From 8b8e50f84d1f632ffa0a668f9bd325bc1833c285 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Mon, 6 Feb 2017 20:48:48 +0100
Subject: [PATCH] OO-2498: apply the same check in the callout as in the
 security check

---
 .../olat/repository/RepositoryManager.java    |  2 +-
 .../author/AuthorDeletedListController.java   | 22 ++++++++++++-------
 .../ui/author/ConfirmRestoreController.java   |  1 +
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/olat/repository/RepositoryManager.java b/src/main/java/org/olat/repository/RepositoryManager.java
index fe75173fcd7..64f3da28c03 100644
--- a/src/main/java/org/olat/repository/RepositoryManager.java
+++ b/src/main/java/org/olat/repository/RepositoryManager.java
@@ -1227,7 +1227,7 @@ public class RepositoryManager {
 	 * check ownership of identity for a resource
 	 * @return true if the identity is member of the security group of the repository entry
 	 */
-	public boolean isOwnerOfRepositoryEntry(Identity identity, RepositoryEntry entry) {
+	public boolean isOwnerOfRepositoryEntry(IdentityRef identity, RepositoryEntryRef entry) {
 		if(entry == null || identity == null) {
 			return false;
 		}
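Review bot: The Javadoc above `isOwnerOfRepositoryEntry` has no `@param` tags and does not state that a null `identity` or `entry` returns false, which is worth spelling out now that the method accepts any `IdentityRef` / `RepositoryEntryRef`. I would add `@param identity the identity to check; null yields false` and `@param entry the repository entry reference; null yields false`. The method body continues outside the hunk, so whether it needs anything beyond the keys of the two references cannot be confirmed from here.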
diff --git a/src/main/java/org/olat/repository/ui/author/AuthorDeletedListController.java b/src/main/java/org/olat/repository/ui/author/AuthorDeletedListController.java
index 291fd03fe6b..0fdbe9047d7 100644
--- a/src/main/java/org/olat/repository/ui/author/AuthorDeletedListController.java
+++ b/src/main/java/org/olat/repository/ui/author/AuthorDeletedListController.java
@@ -114,13 +114,18 @@ public class AuthorDeletedListController extends AuthorListController {
 			}
 			cleanUp();
 		} else if(confirmRestoreCtrl == source) {
-			if(cmc != null) {
-				cmc.deactivate();
-			}
 			if(event == Event.DONE_EVENT || event == Event.CHANGED_EVENT) {
+				if(cmc != null) {
+					cmc.deactivate();
+				}
 				reloadRows();
+				cleanUp();
+			} else if(event == Event.CANCELLED_EVENT) {
+				if(cmc != null) {
+					cmc.deactivate();
+				}
+				cleanUp();
 			}
-			cleanUp();
 		} else if(dToolsCtrl == source) {
 			if(event == Event.DONE_EVENT) {
 				toolsCalloutCtrl.deactivate();
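Review bot: The `confirmRestoreCtrl` branch now repeats `cmc.deactivate()` and `cleanUp()` in both arms, which differ only by `reloadRows()`. A single outer test for DONE, CHANGED or CANCELLED, with `if(event != Event.CANCELLED_EVENT) reloadRows();` inside, would keep the close-and-dispose path in one place. Any other event from the dialog now leaves the modal open without cleanup, which looks intentional given the `EntryChangedEvent` that ConfirmRestoreController fires before `DONE_EVENT`. A comment such as `// ignore intermediate events (e.g. EntryChangedEvent); the dialog is closed on DONE/CANCELLED only` would make that explicit. The enclosing event method starts and ends outside the hunk.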
@@ -185,14 +190,15 @@ public class AuthorDeletedListController extends AuthorListController {
 			toolsCalloutCtrl.activate();
 		}
 	}
-	
 
 	private void doRestore(UserRequest ureq, List<AuthoringEntryRow> rows) {
 		Roles roles = ureq.getUserSession().getRoles();
 		List<Long> deleteableRowKeys = new ArrayList<>(rows.size());
 		for(AuthoringEntryRow row:rows) {
 			boolean managed = RepositoryEntryManagedFlag.isManaged(row.getManagedFlags(), RepositoryEntryManagedFlag.delete);
-			boolean canDelete = roles.isOLATAdmin() || repositoryManager.isInstitutionalRessourceManagerFor(getIdentity(), roles, row);
+			boolean canDelete = roles.isOLATAdmin()
+					|| repositoryService.hasRole(getIdentity(), row, GroupRoles.owner.name())
+					|| repositoryManager.isInstitutionalRessourceManagerFor(getIdentity(), roles, row);
 			if(canDelete && !managed) {
 				deleteableRowKeys.add(row.getKey());
 			}
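Review bot: In `doRestore` the call to `isInstitutionalRessourceManagerFor` is not guarded by `!roles.isGuestOnly()`, while the callout check later in this file is, so the two permission checks this commit aligns still differ in one term. Unless the manager method already rejects guests (not visible here), I would write the last term as `|| (!roles.isGuestOnly() && repositoryManager.isInstitutionalRessourceManagerFor(getIdentity(), roles, row));`. Better still, move the whole expression into one private helper used by both places so they cannot drift apart again. This loop only filters which rows are handed to the confirmation dialog, so the restore path itself should enforce the same rule rather than trust the filtered key list. The `for` loop and the method continue outside the hunk.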
@@ -263,9 +269,9 @@ public class AuthorDeletedListController extends AuthorListController {
 			Roles roles = ureq.getUserSession().getRoles();
 			boolean isInstitutionalResourceManager = !roles.isGuestOnly()
 						&& repositoryManager.isInstitutionalRessourceManagerFor(identity, roles, entry);
-			isOwner = isOlatAdmin || repositoryService.hasRole(ureq.getIdentity(), entry, GroupRoles.owner.name())
+			isOwner = isOlatAdmin || repositoryService.hasRole(identity, entry, GroupRoles.owner.name())
 						|| isInstitutionalResourceManager;
-			isAuthor = isOlatAdmin || roles.isAuthor() | isInstitutionalResourceManager;
+			isAuthor = isOlatAdmin || roles.isAuthor() || isInstitutionalResourceManager;
 			
 			RepositoryHandler handler = repositoryHandlerFactory.getRepositoryHandler(entry);
 
diff --git a/src/main/java/org/olat/repository/ui/author/ConfirmRestoreController.java b/src/main/java/org/olat/repository/ui/author/ConfirmRestoreController.java
index d9046e28580..30a20df26f8 100644
--- a/src/main/java/org/olat/repository/ui/author/ConfirmRestoreController.java
+++ b/src/main/java/org/olat/repository/ui/author/ConfirmRestoreController.java
@@ -134,5 +134,6 @@ public class ConfirmRestoreController extends FormBasicController {
 				fireEvent(ureq, new EntryChangedEvent(reloadedEntry, getIdentity(), Change.restored, "restored"));
 			}
 		}
+		fireEvent(ureq, Event.DONE_EVENT);
 	}
 }
\ No newline at end of file
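Review bot: `fireEvent(ureq, Event.DONE_EVENT)` is added unconditionally at the end of the method, so the parent controller closes the dialog and reloads its rows even when the code above restored nothing. Whether that case can occur depends on lines outside the hunk. Since the parent now reacts only to DONE, CHANGED and CANCELLED, this line is what closes the modal, and it deserves a comment such as `// signal completion: the list controller closes the dialog on DONE_EVENT, not on EntryChangedEvent`. If a partial failure is possible in the restore loop, consider firing a different event or showing an error so the user does not see a silent close.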
-- 
GitLab