OO-4065: defense against rogue roles

src/main/java/org/olat/basesecurity/manager/OrganisationDAO.java

@@ -500,7 +500,7 @@ public class OrganisationDAO {
 		sb.append("select membership.role, count(distinct membership.key) from organisation org")
 		  .append(" inner join org.group baseGroup")
 		  .append(" inner join baseGroup.members membership")
-		  .append(" where org.key=:organisationKey and membership.identity.key in (:identityKeys)")
+		  .append(" where org.key=:organisationKey and membership.identity.key in (:identityKeys) and membership.role is not null")
 		  .append(" group by membership.role");
 		
 		List<Long> identityKeys = identities.stream()

src/main/java/org/olat/user/ui/admin/bulk/move/ChooseRolesController.java

@@ -97,26 +97,26 @@ public class ChooseRolesController extends StepFormBasicController {
 
 	@Override
 	protected void initForm(FormItemContainer formLayout, Controller listener, UserRequest ureq) {
-		int numOfRoles = statistics.size();
-		String[] roleKeys = new String[statistics.size()];
-		String[] roleValues = new String[statistics.size()];
-		for(int i=0; i<numOfRoles; i++) {
-			OrganisationMembershipStats stats = statistics.get(i);
-			roleKeys[i] = stats.getRole().name();
-			roleValues[i] = translate("role.".concat(stats.getRole().name())) + " ( " + stats.getNumOfMembers() + " )"; 
+		KeyValues rolesKeyValues = new KeyValues();
+		for(OrganisationMembershipStats stats:statistics) {
+			if(stats.getRole() != null) {
+				String roleKey = stats.getRole().name();
+				String roleValue = translate("role.".concat(stats.getRole().name())) + " ( " + stats.getNumOfMembers() + " )";
+				rolesKeyValues.add(KeyValues.entry(roleKey, roleValue));
+			}
 		}
-		rolesEl = uifactory.addCheckboxesVertical("roles", formLayout, roleKeys, roleValues, 1);
+		rolesEl = uifactory.addCheckboxesVertical("roles", formLayout, rolesKeyValues.keys(), rolesKeyValues.values(), 1);
 		
 		uifactory.addStaticTextElement("source.organisation", organisation.getDisplayName(), formLayout);
 
-		KeyValues keyValues = new KeyValues();
+		KeyValues organisationsKeyValues = new KeyValues();
 		for(Organisation target:targetOrganisations) {
 			String organisationKey = target.getKey().toString();
 			String parentLine = organisationWithParentLine(target);
-			keyValues.add(KeyValues.entry(organisationKey, parentLine));
+			organisationsKeyValues.add(KeyValues.entry(organisationKey, parentLine));
 		}
-		keyValues.sort(KeyValues.VALUE_ASC);
-		targetOrganisationEl = uifactory.addDropdownSingleselect("target.organisation", formLayout, keyValues.keys(), keyValues.values());
+		organisationsKeyValues.sort(KeyValues.VALUE_ASC);
+		targetOrganisationEl = uifactory.addDropdownSingleselect("target.organisation", formLayout, organisationsKeyValues.keys(), organisationsKeyValues.values());
 	}
 	
 	private String organisationWithParentLine(Organisation org) {