
Example 16 with UnauthorizedAccessException

use of teammates.common.exception.UnauthorizedAccessException in project teammates by TEAMMATES.

the class Action method authenticateAndGetNominalUser.

/**
 * Resolves the account this request acts on behalf of.
 *
 * <p>When the request asks to masquerade as another user (via the
 * {@code USER_ID} parameter) only an admin is let through: the requested
 * account is looked up, and an unregistered target is represented by a
 * freshly built account carrying only the google id (a non-null regkey is
 * fabricated in that case). Otherwise the logged-in user is used; an
 * unregistered non-admin user is redirected to the registration page when a
 * regkey and matching student are known, and rejected otherwise.
 *
 * @param loggedInUserType type of the currently logged-in user
 * @return the nominal account, or {@code null} when a redirect page has been set
 * @throws UnauthorizedAccessException if a non-admin tries to masquerade, or an
 *         unregistered user reaches a page that requires registration
 */
protected AccountAttributes authenticateAndGetNominalUser(UserType loggedInUserType) {
    String requestedUserId = request.getParameter(Const.ParamsNames.USER_ID);

    if (isMasqueradeModeRequested(loggedInUser, requestedUserId)) {
        if (!loggedInUserType.isAdmin) {
            throw new UnauthorizedAccessException("User " + loggedInUserType.id + " is trying to masquerade as " + requestedUserId + " without admin permission.");
        }
        // Admin masquerade: use the target's account when it exists
        AccountAttributes target = logic.getAccount(requestedUserId);
        if (target != null) {
            return target;
        }
        // Target is unregistered; since an admin is masquerading, a regkey is fabricated
        if (regkey == null) {
            regkey = "any-non-null-value";
        }
        return AccountAttributes.builder().withGoogleId(requestedUserId).build();
    }

    AccountAttributes account = loggedInUser;
    // A persistence issue on the home page bypasses the registration check
    boolean isPersistenceIssueOnHomePage = isPersistenceIssue() && isHomePage();
    if (!isPersistenceIssueOnHomePage && doesUserNeedRegistration(account) && !loggedInUserType.isAdmin) {
        if (regkey == null || student == null) {
            throw new UnauthorizedAccessException("Unregistered user for a page that needs registration");
        }
        // TODO: encrypt the email as currently anyone with the regkey can
        // get the email because of this redirect:
        String joinUrl = Config.getAppUrl(student.getRegistrationUrl()).withParam(Const.ParamsNames.NEXT_URL, requestUrl).toString();
        setRedirectPage(joinUrl);
        return null;
    }

    boolean hasGoogleId = account.googleId != null;
    if (isPageNotCourseJoinRelated() && doesRegkeyBelongToUnregisteredStudent() && hasGoogleId) {
        // Logged-in user holds a regkey of a student that is still unregistered: send them to join first
        String registrationUrl = Config.getAppUrl(student.getRegistrationUrl()).withParam(Const.ParamsNames.NEXT_URL, requestUrl).toString();
        setRedirectPage(registrationUrl);
        return null;
    }
    return account;
}

Example 17 with UnauthorizedAccessException

use of teammates.common.exception.UnauthorizedAccessException in project teammates by TEAMMATES.

the class Action method authenticateNotLoggedInUser.

/**
 * Authenticates a user who is not logged in, using the registration key held
 * in {@code regkey}.
 *
 * <p>An unknown key is rejected. A key whose student already has a google id
 * is sent to the login page instead. For non-legacy links the email and
 * course id must both be supplied and must match the student on record.
 *
 * @param email email submitted with the request; may be {@code null}
 * @param courseId course id submitted with the request; may be {@code null}
 * @return an account carrying only the student's email, or {@code null} when a
 *         redirect to the login page has been set
 * @throws UnauthorizedAccessException if the key is unknown, or (for non-legacy
 *         links) the email/course are missing or do not match the key's student
 */
protected AccountAttributes authenticateNotLoggedInUser(String email, String courseId) {
    student = logic.getStudentForRegistrationKey(regkey);
    boolean keyIsUnknown = student == null;
    boolean keyOwnerHasGoogleId = !keyIsUnknown && student.googleId != null && !student.googleId.isEmpty();
    boolean extraInfoMissing = email == null || courseId == null;
    boolean extraInfoMismatch = !keyIsUnknown && (!student.email.equals(email) || !student.course.equals(courseId));

    if (keyIsUnknown) {
        // NOTE(review): the submitted key is echoed in the message; check that this
        // does not end up in logs if such keys are treated as credentials
        throw new UnauthorizedAccessException("Unknown Registration Key " + regkey);
    }
    if (keyOwnerHasGoogleId) {
        // Already registered: must log in rather than use the key
        setRedirectPage(gateKeeper.getLoginUrl(requestUrl));
        return null;
    }
    if (isNotLegacyLink() && extraInfoMissing) {
        throw new UnauthorizedAccessException("Insufficient information to authenticate user");
    }
    if (isNotLegacyLink() && extraInfoMismatch) {
        throw new UnauthorizedAccessException("Invalid email/course for given Registration Key");
    }
    // Unregistered and not logged in access given to page
    return AccountAttributes.builder().withEmail(student.email).build();
}

Example 18 with UnauthorizedAccessException

use of teammates.common.exception.UnauthorizedAccessException in project teammates by TEAMMATES.

the class StudentFeedbackResultsPageActionTest method testExecuteAndPostProcess.

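/**
 * Exercises the student feedback results page action: missing parameters,
 * sessions whose results are not yet visible, private/closed/grace-period
 * sessions, a non-existent session, an empty session, and the typical
 * published session.
 *
 * <p>Each "access denied" scenario is wrapped in try/catch so the exception
 * message can be checked; the call to {@code signalFailureToDetectException}
 * right after the page request makes the test fail when no
 * {@link UnauthorizedAccessException} is thrown, instead of passing silently.
 *
 * @throws Exception propagated from the logic/update helpers
 */
@Override
@Test
public void testExecuteAndPostProcess() throws Exception {
    FeedbackSessionAttributes session1InCourse1 = typicalBundle.feedbackSessions.get("session1InCourse1");
    FeedbackSessionAttributes emptySession = typicalBundle.feedbackSessions.get("empty.session");
    FeedbackSessionAttributes closedSession = typicalBundle.feedbackSessions.get("closedSession");
    FeedbackSessionAttributes gracePeriodSession = typicalBundle.feedbackSessions.get("gracePeriodSession");
    session1InCourse1.setResultsVisibleFromTime(session1InCourse1.getStartTime());
    FeedbackSessionsLogic.inst().updateFeedbackSession(session1InCourse1);
    StudentAttributes student1InCourse1 = typicalBundle.students.get("student1InCourse1");
    gaeSimulation.loginAsStudent(student1InCourse1.googleId);

    ______TS("invalid params");
    String[] submissionParams = new String[] {};
    verifyRedirectTo(Const.ActionURIs.STUDENT_HOME_PAGE, submissionParams);
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, session1InCourse1.getCourseId() };
    verifyRedirectTo(Const.ActionURIs.STUDENT_HOME_PAGE, submissionParams);
    submissionParams = new String[] { Const.ParamsNames.FEEDBACK_SESSION_NAME, session1InCourse1.getFeedbackSessionName() };
    verifyRedirectTo(Const.ActionURIs.STUDENT_HOME_PAGE, submissionParams);

    ______TS("results not viewable when not published");
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, session1InCourse1.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, session1InCourse1.getFeedbackSessionName() };
    FeedbackSessionsLogic.inst().unpublishFeedbackSession(session1InCourse1);
    StudentFeedbackResultsPageAction pageAction = getAction(submissionParams);
    try {
        getShowPageResult(pageAction);
        // reaching this line means access was wrongly granted
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException exception) {
        assertEquals("This feedback session is not yet visible.", exception.getMessage());
    }

    ______TS("cannot access a private session");
    FeedbackSessionsLogic.inst().publishFeedbackSession(session1InCourse1);
    session1InCourse1.setFeedbackSessionType(FeedbackSessionType.PRIVATE);
    FeedbackSessionsLogic.inst().updateFeedbackSession(session1InCourse1);
    pageAction = getAction(submissionParams);
    try {
        getShowPageResult(pageAction);
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException exception) {
        assertEquals("Feedback session [First feedback session] is not accessible to student " + "[" + student1InCourse1.email + "]", exception.getMessage());
    }
    session1InCourse1.setFeedbackSessionType(FeedbackSessionType.STANDARD);
    FeedbackSessionsLogic.inst().updateFeedbackSession(session1InCourse1);

    ______TS("access a empty session");
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, emptySession.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, emptySession.getFeedbackSessionName() };
    pageAction = getAction(submissionParams);
    ShowPageResult pageResult = getShowPageResult(pageAction);
    assertEquals(Const.ViewURIs.STUDENT_FEEDBACK_RESULTS, pageResult.destination);
    assertFalse(pageResult.isError);
    assertEquals("You have not received any new feedback but you may review your own submissions below.", pageResult.getStatusMessage());

    ______TS("access a gracePeriodSession session");
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, gracePeriodSession.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, gracePeriodSession.getFeedbackSessionName() };
    pageAction = getAction(submissionParams);
    try {
        getShowPageResult(pageAction);
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException exception) {
        assertEquals("This feedback session is not yet visible.", exception.getMessage());
    }

    ______TS("access a closed session");
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, closedSession.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, closedSession.getFeedbackSessionName() };
    pageAction = getAction(submissionParams);
    try {
        getShowPageResult(pageAction);
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException exception) {
        assertEquals("This feedback session is not yet visible.", exception.getMessage());
    }

    ______TS("access a non-existent session");
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, session1InCourse1.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, "non-existent session" };
    pageAction = getAction(submissionParams);
    try {
        getShowPageResult(pageAction);
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException exception) {
        assertEquals("Trying to access system using a non-existent feedback session entity", exception.getMessage());
    }

    ______TS("typical case");
    removeAndRestoreTypicalDataBundle();
    session1InCourse1 = FeedbackSessionsLogic.inst().getFeedbackSession(session1InCourse1.getFeedbackSessionName(), session1InCourse1.getCourseId());
    FeedbackSessionsLogic.inst().publishFeedbackSession(session1InCourse1);
    submissionParams = new String[] { Const.ParamsNames.COURSE_ID, session1InCourse1.getCourseId(), Const.ParamsNames.FEEDBACK_SESSION_NAME, session1InCourse1.getFeedbackSessionName() };
    pageAction = getAction(submissionParams);
    pageResult = getShowPageResult(pageAction);
    assertEquals(Const.ViewURIs.STUDENT_FEEDBACK_RESULTS, pageResult.destination);
    assertFalse(pageResult.isError);
    assertEquals("You have received feedback from others. Please see below.", pageResult.getStatusMessage());
    StudentFeedbackResultsPageData pageData = (StudentFeedbackResultsPageData) pageResult.data;
    // databundle time changed here because publishing sets resultsVisibleTime to now.
    typicalBundle.feedbackSessions.get("session1InCourse1").setResultsVisibleFromTime(Instant.now());
    /*
     * The comparison below can fail if the time elapsed between pageData... and dataBundle...
     * changes the time recorded by dataBundle up to the precision of seconds.
     * To solve that, verify that the time elapsed is less than one second (or else the test
     * fails after all) and if it does, change the value in the dataBundle to match.
     */
    Instant pageDataResultsVisibleFromTime = pageData.getBundle().feedbackSession.getResultsVisibleFromTime();
    Instant dataBundleResultsVisibleFromTime = typicalBundle.feedbackSessions.get("session1InCourse1").getResultsVisibleFromTime();
    Duration difference = Duration.between(pageDataResultsVisibleFromTime, dataBundleResultsVisibleFromTime);
    long toleranceTimeInMs = 1000;
    if (difference.compareTo(Duration.ofMillis(toleranceTimeInMs)) < 0) {
        // change to the value that will never make the test fail
        typicalBundle.feedbackSessions.get("session1InCourse1").setResultsVisibleFromTime(pageData.getBundle().feedbackSession.getResultsVisibleFromTime());
    }
    List<FeedbackSessionAttributes> expectedInfoList = new ArrayList<>();
    List<FeedbackSessionAttributes> actualInfoList = new ArrayList<>();
    expectedInfoList.add(typicalBundle.feedbackSessions.get("session1InCourse1"));
    actualInfoList.add(pageData.getBundle().feedbackSession);
    AssertHelper.assertSameContentIgnoreOrder(expectedInfoList, actualInfoList);
    assertEquals(student1InCourse1.googleId, pageData.account.googleId);
    assertEquals(student1InCourse1.getIdentificationString(), pageData.student.getIdentificationString());
}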

Example 19 with UnauthorizedAccessException

use of teammates.common.exception.UnauthorizedAccessException in project teammates by TEAMMATES.

the class StudentProfilePictureActionTest method testActionWithEmailAndCourseUnauthorisedInstructorOrStudent.

/**
 * Checks that the profile picture is refused, with the expected message, to
 * instructors and students who are not entitled to view it: an instructor of
 * another course, an instructor of the same course lacking the viewing
 * privilege, a student of another course, and a student of another team.
 */
private void testActionWithEmailAndCourseUnauthorisedInstructorOrStudent() {
    String[] submissionParams = new String[] { Const.ParamsNames.STUDENT_EMAIL, StringHelper.encrypt(student.email), Const.ParamsNames.COURSE_ID, StringHelper.encrypt(student.course) };

    ______TS("Failure case: instructor not from same course");
    AccountAttributes instructorOfOtherCourse = typicalBundle.accounts.get("instructor1OfCourse2");
    gaeSimulation.loginAsInstructor(instructorOfOtherCourse.googleId);
    assertPhotoAccessDenied(submissionParams, "User is not in the course that student belongs to");

    ______TS("Failure case: instructor from same course with no 'viewing student' privilege");
    AccountAttributes helperOfSameCourse = typicalBundle.accounts.get("helperOfCourse1");
    gaeSimulation.loginAsInstructor(helperOfSameCourse.googleId);
    assertPhotoAccessDenied(submissionParams, "Instructor does not have enough privileges to view the photo");

    ______TS("Failure case: student not from same course");
    AccountAttributes studentOfOtherCourse = typicalBundle.accounts.get("student1InArchivedCourse");
    gaeSimulation.loginAsStudent(studentOfOtherCourse.googleId);
    assertPhotoAccessDenied(submissionParams, "User is not in the course that student belongs to");

    ______TS("Failure case: student not from same team");
    StudentAttributes studentOfOtherTeam = typicalBundle.students.get("student5InCourse1");
    gaeSimulation.loginAsStudent(studentOfOtherTeam.googleId);
    assertPhotoAccessDenied(submissionParams, "Student does not have enough privileges to view the photo");
}

/**
 * Runs the picture action for the currently logged-in user and asserts that it
 * is rejected with an {@link UnauthorizedAccessException} carrying
 * {@code expectedMessage}; a request that goes through is a test failure.
 *
 * @param submissionParams request parameters identifying the target student
 * @param expectedMessage exact message the rejection must carry
 */
private void assertPhotoAccessDenied(String[] submissionParams, String expectedMessage) {
    StudentProfilePictureAction action = getAction(submissionParams);
    try {
        action.executeAndPostProcess();
        // reaching this line means the request was not rejected
        signalFailureToDetectException("Unauthorised Access");
    } catch (UnauthorizedAccessException uae) {
        assertEquals(expectedMessage, uae.getMessage());
    }
}

Example 20 with UnauthorizedAccessException

use of teammates.common.exception.UnauthorizedAccessException in project teammates by TEAMMATES.

the class SystemErrorEmailReportTest method testUnauthorizedAccessException.

// TODO: this test should be moved to the class testing access control
/**
 * Drives the admin exception-test endpoint with {@code UnauthorizedAccessException}
 * as the requested error; the check that no error email is sent is manual
 * (see the printed reminder).
 */
private void testUnauthorizedAccessException() {
    ______TS("UnauthorizedAccessException testing");
    // the endpoint selects the exception to raise by its simple class name
    String requestedError = UnauthorizedAccessException.class.getSimpleName();
    page.navigateTo(createUrl(Const.ActionURIs.ADMIN_EXCEPTION_TEST).withParam(Const.ParamsNames.ERROR, requestedError));
    print("This exception is handled by system, make sure you don't receive any emails. ");
}
