Fixes for massive load of student grades and permissions in Spring Se…

…curity (#122) - Fixed permissions for students and remove 403 Forbidden when updating a student's grade - Fixed massive load of student grades
MatiasComercio · Feb 5, 2017 · ad79540 · ad79540
1 parent 2a3a3aa
commit ad79540
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/webapp/src/main/java/ar/edu/itba/paw/webapp/config/WebAuthConfig.java b/webapp/src/main/java/ar/edu/itba/paw/webapp/config/WebAuthConfig.java
@@ -40,13 +40,21 @@ protected void configure(final HttpSecurity http) throws Exception {
 					.authorizeRequests()
 
 						// StudentController permissions
+						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "/students/*/finalInscriptions/*/qualify").hasAuthority("ADMIN")
 						.antMatchers(HttpMethod.POST,   API_PREFIX_VERSION + "/students/*/grades/*").hasAuthority("EDIT_GRADE")
 						.antMatchers(HttpMethod.POST,   API_PREFIX_VERSION + "/students/*/grades").hasAuthority("ADD_GRADE")
+						.antMatchers(HttpMethod.DELETE, API_PREFIX_VERSION + "/students/*").hasAuthority("DELETE_STUDENT")
 						.antMatchers(HttpMethod.POST,   API_PREFIX_VERSION + "/students").hasAuthority("ADD_STUDENT")
-						.antMatchers(HttpMethod.DELETE, API_PREFIX_VERSION + "/students").hasAuthority("DELETE_STUDENT")
 
 						// CourseController permissions
-						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "courses/finalInscriptions/*/grades").hasAuthority("ADMIN")
+
+
+						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "/courses/*/finalInscriptions/*/qualify").hasAuthority("ADMIN")
+						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "/courses/*/finalInscriptions/*").hasAuthority("ADMIN")
+						.antMatchers(HttpMethod.DELETE, API_PREFIX_VERSION + "/courses/*/finalInscriptions/*").hasAuthority("ADMIN")
+						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "/courses/*/finalInscriptions").hasAuthority("ADMIN")
+						.antMatchers(HttpMethod.POST, API_PREFIX_VERSION + "/courses/*/students/qualify").hasAuthority("ADMIN")
+						.antMatchers(HttpMethod.GET, API_PREFIX_VERSION + "/courses/*/correlatives/available").hasAuthority("ADMIN")
 						.antMatchers(HttpMethod.DELETE, API_PREFIX_VERSION + "/courses/*/correlatives/*").hasAuthority("DELETE_CORRELATIVE")
 						.antMatchers(HttpMethod.POST,   API_PREFIX_VERSION + "/courses/*/correlatives").hasAuthority("ADD_CORRELATIVE")
 						.antMatchers(HttpMethod.POST,   API_PREFIX_VERSION + "/courses/*").hasAuthority("EDIT_COURSE")

diff --git a/webapp/src/main/java/ar/edu/itba/paw/webapp/controllers/CourseController.java b/webapp/src/main/java/ar/edu/itba/paw/webapp/controllers/CourseController.java
@@ -207,6 +207,7 @@ public Response coursesStudentsQualify(@PathParam("courseId") final String cours
 
 					if (studentCourses == null || !studentCourses.contains(course)) {
 						httpStatusList.add(String.valueOf(docket), Status.CONFLICT);
+					} else {
 						final Grade grade = new Grade.Builder(null, student, course.getId(), course.getCourseId(), gradeValue).build();
 
 						grade.setCourse(course);

diff --git a/webapp/src/main/java/ar/edu/itba/paw/webapp/controllers/StudentController.java b/webapp/src/main/java/ar/edu/itba/paw/webapp/controllers/StudentController.java
@@ -320,11 +320,6 @@ public Response studentsGradesUpdate(
       return status(Status.NOT_FOUND).build();
     }
 
-	  final int dni = LoggedUser.getDni();
-	  if (dni != student.getDni() && !LoggedUser.isAdmin()) {
-		  return status(Status.FORBIDDEN).build();
-	  }
-
     final Course course = cs.getByCourseID(gradeDTO.getCourseId());
     if(course == null){
       return status(Status.BAD_REQUEST).build();