
FIX: Null pointer in shiro authorizationInfo permission

zhangxin před 8 roky
rodič
revize
61f3d89802

+ 36 - 27
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/configure/realm/ShiroRealm.java

@@ -56,39 +56,49 @@ public class ShiroRealm extends AuthorizingRealm {
     @Autowired
     private PermissionService permissionService;
 
-    private Logger LOG= LoggerFactory.getLogger(getClass());
+    private Logger LOG = LoggerFactory.getLogger(getClass());
+
     @Override
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
 
         String username = (String) principals.getPrimaryPrincipal();
-        LOG.info("username + "+System.currentTimeMillis());
         Long userId = userService.findByUsername(username).getId();
-        LOG.info("userId + "+System.currentTimeMillis());
         List<Role> roles = roleService.getRolesOfUser(username);
-        LOG.info("roles + "+System.currentTimeMillis());
         SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
         info.setRoles(roles.stream().map(Role::getName).collect(Collectors.toSet()));
-        LOG.info("setRoles + "+System.currentTimeMillis());
 
         Set<String> permissions = new HashSet<>();
         permissions.addAll(getRolePermissions(roles));
-        LOG.info("rolePermissions + "+System.currentTimeMillis());
-        permissions.addAll(getTaskPermissions(userId));
-        LOG.info("taskPermissions + "+System.currentTimeMillis());
-        permissions.addAll(getGroupPermissions(userId));
-        LOG.info("GroupPermissions + "+System.currentTimeMillis());
-        permissions.addAll(getCasePermissions(userId));
-        LOG.info("casePermissions + "+System.currentTimeMillis());
-        permissions.addAll(getReportPermissions(userId));
-        LOG.info("reportPermissions + "+System.currentTimeMillis());
-        permissions.addAll(getAppPermissions(userId));
-        LOG.info("appPermissions + "+System.currentTimeMillis());
-
-        permissions.addAll(getPaperPermissions(userId));
-        LOG.info("paperPermissions + "+System.currentTimeMillis());
+
+        Set<String> taskPermission = getTaskPermissions(userId);
+        Set<String> groupPermission = getGroupPermissions(userId);
+        Set<String> casePermission = getCasePermissions(userId);
+        Set<String> reportPermission = getReportPermissions(userId);
+        Set<String> appPermission = getAppPermissions(userId);
+        Set<String> paperPermission = getPaperPermissions(userId);
+
+        if (taskPermission != null) {
+            permissions.addAll(getTaskPermissions(userId));
+        }
+        if (groupPermission != null) {
+            permissions.addAll(getGroupPermissions(userId));
+        }
+        if (casePermission != null) {
+            permissions.addAll(getCasePermissions(userId));
+        }
+        if (reportPermission != null) {
+            permissions.addAll(getReportPermissions(userId));
+        }
+        if (appPermission != null) {
+            permissions.addAll(getAppPermissions(userId));
+        }
+        if (paperPermission != null) {
+            permissions.addAll(getPaperPermissions(userId));
+        }
 
         info.setStringPermissions(permissions);
 
+        LOG.info("permissionStr+" + info.getStringPermissions());
         return info;
     }
 
@@ -106,7 +116,7 @@ public class ShiroRealm extends AuthorizingRealm {
     private Set<String> getTaskPermissions(Long userId) {
 
         List<TaskPermission> taskPermissions = taskPermissionService.getTaskPermissionsByuserId(userId);
-        if (taskPermissions.size() == 0){
+        if (taskPermissions.size() == 0) {
             return null;
         }
         return taskPermissions.stream().map(TaskPermission::toString).collect(Collectors.toSet());
@@ -116,17 +126,16 @@ public class ShiroRealm extends AuthorizingRealm {
     private Set<String> getAppPermissions(Long userId) {
 
         List<AppPermission> appPermissions = appPermissionService.getAppPermissionsByUserId(userId);
-        if (appPermissions.size() == 0){
+        if (appPermissions.size() == 0) {
             return null;
         }
         return appPermissions.stream().map(AppPermission::toString).collect(Collectors.toSet());
-
     }
 
     private Set<String> getReportPermissions(Long userId) {
 
         List<ReportPermission> reportPermissions = reportPermissionService.getReportPermissionsByuserId(userId);
-        if (reportPermissions.size() == 0){
+        if (reportPermissions.size() == 0) {
             return null;
         }
         return reportPermissions.stream().map(ReportPermission::toString).collect(Collectors.toSet());
@@ -136,7 +145,7 @@ public class ShiroRealm extends AuthorizingRealm {
     private Set<String> getPaperPermissions(Long userId) {
 
         List<PaperPermission> paperPermissions = paperPermissionService.getPaperPermissionsByUserId(userId);
-        if (paperPermissions.size() == 0){
+        if (paperPermissions.size() == 0) {
             return null;
         }
         return paperPermissions.stream().map(PaperPermission::toString).collect(Collectors.toSet());
@@ -146,7 +155,7 @@ public class ShiroRealm extends AuthorizingRealm {
     private Set<String> getGroupPermissions(Long userId) {
 
         List<GroupPermission> groupPermissions = groupPermissionService.getGroupPermissionsByUserId(userId);
-        if (groupPermissions.size() == 0){
+        if (groupPermissions.size() == 0) {
             return null;
         }
         return groupPermissions.stream().map(GroupPermission::toString).collect(Collectors.toSet());
@@ -155,7 +164,7 @@ public class ShiroRealm extends AuthorizingRealm {
     private Set<String> getCasePermissions(Long userId) {
 
         List<CasePermission> casePermissions = casePermissionService.getCasePermissionsByuserId(userId);
-        if (casePermissions.size() == 0){
+        if (casePermissions.size() == 0) {
             return null;
         }
         return casePermissions.stream().map(CasePermission::toString).collect(Collectors.toSet());
@@ -166,7 +175,7 @@ public class ShiroRealm extends AuthorizingRealm {
 
         UsernamePasswordToken upToken = (UsernamePasswordToken) token;
         String username = upToken.getUsername();
-        User user =  userService.findByEmail(username);
+        User user = userService.findByEmail(username);
         // Null username is invalid
         if (user == null) {
             throw new AccountException("Null usernames are not allowed by this realm.");
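Review bot: The six `if (taskPermission != null)` blocks in doGetAuthorizationInfo re-run the lookup (`permissions.addAll(getTaskPermissions(userId));`) instead of adding the local fetched just above, so every authorization check executes each instance-permission query twice and the null test guards a different result than the one actually added; use the locals (`permissions.addAll(taskPermission);`) or a small helper as below. The null itself comes from the `return null` on empty lists kept in getTaskPermissions, getAppPermissions, getReportPermissions, getPaperPermissions, getGroupPermissions and getCasePermissions in the later hunks of this file; returning `Collections.emptySet()` there removes the need for any null check and is the more robust fix. The new `LOG.info("permissionStr+" + info.getStringPermissions())` writes the complete permission set of every user at INFO on every authorization call, which is high-volume and hands anyone reading the logs a full map of the authorization model, so it should be DEBUG at most (parameterized if this logger is SLF4J). The unchanged `userService.findByUsername(username).getId()` above it still dereferences the lookup without a null check, so the NPE the commit title describes can still occur for a principal with no user row; doGetAuthenticationInfo further down already handles the null-user case and could be mirrored.
```java
        // … unchanged: username, userId, roles, info.setRoles …
        Set<String> permissions = new HashSet<>();
        permissions.addAll(getRolePermissions(roles));
        addAllIfPresent(permissions, getTaskPermissions(userId));
        addAllIfPresent(permissions, getGroupPermissions(userId));
        addAllIfPresent(permissions, getCasePermissions(userId));
        addAllIfPresent(permissions, getReportPermissions(userId));
        addAllIfPresent(permissions, getAppPermissions(userId));
        addAllIfPresent(permissions, getPaperPermissions(userId));
        info.setStringPermissions(permissions);
        LOG.debug("permissions for {}: {}", username, permissions);
        return info;
    }

    /** Adds {@code source} to {@code target}; the per-instance lookups return null for "no rows". */
    private static void addAllIfPresent(Set<String> target, Set<String> source) {
        if (source != null) {
            target.addAll(source);
        }
    }
```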

+ 7 - 6
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/models/instancePermission/AppPermission.java

@@ -1,7 +1,5 @@
 package cn.iselab.mooctest.site.models.instancePermission;
 
-import org.apache.shiro.authz.permission.WildcardPermission;
-
 import javax.persistence.*;
 import java.sql.Timestamp;
 
@@ -11,7 +9,7 @@ import java.sql.Timestamp;
  */
 @Entity
 @Table(name = "app_permission")
-public class AppPermission extends WildcardPermission {
+public class AppPermission {
     @Id
     @GeneratedValue
     private Long id;
@@ -44,9 +42,7 @@ public class AppPermission extends WildcardPermission {
         this.userId = userId;
     }
 
-    public String getOperation() {
-        return operation;
-    }
+    public String getOperation() {return operation;}
 
     public void setOperation(String operation) {
         this.operation = operation;
@@ -67,4 +63,9 @@ public class AppPermission extends WildcardPermission {
     public void setCreateTime(Timestamp createTime) {
         this.createTime = createTime;
     }
+
+    @Override
+    public String toString() {
+        return String.join(":", userId.toString(), "app", operation, instanceId.toString());
+    }
 }
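Review bot: The added toString calls `userId.toString()` and `instanceId.toString()` on boxed Long fields, so a persisted row with either column null throws an NPE from inside the realm's permission lookup and fails authorization for every resource of that user; the same applies to the identical toString added to PaperPermission and ReportPermission in this commit. Because ShiroRealm maps these entities with `AppPermission::toString` into Shiro permission strings, this method is effectively the authorization encoding, not a debug representation, so it is safer to name it explicitly (for example `toPermissionString()`) and to reject null fields with an IllegalStateException rather than emit a string such as `12:app:view:null`. The `operation` segment is spliced from a stored value into a wildcard permission, so `setOperation` should reject values containing `:`, `,` or `*`, which would change the meaning of the resulting permission. Collapsing `getOperation` onto one line also departs from the brace style used by every other accessor in the file.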

+ 6 - 3
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/models/instancePermission/PaperPermission.java

@@ -1,7 +1,5 @@
 package cn.iselab.mooctest.site.models.instancePermission;
 
-import org.apache.shiro.authz.permission.WildcardPermission;
-
 import javax.persistence.*;
 import java.sql.Timestamp;
 
@@ -11,7 +9,7 @@ import java.sql.Timestamp;
  */
 @Entity
 @Table(name = "paper_permission")
-public class PaperPermission extends WildcardPermission {
+public class PaperPermission {
 
     @Id
     @GeneratedValue
@@ -68,4 +66,9 @@ public class PaperPermission extends WildcardPermission {
     public void setCreateTime(Timestamp createTime) {
         this.createTime = createTime;
     }
+
+    @Override
+    public String toString() {
+        return String.join(":", userId.toString(), "paper", operation, instanceId.toString());
+    }
 }

+ 6 - 3
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/models/instancePermission/ReportPermission.java

@@ -1,7 +1,5 @@
 package cn.iselab.mooctest.site.models.instancePermission;
 
-import org.apache.shiro.authz.permission.WildcardPermission;
-
 import javax.persistence.*;
 import java.sql.Timestamp;
 
@@ -11,7 +9,7 @@ import java.sql.Timestamp;
  */
 @Entity
 @Table(name = "report_permission")
-public class ReportPermission extends WildcardPermission{
+public class ReportPermission{
 
     @Id
     @GeneratedValue
@@ -68,4 +66,9 @@ public class ReportPermission extends WildcardPermission{
     public void setCreateTime(Timestamp createTime) {
         this.createTime = createTime;
     }
+
+    @Override
+    public String toString() {
+        return String.join(":", userId.toString(), "report", operation, instanceId.toString());
+    }
 }

+ 2 - 1
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/models/instancePermission/TaskPermission.java

@@ -70,7 +70,8 @@ public class TaskPermission {
     }
 
     @Override
-    public String toString() {
+    public String toString()
+    {
         return String.join(":", userId.toString(), "task", operation, instanceId.toString());
     }
 }

+ 24 - 16
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/web/ctrl/ExamController.java

@@ -5,6 +5,10 @@ import cn.iselab.mooctest.site.web.data.AssignedTaskVO;
 import cn.iselab.mooctest.site.web.data.ExamVO;
 import cn.iselab.mooctest.site.web.exception.IllegalOperationException;
 import cn.iselab.mooctest.site.web.logic.ExamLogic;
+import cn.iselab.mooctest.site.web.logic.UserLogic;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.UnauthorizedException;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageRequest;
@@ -24,6 +28,10 @@ public class ExamController {
     @Autowired
     ExamLogic examLogic;
 
+    @Autowired
+    private UserLogic userLogic;
+
+    @RequiresPermissions("tasks:view")
     @RequestMapping(value = "api/exams", method = RequestMethod.GET)
     public Page<ExamVO> getExamList(@RequestParam(value = "organizer_id", required = false) Long organizerId
             , @RequestParam(value = "participant_id", required = false) Long participantId,
@@ -47,44 +55,44 @@ public class ExamController {
 
 
     @RequestMapping(value = "api/exam/{examId}", method = RequestMethod.GET)
-    public ExamVO getExamById(@PathVariable Long examId)
-    {
-//        Long userId = userLogic.findUserByEmail((String)SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal()).getId();
-//        String permissionStr = String.valueOf(userId)+":task:view:"+String.valueOf(examId);
-//        if (!SecurityUtils.getSubject().isPermitted(permissionStr)){
-//            throw new UnauthorizedException("unauthorized");
-//        }
+    public ExamVO getExamById(@PathVariable Long examId) {
+        String username = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
+        Long userId = userLogic.findUserByEmail(username).getId();
+        String permissionStr = String.valueOf(userId) + ":task:view:" + String.valueOf(examId);
+        if (!SecurityUtils.getSubject().isPermitted(permissionStr)) {
+            throw new UnauthorizedException("unauthorized");
+        }
         return examLogic.getExamById(examId);
     }
 
-    @RequestMapping(value= "api/exam", method = RequestMethod.POST)
+    @RequestMapping(value = "api/exam", method = RequestMethod.POST)
     public ExamVO create(@RequestBody ExamVO examVO) {
         return examLogic.createExam(examVO);
     }
 
-    @RequestMapping(value= "api/exam/{examId}", method = RequestMethod.PUT)
-    public ExamVO update(@PathVariable Long examId,@RequestBody ExamVO examVO) {
-        if(!examId.equals(examVO.getId())){
+    @RequestMapping(value = "api/exam/{examId}", method = RequestMethod.PUT)
+    public ExamVO update(@PathVariable Long examId, @RequestBody ExamVO examVO) {
+        if (!examId.equals(examVO.getId())) {
             throw new IllegalArgumentException();
         }
         return examLogic.updateExam(examVO);
     }
 
-    @RequestMapping(value = UrlConstants.API+"assignedTask", method = RequestMethod.GET)
+    @RequestMapping(value = UrlConstants.API + "assignedTask", method = RequestMethod.GET)
     public Page<AssignedTaskVO> getAssignedTaskByExamId(@RequestParam(name = "examId", required = false) Long examId,
-                                    HttpServletRequest request) throws Exception{
+                                                        HttpServletRequest request) throws Exception {
         String activePage = request.getHeader("activePage");
         String rowsOnPage = request.getHeader("rowsOnPage");
-        if(activePage == null || rowsOnPage == null) {
+        if (activePage == null || rowsOnPage == null) {
             throw new IllegalArgumentException("缺少分页信息");
         }
         Pageable pageable = new PageRequest(Integer.parseInt(activePage) - 1, Integer.parseInt(rowsOnPage));
         return examLogic.getAssignedTasks(examId, pageable);
     }
 
-    @RequestMapping(value = UrlConstants.API+"scoreList", method = RequestMethod.GET)
+    @RequestMapping(value = UrlConstants.API + "scoreList", method = RequestMethod.GET)
     public List<Double> getScoreListByExamId(@RequestParam(name = "examId", required = false) Long examId,
-                                                HttpServletRequest request) throws Exception{
+                                             HttpServletRequest request) throws Exception {
         return examLogic.getScoreList(examId);
     }
 }
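Review bot: In the new getExamById body, `userLogic.findUserByEmail(username).getId()` dereferences the lookup without a null check, so a principal with no matching user row produces a 500 from an NPE instead of an authorization failure; add `if (user == null) { throw new UnauthorizedException("unauthorized"); }` after the lookup, as the realm's authentication path already does. ShiroRealm builds the permission set from `userService.findByUsername(principal)` while this controller resolves the same principal via `findUserByEmail`; if a username and an email can differ for one account, the `userId` prefix checked here may not be the one the realm used, so confirm both resolve the same user. The `isPermitted`/throw pair can be reduced to `SecurityUtils.getSubject().checkPermission(permissionStr);`, provided the exception handler maps its AuthorizationException parent as well. The `@RequiresPermissions("tasks:view")` added to getExamList uses a different resource segment (`tasks`) than the realm-generated `userId:task:view:id` strings; confirm that role permissions actually grant `tasks:view` and that Shiro's annotation advisor is registered, since otherwise the annotation either denies every request or is silently ignored.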

+ 0 - 1
mooctest-site-server/src/main/java/cn/iselab/mooctest/site/web/ctrl/TestController.java

@@ -128,5 +128,4 @@ public class TestController {
         userLogic.deleteRepeatedUser(userVO.getEmail());
     }
 
-
 }