OO-3287: change the access rules of the export course in the REST API

fe96a2cd · srosse · cdbaab8c · fe96a2cd · fe96a2cd
Commit fe96a2cd authored 7 years ago by srosse
--- a/src/main/java/org/olat/restapi/repository/course/CourseWebService.java
+++ b/src/main/java/org/olat/restapi/repository/course/CourseWebService.java
@@ -93,7 +93,6 @@ import org.olat.resource.OLATResource;
 import org.olat.resource.OLATResourceManager;
 import org.olat.resource.accesscontrol.ACService;
 import org.olat.resource.accesscontrol.AccessResult;
-import org.olat.restapi.security.RestSecurityHelper;
 import org.olat.restapi.support.ObjectFactory;
 import org.olat.restapi.support.vo.CourseConfigVO;
 import org.olat.restapi.support.vo.CourseVO;
@@ -276,37 +275,33 @@ public class CourseWebService {
 	@Path("file")
 	@Produces({ "application/zip", MediaType.APPLICATION_OCTET_STREAM })
 	public Response getRepoFileById(@Context HttpServletRequest request) {
-		if(!isAuthor(request)) {
-			return Response.serverError().status(Status.UNAUTHORIZED).build();
-		}
 		RepositoryService rs = CoreSpringFactory.getImpl(RepositoryService.class);
 		RepositoryEntry re = course.getCourseEnvironment().getCourseGroupManager().getCourseEntry();
 		if (re == null) {
 			return Response.serverError().status(Status.NOT_FOUND).build();
 		}
 		RepositoryHandler typeToDownload = RepositoryHandlerFactory.getInstance().getRepositoryHandler(re);
 		if (typeToDownload == null) {
 			return Response.serverError().status(Status.NOT_FOUND).build();
 		}
+		Identity identity = getIdentity(request);
+		boolean canDownload = re.getCanDownload() && typeToDownload.supportsDownload();
+		if (isAdmin(request) || RepositoryManager.getInstance().isOwnerOfRepositoryEntry(identity, re)) {
+			canDownload = true;
+		} else if(!isAuthor(request)) {
+			return Response.serverError().status(Status.UNAUTHORIZED).build();
+		}
+		if(!canDownload) {
+			return Response.serverError().status(Status.UNAUTHORIZED).build();
+		}
 		OLATResource ores = OLATResourceManager.getInstance().findResourceable(re.getOlatResource());
 		if (ores == null) {
 			return Response.serverError().status(Status.NOT_FOUND).build();
 		}
-		Identity identity = getIdentity(request);
-		boolean isAuthor = RestSecurityHelper.isAuthor(request);
-		boolean isOwner = RepositoryManager.getInstance().isOwnerOfRepositoryEntry(identity, re);
-		if (!(isAuthor | isOwner)) {
-			return Response.serverError().status(Status.UNAUTHORIZED).build();
-		}
-		boolean canDownload = re.getCanDownload() && typeToDownload.supportsDownload();
-		if (!canDownload) {
-			return Response.serverError().status(Status.NOT_ACCEPTABLE).build();
-		}
 		boolean isAlreadyLocked = typeToDownload.isLocked(ores);
 		LockResult lockResult = null;
 		try {

--- a/src/test/java/org/olat/restapi/CourseTest.java
+++ b/src/test/java/org/olat/restapi/CourseTest.java
@@ -614,6 +614,62 @@ public class CourseTest extends OlatJerseyTestCase {
 		Assert.assertEquals(0, repositoryEntry.getAccess());
 	}
+	@Test
+	public void exportCourse()
+	throws IOException, URISyntaxException {
+		Assert.assertTrue(conn.login("administrator", "openolat"));
+		Identity author = JunitTestHelper.createAndPersistIdentityAsRndUser("course-owner");
+		RepositoryEntry course = JunitTestHelper.deployBasicCourse(author);
+		dbInstance.closeSession();
+		URI request = UriBuilder.fromUri(getContextURI()).path("repo").path("courses")
+				.path(course.getOlatResource().getResourceableId().toString()).path("file").build();
+		HttpGet method = conn.createGet(request, "application/zip", true);
+		HttpResponse response = conn.execute(method);
+		Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+		byte[] exportedFile = EntityUtils.toByteArray(response.getEntity());
+		Assert.assertTrue(exportedFile.length > 1000);	
+	}
+	@Test
+	public void exportCourse_owner()
+	throws IOException, URISyntaxException {
+		Identity author = JunitTestHelper.createAndPersistIdentityAsRndUser("course-owner-2");
+		RepositoryEntry course = JunitTestHelper.deployBasicCourse(author);
+		dbInstance.closeSession();
+		Assert.assertTrue(conn.login(author.getName(), "A6B7C8"));
+		URI request = UriBuilder.fromUri(getContextURI()).path("repo").path("courses")
+				.path(course.getOlatResource().getResourceableId().toString()).path("file").build();
+		HttpGet method = conn.createGet(request, "application/zip", true);
+		HttpResponse response = conn.execute(method);
+		Assert.assertEquals(200, response.getStatusLine().getStatusCode());
+		byte[] exportedFile = EntityUtils.toByteArray(response.getEntity());
+		Assert.assertTrue(exportedFile.length > 1000);	
+	}
+	@Test
+	public void exportCourse_notOwner()
+	throws IOException, URISyntaxException {
+		Identity owner = JunitTestHelper.createAndPersistIdentityAsRndUser("course-owner-3");
+		Identity otherUser = JunitTestHelper.createAndPersistIdentityAsRndUser("course-owner-4");
+		RepositoryEntry course = JunitTestHelper.deployBasicCourse(owner);
+		dbInstance.closeSession();
+		Assert.assertTrue(conn.login(otherUser.getName(), "A6B7C8"));
+		URI request = UriBuilder.fromUri(getContextURI()).path("repo").path("courses")
+				.path(course.getOlatResource().getResourceableId().toString()).path("file").build();
+		HttpGet method = conn.createGet(request, "application/zip", true);
+		HttpResponse response = conn.execute(method);
+		Assert.assertEquals(401, response.getStatusLine().getStatusCode());
+		EntityUtils.consume(response.getEntity());
+	}
 	protected List<UserVO> parseUserArray(InputStream body) {
 		try {
 			ObjectMapper mapper = new ObjectMapper(jsonFactory);