From 96abd5ea93a39d9fe24f4fa0a2d5245335410b9a Mon Sep 17 00:00:00 2001
From: srosse <stephane.rosse@frentix.com>
Date: Thu, 16 Apr 2020 14:22:12 +0200
Subject: [PATCH] OO-4639: limit list of bookmarks in WebDAV

---
 .../course/CoursefolderWebDAVMergeSource.java |  7 +-
 .../olat/repository/RepositoryManager.java    | 17 +++--
 .../repository/RepositoryManagerTest.java     | 76 ++++++++++++++++++-
 3 files changed, 90 insertions(+), 10 deletions(-)

diff --git a/src/main/java/org/olat/course/CoursefolderWebDAVMergeSource.java b/src/main/java/org/olat/course/CoursefolderWebDAVMergeSource.java
index 5da00b21b83..2ddd8393db1 100644
--- a/src/main/java/org/olat/course/CoursefolderWebDAVMergeSource.java
+++ b/src/main/java/org/olat/course/CoursefolderWebDAVMergeSource.java
@@ -103,7 +103,12 @@ class CoursefolderWebDAVMergeSource extends WebDAVMergeSource {
 		
 		//add bookmarked courses
 		if(webDAVModule.isEnableLearnersBookmarksCourse()) {
-			List<RepositoryEntry> bookmarkedEntries = repositoryManager.getLearningResourcesAsBookmark(getIdentity(), identityEnv.getRoles(), "CourseModule", 0, -1);
+			List<RepositoryEntry> bookmarkedEntries = repositoryManager.getLearningResourcesAsBookmarkedMember(getIdentity(), identityEnv.getRoles(), "CourseModule", 0, -1);
+			for(RepositoryEntry bookmarkedEntry:bookmarkedEntries) {
+				System.out.println(bookmarkedEntry.getDisplayname());
+			}
+			
+			
 			appendCourses(bookmarkedEntries, containers, terms, noTermContainer, namingAndGrouping, false);
 		}
 
diff --git a/src/main/java/org/olat/repository/RepositoryManager.java b/src/main/java/org/olat/repository/RepositoryManager.java
index d033d501472..9b581fc5e48 100644
--- a/src/main/java/org/olat/repository/RepositoryManager.java
+++ b/src/main/java/org/olat/repository/RepositoryManager.java
@@ -1741,7 +1741,17 @@ public class RepositoryManager {
 				.getResultList();
 	}
 
-	public List<RepositoryEntry> getLearningResourcesAsBookmark(Identity identity, Roles roles, String type, int firstResult, int maxResults) {
+	/**
+	 * This method only returns entries with a valid membership.
+	 * 
+	 * @param identity The identity
+	 * @param roles The roles of the identity
+	 * @param type The type of resource to search for
+	 * @param firstResult The first result
+	 * @param maxResults The max. numbers of results to return or -1 if all
+	 * @return A list of repository entries
+	 */
+	public List<RepositoryEntry> getLearningResourcesAsBookmarkedMember(Identity identity, Roles roles, String type, int firstResult, int maxResults) {
 		if(roles.isGuestOnly()) {
 			return Collections.emptyList();
 		}
@@ -1756,7 +1766,7 @@ public class RepositoryManager {
 		  .append(" ) ")
 		  .append(" and res.resName=:resourceType")
 		  .append(" and exists (select rel from repoentrytogroup as rel, bgroup as baseGroup, bgroupmember as membership")
-		  .append("   where rel.entry=v and rel.group=baseGroup and membership.group=baseGroup and membership.identity.key=:identityKey")
+		  .append("   where rel.entry.key=v.key and rel.group.key=baseGroup.key and membership.group.key=baseGroup.key and membership.identity.key=:identityKey")
 		  .append("   and (")
 		  .append("     (")
 		  .append("      membership.role ").in(OrganisationRoles.administrator, OrganisationRoles.learnresourcemanager, GroupRoles.owner).append(" and v.status").in(RepositoryEntryStatusEnum.preparationToClosed())
@@ -1764,9 +1774,6 @@ public class RepositoryManager {
 		  .append("      membership.role ").in(GroupRoles.coach).append(" and v.status").in(RepositoryEntryStatusEnum.coachPublishedToClosed())
 		  .append("     ) or (")
 		  .append("      membership.role ").in(GroupRoles.participant).append(" and v.status").in(RepositoryEntryStatusEnum.publishedAndClosed())
-		  .append("     ) or (")
-		  .append("      (v.allUsers=true or v.bookable=true) and v.status ").in(RepositoryEntryStatusEnum.publishedAndClosed())
-		  .append("       and membership.role not ").in(OrganisationRoles.invitee, OrganisationRoles.guest, GroupRoles.waiting)
 		  .append("     )")
 		  .append("   )")
 		  .append(" )");
diff --git a/src/test/java/org/olat/repository/RepositoryManagerTest.java b/src/test/java/org/olat/repository/RepositoryManagerTest.java
index 5b36d648d67..226776aa336 100644
--- a/src/test/java/org/olat/repository/RepositoryManagerTest.java
+++ b/src/test/java/org/olat/repository/RepositoryManagerTest.java
@@ -36,6 +36,7 @@ import java.util.List;
 import java.util.Set;
 import java.util.UUID;
 
