeedbackResult(student, feedbackSession);
break;
case INSTRUCTOR_SUBMISSION:
case STUDENT_SUBMISSION:
Expand All @@ -88,18 +86,17 @@ private void checkSpecificAccessControlSql(
gateKeeper.verifyAccessible(instructor, feedbackSession);
break;
case INSTRUCTOR_RESULT:
instructor = getPossiblyUnregisteredSqlInstructor(courseId);
gateKeeper.verifyAccessible(instructor, feedbackSession);
if (!isPreviewResults && !feedbackSession.isPublished()) {
throw new UnauthorizedAccessException("This feedback session is not yet published.", true);
}
instructor = getSqlInstructorOfCourseFromRequest(courseId);
checkAccessControlForInstructorFeedbackResult(instructor, feedbackSession);
break;
case STUDENT_RESULT:
Student student = getPossiblyUnregisteredSqlStudent(courseId);
gateKeeper.verifyAccessible(student, feedbackSession);
if (!isPreviewResults && !feedbackSession.isPublished()) {
throw new UnauthorizedAccessException("This feedback session is not yet published.", true);
}
Student student = getSqlStudentOfCourseFromRequest(courseId);
checkAccessControlForStudentFeedbackResult(student, feedbackSession);
break;
case INSTRUCTOR_SUBMISSION:
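Review bot: The removed `if (!isPreviewResults && !feedbackSession.isPublished())` guard in the INSTRUCTOR_RESULT and STUDENT_RESULT cases has no visible replacement: the instructor helper added in this commit checks `CAN_VIEW_SESSION_IN_SECTIONS` and the Google ID in its non-preview branch but never calls `feedbackSession.isPublished()`, so unless `gateKeeper.verifyAccessible` enforces publication, results of an unpublished session would now be served. The student helper is not shown, so the same question applies there. If the helpers are meant to take over the check, `isPreviewResults` looks unused in both methods after this hunk and should be dropped or wired through; otherwise keep the three guard lines after each helper call. Both enclosing methods' signatures begin above the hunk.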
