Merge branch 'fix-any-teacher-can-view-paper-paper-issue' into 'Test'

fix owner of paper unable view paper in exam page







See merge request !1333

mooctest-site-server/src/main/java/cn/iselab/mooctest/site/web/ctrl/PaperController.java

@@ -2,7 +2,6 @@ package cn.iselab.mooctest.site.web.ctrl;
 
 import cn.iselab.mooctest.site.common.constant.UrlConstants;
 import cn.iselab.mooctest.site.models.Exam;
-import cn.iselab.mooctest.site.service.ExamService;
 import cn.iselab.mooctest.site.web.data.ExamVO;
 import cn.iselab.mooctest.site.web.data.SearchConditionVO;
 import cn.iselab.mooctest.site.web.exception.HttpNotFoundException;
@@ -16,7 +15,6 @@ import cn.iselab.mooctest.site.web.data.PaperVO;
 import cn.iselab.mooctest.site.web.logic.DetailStatisticsLogic;
 import cn.iselab.mooctest.site.web.logic.PaperLogic;
 import com.google.gson.Gson;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authz.UnauthenticatedException;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -55,18 +53,27 @@ public class PaperController extends BaseSearchController{
         // 试卷应该,只有管理员或者作者可以进入。
         Long userId = (Long) SecurityUtils.getSubject().getSession().getAttribute("userId");
         String permissionStr = userId.toString() + ":paper:*:" + paperId.toString();
-        boolean isOwner = SecurityUtils.getSubject().isPermitted(new PaperPermission(permissionStr));
+        boolean isPaperOwner = SecurityUtils.getSubject().isPermitted(new PaperPermission(permissionStr));
         boolean isAdmin = roleLogic.isAdmin(userId);
         boolean isStudentFromExam = (examId != null);
-        if (!isOwner && !isAdmin && !isStudentFromExam) {
+
+        // come from paper page
+        if (!isPaperOwner && !isAdmin && !isStudentFromExam) {
             throw new UnauthenticatedException("forbidden");
         }
 
-        // 试卷在考试开始前的同学应该看不到
-        if (isStudentFromExam) {
-            ExamVO exam = examLogic.getExamByIdAndParticipantIdIfPermited(examId, userId);
+        /*
+          admin and owner can view any time.
+          participant only view after upcoming state.
+         */
+        ExamVO exam = examLogic.getExamById(examId);
+        boolean isExamOwner = exam.getManagerId().equals(userId);
+        boolean isExamOwnerOrParticipant = examLogic.checkTaskViewPermission(userId, examId);
+        if (isStudentFromExam && !isAdmin && !isExamOwner) {
             if (exam.getStatus().equals(Exam.STATUS_UPCOMING)) {
                 throw new UnauthenticatedException("forbidden");
+            } else if (!isExamOwnerOrParticipant) {
+                throw new UnauthenticatedException("forbidden");
             }
         }
 
@@ -77,6 +84,18 @@ public class PaperController extends BaseSearchController{
         return paperVO;
     }
 
+    private void foo(boolean isAdmin, ExamVO exam, boolean isExamOwner, boolean isExamOwnerOrParticipant) {
+        if (exam.getStatus().equals(Exam.STATUS_UPCOMING)) {
+            if (!isExamOwner && !isAdmin) {
+                throw new UnauthenticatedException("forbidden");
+            }
+        } else {
+            if (!isExamOwner && !isAdmin && !isExamOwnerOrParticipant) {
+                throw new UnauthenticatedException("forbidden");
+            }
+        }
+    }
+
     @RequiresPermissions("paper:create")
     @RequestMapping(value = "api/paper/{paperId}", method = RequestMethod.POST)
     public PaperVO copyPaper(@PathVariable("paperId") Long paperId) {