+import org.apache.logging.log4j.Logger;
 import org.hibernate.LazyInitializationException;
 import org.junit.Assert;
 import org.junit.Test;
@@ -49,7 +50,6 @@ import org.olat.core.id.OLATResourceable;
 import org.olat.core.id.Organisation;
 import org.olat.core.id.Roles;
 import org.olat.core.logging.AssertException;
-import org.apache.logging.log4j.Logger;
 import org.olat.core.logging.Tracing;
 import org.olat.core.util.CodeHelper;
 import org.olat.core.util.resource.OresHelper;
@@ -63,6 +63,12 @@ import org.olat.repository.model.RepositoryEntryMembership;
 import org.olat.repository.model.RepositoryEntrySecurity;
 import org.olat.resource.OLATResource;
 import org.olat.resource.OLATResourceManager;
+import org.olat.resource.accesscontrol.ACService;
+import org.olat.resource.accesscontrol.Offer;
+import org.olat.resource.accesscontrol.OfferAccess;
+import org.olat.resource.accesscontrol.manager.ACMethodDAO;
+import org.olat.resource.accesscontrol.model.AccessMethod;
+import org.olat.resource.accesscontrol.model.TokenAccessMethod;
 import org.olat.test.JunitTestHelper;
 import org.olat.test.OlatTestCase;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -95,8 +101,12 @@ public class RepositoryManagerTest extends OlatTestCase {
 	@Autowired
 	private RepositoryEntryRelationDAO repositoryEntryRelationDao;
 	@Autowired
+	private ACService acService;
+	@Autowired
 	private MarkManager markManager;
 	@Autowired
+	private ACMethodDAO acMethodManager;
+	@Autowired
 	private RepositoryEntryLifecycleDAO lifecycleDao;
 
 	/**
@@ -418,11 +428,12 @@ public class RepositoryManagerTest extends OlatTestCase {
 		Identity participant = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-courses-2");
 		RepositoryEntry course = JunitTestHelper.deployBasicCourse(owner);
 		markManager.setMark(course, participant, null, "[RepositoryEntry:" + course.getKey() + "]");
+		repositoryEntryRelationDao.addRole(participant, course, GroupRoles.participant.name());
 		dbInstance.commitAndCloseSession();
 		
