From cb6b4eed1f76c415fa5963f5eaf1485c02c9ec39 Mon Sep 17 00:00:00 2001
From: srosse <none@none>
Date: Thu, 21 May 2015 10:23:37 +0200
Subject: [PATCH] OO-1557: fix rs if option all users is chosen with groups,
 fix xss issue with course title, fetch load the group of invitation and add
 unit test

---
 .../olat/portfolio/manager/EPPolicyManager.java |  2 +-
 .../olat/portfolio/manager/InvitationDAO.java   |  4 +++-
 .../ui/structel/EPMultipleMapController.java    |  2 +-
 .../portfolio/manager/InvitationDAOTest.java    | 17 +++++++++++++++++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/olat/portfolio/manager/EPPolicyManager.java b/src/main/java/org/olat/portfolio/manager/EPPolicyManager.java
index e8fb1189057..61d160033d3 100644
--- a/src/main/java/org/olat/portfolio/manager/EPPolicyManager.java
+++ b/src/main/java/org/olat/portfolio/manager/EPPolicyManager.java
@@ -288,7 +288,7 @@ public class EPPolicyManager {
 	private EPStructureElementToGroupRelation applyPolicyToGroup(Group group, EPMapPolicy policy, PortfolioStructureMap map) {
 		Collection<EPStructureElementToGroupRelation> currentRelations = map.getGroups();
 		for(EPStructureElementToGroupRelation currentRelation:currentRelations) {
-			if(currentRelation.getGroup().equals(group)) {
+			if(currentRelation.getGroup() != null && currentRelation.getGroup().equals(group)) {
 				updatePolicy(currentRelation, policy.getFrom(), policy.getTo());
 				return currentRelation;
 			}
diff --git a/src/main/java/org/olat/portfolio/manager/InvitationDAO.java b/src/main/java/org/olat/portfolio/manager/InvitationDAO.java
index e802be56af7..6e9e1fb8259 100644
--- a/src/main/java/org/olat/portfolio/manager/InvitationDAO.java
+++ b/src/main/java/org/olat/portfolio/manager/InvitationDAO.java
@@ -131,7 +131,8 @@ public class InvitationDAO {
 	public Invitation findInvitation(Group group) {
 		StringBuilder sb = new StringBuilder();
 		sb.append("select invitation from binvitation as invitation ")
-		  .append(" where invitation.baseGroup=:group");
+		  .append(" inner join fetch invitation.baseGroup bGroup")
+		  .append(" where bGroup=:group");
 
 		List<Invitation> invitations = dbInstance.getCurrentEntityManager()
 				  .createQuery(sb.toString(), Invitation.class)
@@ -149,6 +150,7 @@ public class InvitationDAO {
 	public Invitation findInvitation(String token) {
 		StringBuilder sb = new StringBuilder();
 		sb.append("select invitation from binvitation as invitation ")
+		  .append(" inner join fetch invitation.baseGroup bGroup")
 		  .append(" where invitation.token=:token");
 
 		List<Invitation> invitations = dbInstance.getCurrentEntityManager()
diff --git a/src/main/java/org/olat/portfolio/ui/structel/EPMultipleMapController.java b/src/main/java/org/olat/portfolio/ui/structel/EPMultipleMapController.java
index 7b70ec0bbb7..86a999c3418 100644
--- a/src/main/java/org/olat/portfolio/ui/structel/EPMultipleMapController.java
+++ b/src/main/java/org/olat/portfolio/ui/structel/EPMultipleMapController.java
@@ -280,7 +280,7 @@ public class EPMultipleMapController extends BasicController implements Activate
 					EPTargetResource resource = structMap.getTargetResource();
 					RepositoryEntry repoEntry = RepositoryManager.getInstance().lookupRepositoryEntry(resource.getOLATResourceable(), false);
 					if(repoEntry != null) {
-						vC.contextPut("courseName" + i, repoEntry.getDisplayname());
+						vC.contextPut("courseName" + i, StringHelper.escapeHtml(repoEntry.getDisplayname()));
 						String url = Settings.getServerContextPathURI();
 						url += "/url/RepositoryEntry/" + repoEntry.getKey() + "/CourseNode/" + resource.getSubPath();
 						vC.contextPut("courseLink" + i, url);
diff --git a/src/test/java/org/olat/portfolio/manager/InvitationDAOTest.java b/src/test/java/org/olat/portfolio/manager/InvitationDAOTest.java
index c53a6a404d8..0d693a13885 100644
--- a/src/test/java/org/olat/portfolio/manager/InvitationDAOTest.java
+++ b/src/test/java/org/olat/portfolio/manager/InvitationDAOTest.java
@@ -26,6 +26,7 @@ import java.util.UUID;
 
 import org.junit.Assert;
 import org.junit.Test;
+import org.olat.basesecurity.Group;
 import org.olat.basesecurity.Invitation;
 import org.olat.core.commons.persistence.DB;
 import org.olat.core.id.Identity;
@@ -64,6 +65,21 @@ public class InvitationDAOTest extends OlatTestCase {
 		Assert.assertNotNull(invitation.getToken());
 	}
 	
+	@Test
+	public void findInvitation_group() {
+		Invitation invitation = invitationDao.createAndPersistInvitation();
+		Group baseGroup = invitation.getBaseGroup();
+		Assert.assertNotNull(invitation);
+		dbInstance.commitAndCloseSession();
+		
+		Invitation reloadedInvitation = invitationDao.findInvitation(baseGroup);
+		Assert.assertNotNull(reloadedInvitation);
+		Assert.assertNotNull(reloadedInvitation.getKey());
+		Assert.assertEquals(baseGroup, reloadedInvitation.getBaseGroup());
+		Assert.assertEquals(invitation, reloadedInvitation);
+		Assert.assertEquals(invitation.getToken(), reloadedInvitation.getToken());
+	}
+	
 	@Test
 	public void findInvitation_token() {
 		Invitation invitation = invitationDao.createAndPersistInvitation();
@@ -78,6 +94,7 @@ public class InvitationDAOTest extends OlatTestCase {
 		Assert.assertEquals(invitation.getToken(), reloadedInvitation.getToken());
 	}
 	
+	
 	@Test
 	public void hasInvitationPolicies_testHQL() {
 		String token = UUID.randomUUID().toString();
-- 
GitLab