Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -36,4 +36,8 @@ public class BatchStudentChangePasswordParameters extends ChangePasswordParamete
@Getter
@Setter
private Long groupId;

@Getter
@Setter
private Long runId;
}
Original file line number Diff line number Diff line change
Expand Up @@ -89,12 +89,14 @@ public class BatchStudentChangePasswordController {
@RequestMapping(method = RequestMethod.GET)
public String initializeForm(ModelMap model, HttpServletRequest request) throws Exception {
User user = ControllerUtil.getSignedInUser();
Run run = runService.retrieveById(Long.parseLong(request.getParameter("runId")));
Long runId = Long.parseLong(request.getParameter("runId"));
Run run = runService.retrieveById(runId);

if (user.isAdmin() ||
aclService.hasPermission(run, BasePermission.ADMINISTRATION, user) ||
aclService.hasPermission(run, BasePermission.WRITE, user)) {
BatchStudentChangePasswordParameters params = new BatchStudentChangePasswordParameters();
params.setRunId(runId);
params.setGroupId(Long.parseLong(request.getParameter(GROUPID_PARAM_NAME)));
params.setTeacherUser(user);
model.addAttribute("batchStudentChangePasswordParameters", params);
Expand All @@ -116,7 +118,7 @@ public String initializeForm(ModelMap model, HttpServletRequest request) throws
protected String onSubmit(
@ModelAttribute("batchStudentChangePasswordParameters") BatchStudentChangePasswordParameters batchStudentChangePasswordParameters,
BindingResult bindingResult,
SessionStatus sessionStatus) {
SessionStatus sessionStatus) throws NotAuthorizedException {
String view = "";
try {
changePasswordParametersValidator.validate(batchStudentChangePasswordParameters, bindingResult);
Expand All @@ -125,6 +127,7 @@ protected String onSubmit(
view = formView;
} else {
Long groupId = batchStudentChangePasswordParameters.getGroupId();
assertCanChangeGroupPasswords(batchStudentChangePasswordParameters.getRunId(), groupId);
Group group = groupService.retrieveById(groupId);
Iterator<User> membersIter = group.getMembers().iterator();
User member;
Expand All @@ -143,4 +146,27 @@ protected String onSubmit(
}
return view;
}

/**
* Verify that the signed-in teacher may change the passwords of the students in the
* given group. The teacher must own the run and the group must be one of that run's
* periods, so a teacher cannot reset the passwords of another teacher's students by
* submitting a group id that belongs to a run they do not own.
*/
private void assertCanChangeGroupPasswords(Long runId, Long groupId)
throws ObjectNotFoundException, NotAuthorizedException {
if (runId == null || groupId == null) {
throw new NotAuthorizedException("You are not authorized to change these passwords.");
}
User teacher = ControllerUtil.getSignedInUser();
Run run = runService.retrieveById(runId);
boolean canManageRun = teacher.isAdmin()
|| aclService.hasPermission(run, BasePermission.ADMINISTRATION, teacher)
|| aclService.hasPermission(run, BasePermission.WRITE, teacher);
boolean groupBelongsToRun = run.getPeriods().stream()
.anyMatch(period -> groupId.equals(period.getId()));
if (!canManageRun || !groupBelongsToRun) {
throw new NotAuthorizedException("You are not authorized to change these passwords.");
}
}
}