 		//participant bookmarks
 		Roles roles = Roles.userRoles();
-		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmark(participant, roles, "CourseModule", 0, -1);
+		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmarkedMember(participant, roles, "CourseModule", 0, -1);
 		Assert.assertNotNull(courses);
 		Assert.assertEquals(1, courses.size());
 	}
@@ -437,16 +448,73 @@ public class RepositoryManagerTest extends OlatTestCase {
 		RepositoryEntry course = JunitTestHelper.deployBasicCourse(owner);
 		markManager.setMark(course, participant, null, "[RepositoryEntry:" + course.getKey() + "]");
 		dbInstance.commitAndCloseSession();
-		repositoryManager.setAccess(course, RepositoryEntryStatusEnum.preparation, false, false);
+		repositoryManager.setAccess(course, RepositoryEntryStatusEnum.published, false, false);
 		dbInstance.commitAndCloseSession();
 		
 		//participant bookmarks
 		Roles roles = Roles.userRoles();
-		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmark(participant, roles, "CourseModule", 0, -1);
+		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmarkedMember(participant, roles, "CourseModule", 0, -1);
 		Assert.assertNotNull(courses);
 		Assert.assertEquals(0, courses.size());
 	}
 	
+	/**
+	 * Check that the method return only courses within the permissions of the user.
+	 */
+	@Test
+	public void getLearningResourcesAsBookmark_notPublished() {
+		Identity owner = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-courses-1");
+		Identity participant = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-courses-2");
+		RepositoryEntry course = JunitTestHelper.deployBasicCourse(owner);
+		markManager.setMark(course, participant, null, "[RepositoryEntry:" + course.getKey() + "]");
+		repositoryEntryRelationDao.addRole(participant, course, GroupRoles.participant.name());
+		dbInstance.commitAndCloseSession();
+		repositoryManager.setAccess(course, RepositoryEntryStatusEnum.coachpublished, false, false);
+		dbInstance.commitAndCloseSession();
+		
+		//participant bookmarks
+		Roles roles = Roles.userRoles();
+		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmarkedMember(participant, roles, "CourseModule", 0, -1);
+		Assert.assertNotNull(courses);
+		Assert.assertEquals(0, courses.size());
+	}
+	
+	/**
+	 * Check that the method return only courses within the permissions of the user.
+	 */
+	@Test
+	public void getLearningResourcesAsBookmark_noPermissionsBookable() {
+		Identity owner = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-courses-1");
+		Identity participant = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-courses-2");
+		RepositoryEntry course = JunitTestHelper.deployBasicCourse(owner);
+		markManager.setMark(course, participant, null, "[RepositoryEntry:" + course.getKey() + "]");
+		repositoryManager.setAccess(course, false, false, true, RepositoryEntryAllowToLeaveOptions.never, null);
+		repositoryManager.setAccess(course, RepositoryEntryStatusEnum.published, false, false);
+		
+		//create and save an offer
+		Offer offer = acService.createOffer(course.getOlatResource(), course.getDisplayname());
+		offer = acService.save(offer);
+		dbInstance.commitAndCloseSession();
+
+		//create a link offer to method
+		List<AccessMethod> methods = acMethodManager.getAvailableMethodsByType(TokenAccessMethod.class);
+		AccessMethod method = methods.get(0);
+		OfferAccess access = acMethodManager.createOfferAccess(offer, method);
+		acMethodManager.save(access);
+
+		dbInstance.commitAndCloseSession();
+
+		//participant bookmarks
+		Roles roles = Roles.userRoles();
+		List<RepositoryEntry> courses = repositoryManager.getLearningResourcesAsBookmarkedMember(participant, roles, "CourseModule", 0, -1);
+		Assert.assertNotNull(courses);
+		Assert.assertEquals(0, courses.size());
+		
+		// beacause it triggers issues with other tests
+		repositoryManager.setAccess(course, RepositoryEntryStatusEnum.preparation, false, false);
+		
+	}
+	
 	@Test
 	public void getParticipantRepositoryEntry() {
 		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("re-stud-lc-");
-- 
GitLab