|
|
@@ -2,7 +2,6 @@ package cn.iselab.mooctest.site.web.ctrl;
|
|
|
|
|
|
import cn.iselab.mooctest.site.common.constant.UrlConstants;
|
|
|
import cn.iselab.mooctest.site.models.Exam;
|
|
|
-import cn.iselab.mooctest.site.service.ExamService;
|
|
|
import cn.iselab.mooctest.site.web.data.ExamVO;
|
|
|
import cn.iselab.mooctest.site.web.data.SearchConditionVO;
|
|
|
import cn.iselab.mooctest.site.web.exception.HttpNotFoundException;
|
|
|
@@ -16,7 +15,6 @@ import cn.iselab.mooctest.site.web.data.PaperVO;
|
|
|
import cn.iselab.mooctest.site.web.logic.DetailStatisticsLogic;
|
|
|
import cn.iselab.mooctest.site.web.logic.PaperLogic;
|
|
|
import com.google.gson.Gson;
|
|
|
-import org.apache.commons.lang3.StringUtils;
|
|
|
import org.apache.shiro.SecurityUtils;
|
|
|
import org.apache.shiro.authz.UnauthenticatedException;
|
|
|
import org.apache.shiro.authz.annotation.RequiresPermissions;
|
|
|
@@ -55,18 +53,27 @@ public class PaperController extends BaseSearchController{
|
|
|
// 试卷应该,只有管理员或者作者可以进入。
|
|
|
Long userId = (Long) SecurityUtils.getSubject().getSession().getAttribute("userId");
|
|
|
String permissionStr = userId.toString() + ":paper:*:" + paperId.toString();
|
|
|
- boolean isOwner = SecurityUtils.getSubject().isPermitted(new PaperPermission(permissionStr));
|
|
|
+ boolean isPaperOwner = SecurityUtils.getSubject().isPermitted(new PaperPermission(permissionStr));
|
|
|
boolean isAdmin = roleLogic.isAdmin(userId);
|
|
|
boolean isStudentFromExam = (examId != null);
|
|
|
- if (!isOwner && !isAdmin && !isStudentFromExam) {
|
|
|
+
|
|
|
+ // come from paper page
|
|
|
+ if (!isPaperOwner && !isAdmin && !isStudentFromExam) {
|
|
|
throw new UnauthenticatedException("forbidden");
|
|
|
}
|
|
|
|
|
|
- // 试卷在考试开始前的同学应该看不到
|
|
|
- if (isStudentFromExam) {
|
|
|
- ExamVO exam = examLogic.getExamByIdAndParticipantIdIfPermited(examId, userId);
|
|
|
+ /*
|
|
|
+ admin and owner can view any time.
|
|
|
+ participant only view after upcoming state.
|
|
|
+ */
|
|
|
+ ExamVO exam = examLogic.getExamById(examId);
|
|
|
+ boolean isExamOwner = exam.getManagerId().equals(userId);
|
|
|
+ boolean isExamOwnerOrParticipant = examLogic.checkTaskViewPermission(userId, examId);
|
|
|
+ if (isStudentFromExam && !isAdmin && !isExamOwner) {
|
|
|
if (exam.getStatus().equals(Exam.STATUS_UPCOMING)) {
|
|
|
throw new UnauthenticatedException("forbidden");
|
|
|
+ } else if (!isExamOwnerOrParticipant) {
|
|
|
+ throw new UnauthenticatedException("forbidden");
|
|
|
}
|
|
|
}
|
|
|
|
|
|
@@ -77,6 +84,18 @@ public class PaperController extends BaseSearchController{
|
|
|
return paperVO;
|
|
|
}
|
|
|
|
|
|
+ private void foo(boolean isAdmin, ExamVO exam, boolean isExamOwner, boolean isExamOwnerOrParticipant) {
|
|
|
+ if (exam.getStatus().equals(Exam.STATUS_UPCOMING)) {
|
|
|
+ if (!isExamOwner && !isAdmin) {
|
|
|
+ throw new UnauthenticatedException("forbidden");
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ if (!isExamOwner && !isAdmin && !isExamOwnerOrParticipant) {
|
|
|
+ throw new UnauthenticatedException("forbidden");
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
@RequiresPermissions("paper:create")
|
|
|
@RequestMapping(value = "api/paper/{paperId}", method = RequestMethod.POST)
|
|
|
public PaperVO copyPaper(@PathVariable("paperId") Long paperId) {
|
xuexiaobo