Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.wise.portal.domain.project.Project;
Expand All @@ -42,6 +43,7 @@
* Admin utility functions like db migrations and batch scripts
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
public class AdminUtilsController {

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
import java.util.Calendar;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.validation.BindingResult;
Expand All @@ -55,6 +56,7 @@
*
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/batchcreateuseraccounts.html")
public class BatchCreateUserAccountsController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
Expand All @@ -41,6 +42,7 @@
* Only accessed by a WISE admin user.
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/enabledisableuser")
public class EnableDisableUserController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.validation.BindingResult;
Expand All @@ -50,6 +51,7 @@
* @author Patrick Lawler
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/lookupuser")
public class LookupUserController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
Expand All @@ -44,6 +45,7 @@
*
* @author Hiroki Terashima
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/manageuserroles.html")
public class ManageUserRolesController {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,13 +1,15 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.wise.portal.service.authentication.UserDetailsService;

@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/account/show-all-users")
public class ShowAllUsersController {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.acls.model.Permission;
import org.springframework.web.bind.annotation.*;
import org.wise.portal.dao.ObjectNotFoundException;
Expand All @@ -13,6 +14,7 @@
import java.util.List;
import java.util.Set;

@Secured("ROLE_ADMINISTRATOR")
@RestController
@RequestMapping("/api/admin/project/shared")
public class UpdateProjectSharedPermissionsAPIController {
Expand Down
Original file line number Diff line number Diff line change
@@ -1,11 +1,13 @@
package org.wise.portal.presentation.web.controllers.admin;

import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/project/updatesharedprojects")
public class UpdateSharedProjectsController {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
import org.json.JSONObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.core.env.Environment;
import org.springframework.security.access.annotation.Secured;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.GetMapping;
Expand Down Expand Up @@ -32,6 +33,7 @@
* student data, it will replace the Base64 string with a reference to that png image in the
* studentuploads folder.
*/
@Secured("ROLE_ADMINISTRATOR")
@Controller
@RequestMapping("/admin/run/replacebase64withpng.html")
public class ReplaceBase64WithPNGController {
Expand Down
23 changes: 16 additions & 7 deletions src/main/java/org/wise/portal/spring/impl/WebSecurityConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -85,14 +85,23 @@ protected void configure(HttpSecurity http) throws Exception {
.addFilterAfter(googleOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(microsoftOpenIdConnectFilter(), OAuth2ClientContextFilter.class)
.addFilterAfter(authenticationProcessingFilter(), GoogleOpenIdConnectFilter.class)
.authorizeRequests().antMatchers("/api/login/impersonate")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/admin/**")
.hasAnyRole("ADMINISTRATOR", "RESEARCHER").antMatchers("/author/**").hasAnyRole("TEACHER")
.authorizeRequests()
// Matched the way Spring MVC matches, so a trailing slash cannot slip an exact path
// past these rules and into the broader "/admin/**" rule below.
.mvcMatchers("/admin/account/**", "/admin/portal/**", "/admin/news/**",
"/admin/mergeProjectMetadata", "/admin/project/updatesharedprojects",
"/admin/run/replacebase64withpng.html", "/api/admin/**")
.hasRole("ADMINISTRATOR")
.antMatchers("/api/login/impersonate").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/admin/**").hasAnyRole("ADMINISTRATOR", "RESEARCHER")
.antMatchers("/author/**").hasAnyRole("TEACHER")
.antMatchers("/project/notifyAuthor*/**").hasAnyRole("TEACHER")
.antMatchers("/student/account/info").hasAnyRole("TEACHER").antMatchers("/student/**")
.hasAnyRole("STUDENT").antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER").antMatchers("/sso/discourse")
.hasAnyRole("TEACHER", "STUDENT").antMatchers("/").permitAll();
.antMatchers("/student/account/info").hasAnyRole("TEACHER")
.antMatchers("/student/**").hasAnyRole("STUDENT")
.antMatchers("/studentStatus").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/teacher/**").hasAnyRole("TEACHER")
.antMatchers("/sso/discourse").hasAnyRole("TEACHER", "STUDENT")
.antMatchers("/").permitAll();
http.formLogin().loginPage("/login").permitAll();
http.logout().addLogoutHandler(wiseLogoutHandler())
.logoutRequestMatcher(new AntPathRequestMatcher("/api/logout"));
Expand Down
62 changes: 31 additions & 31 deletions src/main/webapp/portal/admin/index.jsp
Original file line number Diff line number Diff line change
Expand Up @@ -58,12 +58,12 @@
</div>
<div class="panelContent">

<div class="sectionHead" style="padding-top: 0;">
<spring:message code='admin.index.userManagement' />
</div>
<div class="sectionContent">
<h5>
<sec:authorize access="hasRole('ROLE_ADMINISTRATOR')">
<sec:authorize access="hasRole('ROLE_ADMINISTRATOR')">
<div class="sectionHead" style="padding-top: 0;">
<spring:message code='admin.index.userManagement' />
</div>
<div class="sectionContent">
<h5>
<spring:message code='admin.index.list' />
<spring:message code='admin.index.allUsersWhoLoggedIn' />
<a href="${contextPath}/admin/account/show-online-users">
Expand All @@ -76,34 +76,34 @@
<spring:message code='thisMonth' /></a> |
<a href="${contextPath}/admin/account/show-recent-users?duration=thisYear">
<spring:message code='thisYear' /></a>
</sec:authorize>
</h5>
<h5>
<spring:message code='admin.index.find' />
<a href="${contextPath}/admin/account/lookupuser?userType=teacher">
<spring:message code='teacher_cap' /></a> |
<a href="${contextPath}/admin/account/lookupuser?userType=student">
<spring:message code='student_cap' /></a>
</h5>
<h5>
<spring:message code='admin.index.list' />
<a href="${contextPath}/admin/account/show-all-users?userType=teacher">
<spring:message code='admin.index.allTeachers' /></a> |
<a href="${contextPath}/admin/account/show-all-users?userType=student">
<spring:message code='admin.index.allStudents' /></a>
</h5>
<h5>
<spring:message code='admin.index.find' />
<a href="${contextPath}/admin/account/lookupuser?userType=teacher">
<spring:message code='teacher_cap' /></a> |
<a href="${contextPath}/admin/account/lookupuser?userType=student">
<spring:message code='student_cap' /></a>
</h5>
<h5>
<spring:message code='admin.index.list' />
<a href="${contextPath}/admin/account/show-all-users?userType=teacher">
<spring:message code='admin.index.allTeachers' /></a> |
<a href="${contextPath}/admin/account/show-all-users?userType=student">
<spring:message code='admin.index.allStudents' /></a>

</h5>
<h5>
<a href="${contextPath}/admin/account/enabledisableuser">
<spring:message code='admin.index.enableDisableUser' /></a>
</h5>
<c:if test="${isBatchCreateUserAccountsEnabled}">
</h5>
<h5>
<a href="${contextPath}/admin/account/batchcreateuseraccounts.html">
<spring:message code='admin.index.batchCreateUserAccounts' /></a>
<a href="${contextPath}/admin/account/enabledisableuser">
<spring:message code='admin.index.enableDisableUser' /></a>
</h5>
</c:if>
</div>
<c:if test="${isBatchCreateUserAccountsEnabled}">
<h5>
<a href="${contextPath}/admin/account/batchcreateuseraccounts.html">
<spring:message code='admin.index.batchCreateUserAccounts' /></a>
</h5>
</c:if>
</div>
</sec:authorize>

<div class="sectionHead">
<spring:message code='admin.index.projectRunManagement' />
Expand Down
Loading