From 46d50a3baf1f1e701c8830642e82ad3e155c0b65 Mon Sep 17 00:00:00 2001
From: gnaegi <none@none>
Date: Thu, 7 Jun 2012 15:10:20 +0200
Subject: [PATCH] OO-279 add missing quota permission check in repository entry
 details page, move check code to quota manager

---
 .../quota/GenericQuotaEditController.java      | 17 ++++++-----------
 .../org/olat/admin/quota/QuotaController.java  | 18 ++++++------------
 .../org/olat/admin/quota/QuotaManagerImpl.java | 11 +++++++++++
 .../olat/basesecurity/BaseSecurityManager.java |  3 ---
 .../org/olat/core/util/vfs/QuotaManager.java   |  9 +++++++++
 .../RepositoryEditPropertiesController.java    | 18 ++++++++++++------
 6 files changed, 44 insertions(+), 32 deletions(-)

diff --git a/src/main/java/org/olat/admin/quota/GenericQuotaEditController.java b/src/main/java/org/olat/admin/quota/GenericQuotaEditController.java
index 1e0e5904215..eecaebcfe1d 100644
--- a/src/main/java/org/olat/admin/quota/GenericQuotaEditController.java
+++ b/src/main/java/org/olat/admin/quota/GenericQuotaEditController.java
@@ -25,9 +25,6 @@
 
 package org.olat.admin.quota;
 
-import org.olat.basesecurity.BaseSecurity;
-import org.olat.basesecurity.BaseSecurityManager;
-import org.olat.basesecurity.Constants;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
 import org.olat.core.gui.components.link.Link;
@@ -39,7 +36,6 @@ import org.olat.core.gui.control.WindowControl;
 import org.olat.core.gui.control.controller.BasicController;
 import org.olat.core.logging.AssertException;
 import org.olat.core.logging.OLATSecurityException;
-import org.olat.core.util.resource.OresHelper;
 import org.olat.core.util.vfs.Quota;
 import org.olat.core.util.vfs.QuotaManager;
 
@@ -49,6 +45,9 @@ import org.olat.core.util.vfs.QuotaManager;
  * folder path. When finished the controller fires the following events:<BR>
  * Event.CANCELLED_EVENT
  * Event.CHANGED_EVENT
+ * <p>
+ * Check with QuotaManager.hasQuotaEditRights if you are allowed to use this
+ * controller. Fires an exception if user is not allowed to call controller.
  * <P>
  * Initial Date:  Dec 22, 2004
  *
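Review bot: The new Javadoc says the controller "Fires an exception", but two lines above it uses "fires" for the CANCELLED/CHANGED events, so a reader may take the security failure for another event; the check in `initMyContent` actually throws an OLATSecurityException from the constructor. Reword to `Throws an OLATSecurityException from the constructor if the identity is not permitted; check QuotaManager.hasQuotaEditRights before creating this controller.` so the fail-closed behaviour and its timing are unambiguous.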
@@ -88,7 +87,7 @@ public class GenericQuotaEditController extends BasicController {
 		// init velocity context
 		initMyContent(ureq);
 		if (currentQuota == null) {
-			this.currentQuota = QuotaManager.getInstance().createQuota(relPath, null, null);
+			this.currentQuota = qm.createQuota(relPath, null, null);
 			myContent.contextPut("editQuota", Boolean.FALSE);			
 		} else {
 			initQuotaForm(ureq, currentQuota);			
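Review bot: `qm` on the replaced `createQuota` line is not declared anywhere in this patch; the only `qm` the patch introduces is a local inside `initMyContent`, so this constructor line can only compile if a `qm` field already exists outside the hunk. If that field exists, the local `QuotaManager qm = QuotaManager.getInstance();` added to `initMyContent` shadows it, and the two call sites may end up with different instances should the field ever be injected rather than looked up. Prefer assigning the field once and referencing it in both places, or keep `QuotaManager.getInstance().createQuota(...)` here. The constructor starts and ends outside the hunk.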
@@ -122,11 +121,8 @@ public class GenericQuotaEditController extends BasicController {
 	}
 
 	private void initMyContent(UserRequest ureq) {
-		BaseSecurity mgr = BaseSecurityManager.getInstance();
-		if (!mgr.isIdentityPermittedOnResourceable(
-				ureq.getIdentity(), 
-				Constants.PERMISSION_ACCESS, 
-				OresHelper.lookupType(this.getClass())))
+		QuotaManager qm = QuotaManager.getInstance();
+		if (!qm.hasQuotaEditRights(ureq.getIdentity()))
 			throw new OLATSecurityException("Insufficient permissions to access QuotaController");
 
 		myContent = createVelocityContainer("edit");
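Review bot: The exception message on the line after the new check still says "QuotaController", which is copied from the other controller; this class is GenericQuotaEditController, and the message is what an operator sees in the log when an unauthorised identity reaches a quota editor via a repository entry. Use `throw new OLATSecurityException("Insufficient permissions to access GenericQuotaEditController");` so the audit trail names the component that refused. The check itself is correctly placed before any content is built, so a denied identity gets nothing rendered.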
@@ -135,7 +131,6 @@ public class GenericQuotaEditController extends BasicController {
 		delQuotaButton = LinkFactory.createButtonSmall("qf.del", myContent, this);
 		cancelButton = LinkFactory.createButtonSmall("cancel", myContent, this);
 		
-		QuotaManager qm = QuotaManager.getInstance();
 		//TODO loop over QuotaManager.getDefaultQuotaIdentifyers instead
 		myContent.contextPut("users",qm.getDefaultQuota(QuotaConstants.IDENTIFIER_DEFAULT_USERS));
 		myContent.contextPut("powerusers",qm.getDefaultQuota(QuotaConstants.IDENTIFIER_DEFAULT_POWER));
diff --git a/src/main/java/org/olat/admin/quota/QuotaController.java b/src/main/java/org/olat/admin/quota/QuotaController.java
index ee561fb904d..221eb33a6dd 100644
--- a/src/main/java/org/olat/admin/quota/QuotaController.java
+++ b/src/main/java/org/olat/admin/quota/QuotaController.java
@@ -25,9 +25,6 @@
 
 package org.olat.admin.quota;
 
-import org.olat.basesecurity.BaseSecurity;
-import org.olat.basesecurity.BaseSecurityManager;
-import org.olat.basesecurity.Constants;
 import org.olat.core.gui.UserRequest;
 import org.olat.core.gui.components.Component;
 import org.olat.core.gui.components.link.Link;
@@ -45,14 +42,14 @@ import org.olat.core.gui.control.Event;
 import org.olat.core.gui.control.WindowControl;
 import org.olat.core.gui.control.controller.BasicController;
 import org.olat.core.logging.OLATSecurityException;
-import org.olat.core.util.resource.OresHelper;
 import org.olat.core.util.vfs.Quota;
 import org.olat.core.util.vfs.QuotaManager;
 
 /**
- *  Description:<br>
- *  is the controller for
- *
+ * Description:<br>
+ * This controller shows the list of all quotas in the system and offers an
+ * editor to edit the quotas or to create a new one.
+ * 
  * @author Felix Jost
  */
 public class QuotaController extends BasicController {
@@ -72,11 +69,8 @@ public class QuotaController extends BasicController {
 	public QuotaController(UserRequest ureq, WindowControl wControl) {
 		super(ureq, wControl);
 
-		BaseSecurity mgr = BaseSecurityManager.getInstance();
-		if (!mgr.isIdentityPermittedOnResourceable(
-				ureq.getIdentity(),
-				Constants.PERMISSION_ACCESS,
-				OresHelper.lookupType(this.getClass())))
+		QuotaManager qm = QuotaManager.getInstance();
+		if (!qm.hasQuotaEditRights(ureq.getIdentity()))
 			throw new OLATSecurityException("Insufficient permissions to access QuotaController");
 
 		main = new Panel("quotamain");
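Review bot: The constructor now authorises the system-wide quota list against GenericQuotaEditController's ACCESS policy through `hasQuotaEditRights`, and the patch stops bootstrapping a QuotaController policy in BaseSecurityManager; because that bootstrap is `createAndPersistPolicyIfNotExists`, policy rows already persisted for QuotaController in existing installations are not removed and remain as dead authorisation entries that no code consults. Add a cleanup of those rows to the upgrade path so the policy table reflects what is actually enforced. Any identity that held QuotaController access through a custom policy without GenericQuotaEditController access now loses the listing, which is fail-closed but deserves a release note.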
diff --git a/src/main/java/org/olat/admin/quota/QuotaManagerImpl.java b/src/main/java/org/olat/admin/quota/QuotaManagerImpl.java
index 1c1b070737f..03147b8d6ca 100644
--- a/src/main/java/org/olat/admin/quota/QuotaManagerImpl.java
+++ b/src/main/java/org/olat/admin/quota/QuotaManagerImpl.java
@@ -32,6 +32,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
+import org.olat.basesecurity.BaseSecurity;
 import org.olat.basesecurity.BaseSecurityManager;
 import org.olat.basesecurity.Constants;
 import org.olat.core.commons.modules.bc.FolderConfig;
@@ -403,4 +404,14 @@ public class QuotaManagerImpl extends QuotaManager {
 		return ctr;
 	}
 
+	@Override
+	public boolean hasQuotaEditRights(Identity identity) {
+		BaseSecurity mgr = BaseSecurityManager.getInstance();
+		boolean hasQuoaRights = mgr.isIdentityPermittedOnResourceable(
+				identity, 
+				Constants.PERMISSION_ACCESS, 
+				OresHelper.lookupType(GenericQuotaEditController.class));
+		return hasQuoaRights;
+	}
+
 }
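Review bot: `hasQuoaRights` is misspelled and the temporary adds nothing; return the check directly: `return mgr.isIdentityPermittedOnResourceable(identity, Constants.PERMISSION_ACCESS, OresHelper.lookupType(GenericQuotaEditController.class));`. The method takes no resource argument, so a comment such as `// global right: a true result authorises editing any quota, not one relPath` would stop callers from reading it as per-resource authorisation now that RepositoryEditPropertiesController relies on it. Whether `isIdentityPermittedOnResourceable` tolerates a null identity is not visible here; if it does not, an unauthenticated request surfaces as an NPE rather than a clean false, which is worth confirming.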
diff --git a/src/main/java/org/olat/basesecurity/BaseSecurityManager.java b/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
index f295d853a99..d2da8275c5c 100644
--- a/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
+++ b/src/main/java/org/olat/basesecurity/BaseSecurityManager.java
@@ -38,7 +38,6 @@ import java.util.UUID;
 import org.hibernate.Hibernate;
 import org.hibernate.type.Type;
 import org.olat.admin.quota.GenericQuotaEditController;
-import org.olat.admin.quota.QuotaController;
 import org.olat.admin.sysinfo.SysinfoController;
 import org.olat.admin.user.UserAdminController;
 import org.olat.admin.user.UserChangePasswordController;
@@ -152,7 +151,6 @@ public class BaseSecurityManager extends BasicManager implements BaseSecurity {
 		createAndPersistPolicyIfNotExists(adminGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(UserAdminController.class));
 		createAndPersistPolicyIfNotExists(adminGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(UserChangePasswordController.class));
 		createAndPersistPolicyIfNotExists(adminGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(UserCreateController.class));
-		createAndPersistPolicyIfNotExists(adminGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(QuotaController.class));
 		createAndPersistPolicyIfNotExists(adminGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(GenericQuotaEditController.class));
 	}
 
@@ -217,7 +215,6 @@ public class BaseSecurityManager extends BasicManager implements BaseSecurity {
 			institutionalResourceManagerGroup = createAndPersistNamedSecurityGroup(Constants.GROUP_INST_ORES_MANAGER);
 		//manager have a author policy and access permissions to authoring tools
 		createAndPersistPolicyIfNotExists(institutionalResourceManagerGroup, Constants.PERMISSION_HASROLE, Constants.ORESOURCE_INSTORESMANAGER);
-		createAndPersistPolicyIfNotExists(institutionalResourceManagerGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(QuotaController.class));
 		createAndPersistPolicyIfNotExists(institutionalResourceManagerGroup, Constants.PERMISSION_ACCESS, OresHelper.lookupType(GenericQuotaEditController.class));
 	}
 
diff --git a/src/main/java/org/olat/core/util/vfs/QuotaManager.java b/src/main/java/org/olat/core/util/vfs/QuotaManager.java
index 9386146448c..a1e6467fd96 100644
--- a/src/main/java/org/olat/core/util/vfs/QuotaManager.java
+++ b/src/main/java/org/olat/core/util/vfs/QuotaManager.java
@@ -167,4 +167,13 @@ public abstract class QuotaManager extends BasicManager{
 	 * @return
 	 */
 	public abstract Controller getQuotaEditorInstance(UserRequest ureq, WindowControl wControl, String relPath, boolean modalMode);
+	
+	/**
+	 * Check if a user has the rights to launch the quota editor tool
+	 * 
+	 * @param identity The identity that requests to change a quota
+	 * @return true: user is allowed to launch quota editor ; false: user is not
+	 *         allowed to launch quota editor
+	 */
+	public abstract boolean hasQuotaEditRights(Identity identity);
 }
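Review bot: The Javadoc describes the right as permission to launch the quota editor, but the same check now also gates QuotaController's list of every quota in the system and the per-entry tab in RepositoryEditPropertiesController, and the signature carries no resource, so a true result is a global right. State that explicitly, e.g. append `This right is global and not scoped to a particular quota or path; callers must not treat it as per-resource authorisation.` to the description, and tidy the `@return` text (`allowed to launch quota editor ; false` has a stray space before the semicolon).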
diff --git a/src/main/java/org/olat/repository/controllers/RepositoryEditPropertiesController.java b/src/main/java/org/olat/repository/controllers/RepositoryEditPropertiesController.java
index d690acf5cbd..1aeea6f5620 100644
--- a/src/main/java/org/olat/repository/controllers/RepositoryEditPropertiesController.java
+++ b/src/main/java/org/olat/repository/controllers/RepositoryEditPropertiesController.java
@@ -230,14 +230,20 @@ public class RepositoryEditPropertiesController extends BasicController implemen
 			tabbedPane.addTab(translate("tab.glossary.edit"), glossEditCtr.getInitialComponent());
 		
 		} else if (ImsCPFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())) {
-			OlatRootFolderImpl cpRoot = FileResourceManager.getInstance().unzipContainerResource(repositoryEntry.getOlatResource());
-			Controller quotaCtrl = QuotaManager.getInstance().getQuotaEditorInstance(ureq, wControl, cpRoot.getRelPath(), false);
-			tabbedPane.addTab(translate("tab.quota.edit"), quotaCtrl.getInitialComponent());
+			QuotaManager qm = QuotaManager.getInstance();
+			if (qm.hasQuotaEditRights(ureq.getIdentity())) {
+				OlatRootFolderImpl cpRoot = FileResourceManager.getInstance().unzipContainerResource(repositoryEntry.getOlatResource());
+				Controller quotaCtrl = qm.getQuotaEditorInstance(ureq, wControl, cpRoot.getRelPath(), false);
+				tabbedPane.addTab(translate("tab.quota.edit"), quotaCtrl.getInitialComponent());
+			}
 		} else if (BlogFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())
 				|| PodcastFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())) {
-			OlatRootFolderImpl feedRoot = FileResourceManager.getInstance().getFileResourceRootImpl(repositoryEntry.getOlatResource());
-			Controller quotaCtrl = QuotaManager.getInstance().getQuotaEditorInstance(ureq, wControl, feedRoot.getRelPath(), false);
-			tabbedPane.addTab(translate("tab.quota.edit"), quotaCtrl.getInitialComponent());
+			QuotaManager qm = QuotaManager.getInstance();
+			if (qm.hasQuotaEditRights(ureq.getIdentity())) {
+				OlatRootFolderImpl feedRoot = FileResourceManager.getInstance().getFileResourceRootImpl(repositoryEntry.getOlatResource());
+				Controller quotaCtrl = qm.getQuotaEditorInstance(ureq, wControl, feedRoot.getRelPath(), false);
+				tabbedPane.addTab(translate("tab.quota.edit"), quotaCtrl.getInitialComponent());
+			}
 		}
 
 		bgVC.put("descTB", tabbedPane);
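Review bot: The two new branches are identical except for how the root folder is obtained, so the QuotaManager lookup, the permission check, the controller creation and the tab registration are now maintained twice and will drift. Evaluate the right once before the type dispatch and move the shared tail into a private helper, leaving each branch to compute only its relPath; this costs one extra policy lookup for other resource types, which is cheap next to the unzip the CP branch performs. The unzip stays behind the permission check, as the patch intends. The enclosing method starts and ends outside the hunk.
```java
		QuotaManager qm = QuotaManager.getInstance();
		boolean canEditQuota = qm.hasQuotaEditRights(ureq.getIdentity());
		// … unchanged: earlier resource-type branches …
		} else if (ImsCPFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())) {
			if (canEditQuota) {
				OlatRootFolderImpl cpRoot = FileResourceManager.getInstance().unzipContainerResource(repositoryEntry.getOlatResource());
				addQuotaTab(ureq, wControl, qm, cpRoot.getRelPath());
			}
		} else if (BlogFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())
				|| PodcastFileResource.TYPE_NAME.equals(repositoryEntry.getOlatResource().getResourceableTypeName())) {
			if (canEditQuota) {
				OlatRootFolderImpl feedRoot = FileResourceManager.getInstance().getFileResourceRootImpl(repositoryEntry.getOlatResource());
				addQuotaTab(ureq, wControl, qm, feedRoot.getRelPath());
			}
		}
		// … helper added at class level; caller has already verified hasQuotaEditRights …
	private void addQuotaTab(UserRequest ureq, WindowControl wControl, QuotaManager qm, String relPath) {
		Controller quotaCtrl = qm.getQuotaEditorInstance(ureq, wControl, relPath, false);
		tabbedPane.addTab(translate("tab.quota.edit"), quotaCtrl.getInitialComponent());
	}
```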
-- 
GitLab