From a068c4f279a3c13e240b536ae86af9a36d43ad11 Mon Sep 17 00:00:00 2001
From: Matti Lupari
Date: Tue, 25 Jun 2024 18:33:36 +0300
Subject: [PATCH] CSCEXAM-1237 Prohibit copying an exam without privileges
---
 app/controllers/ExamController.java | 8 +++++++-
 .../teacher/categories/exam-list-category.component.ts | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/app/controllers/ExamController.java b/app/controllers/ExamController.java
index d38a50843..d125181e1 100644
--- a/app/controllers/ExamController.java
+++ b/app/controllers/ExamController.java
@@ -441,6 +441,13 @@ public Result updateExamLanguage(Long eid, String code, Http.Request request) {
 @Restrict({ @Group("TEACHER"), @Group("ADMIN") })
 public Result copyExam(Long id, Http.Request request) {
 User user = request.attrs().get(Attrs.AUTHENTICATED_USER);
+ String examinationType = formFactory.form().bindFromRequest(request).get("examinationType");
+ if (
+ Exam.Implementation.valueOf(examinationType) != Exam.Implementation.AQUARIUM &&
+ !user.hasPermission(Permission.Type.CAN_CREATE_BYOD_EXAM)
+ ) {
+ return forbidden("i18n_access_forbidden");
+ }
 Exam prototype = DB
 .find(Exam.class) // TODO: check if all this fetching is necessary
 .fetch("creator", "id")
@@ -463,7 +470,6 @@ public Result copyExam(Long id, Http.Request request) {
 return notFound("i18n_exam_not_found");
 }
 String type = formFactory.form().bindFromRequest(request).get("type");
- String examinationType = formFactory.form().bindFromRequest(request).get("examinationType");
 ExamExecutionType executionType = DB.find(ExamExecutionType.class).where().eq("type", type).findOne();
 if (executionType == null) {
 return notFound("i18n_execution_type_not_found");
diff --git a/ui/src/app/dashboard/staff/teacher/categories/exam-list-category.component.ts b/ui/src/app/dashboard/staff/teacher/categories/exam-list-category.component.ts
index b37401a30..9685bbb04 100644
--- a/ui/src/app/dashboard/staff/teacher/categories/exam-list-category.component.ts
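Review bot: `Exam.Implementation.valueOf(examinationType)` in the new guard is fed directly from the request form, so a missing `examinationType` throws NullPointerException and an unrecognised value throws IllegalArgumentException, which turns a malformed request into a 500 instead of an explicit rejection. Parse the value once into a local, answer `badRequest()` when it does not parse, and reuse the parsed enum wherever `examinationType` is consumed later in copyExam (that use, and the rest of the method, lie outside the hunk). The form is also bound twice, here and again at `String type = formFactory.form().bindFromRequest(request).get("type");` in the second hunk of this file; binding once and reading both fields from that one `Form` would avoid the duplicate work.
```java
User user = request.attrs().get(Attrs.AUTHENTICATED_USER);
String examinationType = formFactory.form().bindFromRequest(request).get("examinationType");
Exam.Implementation implementation;
try {
    implementation = Exam.Implementation.valueOf(examinationType);
} catch (IllegalArgumentException | NullPointerException e) {
    // missing or unknown examinationType: reject explicitly instead of failing with a 500
    return badRequest();
}
if (implementation != Exam.Implementation.AQUARIUM && !user.hasPermission(Permission.Type.CAN_CREATE_BYOD_EXAM)) {
    return forbidden("i18n_access_forbidden");
}
// … unchanged: prototype lookup and the rest of copyExam …
```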
+++ b/ui/src/app/dashboard/staff/teacher/categories/exam-list-category.component.ts
@@ -139,6 +139,7 @@ export class ExamListCategoryComponent implements OnInit, OnDestroy {
 this.toast.success(this.translate.instant('i18n_exam_copied'));
 this.router.navigate(['/staff/exams', resp.id, '1']);
 },
+ error: () => this.toast.error(this.translate.instant('i18n_error_access_forbidden')),
 });

 deleteExam = (exam: DashboardExam) => {
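Review bot: The new `error` callback discards the response, so every failure of the copy request, including the 404s the same endpoint returns for a missing exam or execution type in the Java hunks of this patch, is reported to the user as access forbidden. Branch on the response status so that only a 403 shows `i18n_error_access_forbidden`, e.g. `error: (err) => { if (err.status === 403) { this.toast.error(this.translate.instant('i18n_error_access_forbidden')); } else { /* route to the component's existing error reporting */ } }`, with the non-403 branch delegating to whatever generic error handling the component already uses (not visible in this hunk). The enclosing subscribe call starts outside the hunk.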