From 857f6466780b98e5af8dfe9b66253683c5f1629e Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Tue, 3 Dec 2024 10:55:28 +0100
Subject: [PATCH 1/2] Upgrade Spring Boot version to address many security
 vulnerabilities (#52)

Fixes #28 ([CVE-2024-38809](https://spring.io/security/cve-2024-38809)), #29 ([CVE-2024-38816](https://spring.io/security/cve-2024-38816)), and #46 ([CVE-2024-38820](https://spring.io/security/cve-2024-38820))

Chose to stay on the 3.2 Spring Boot train despite 3.4 being out. Waiting for a more conscious decision to do the upgrade in case there are other changes required.

Luckily none of the preconditions of the vulnerabilities were true for SciPro so they could not be exploited.

Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/52
Reviewed-by: Tom Zhao <tom.zhao@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index e69b87c989..8448e670cf 100755
--- a/pom.xml
+++ b/pom.xml
@@ -101,7 +101,7 @@
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>
-                <version>3.2.5</version>
+                <version>3.2.12</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>

From c6bd17d9ad5124a9cb334701a181bc4a06a83653 Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Mon, 16 Dec 2024 11:24:33 +0100
Subject: [PATCH 2/2] Fix grade calculator being serialized (#59)

The new calculator that's based on templates has a reference to the @Entity for the template which should not be serialized.

Fixes #40

## How to test/replicate
1. Log in as a supervisor
1. Open a project that's new enough to use a grading report template with grade limits
1. Go to the "Finishing up" tab
1. Go to the sub-tab for an individual author

Reviewed-on: https://gitea.dsv.su.se/DMC/scipro/pulls/59
Reviewed-by: Nico Athanassiadis <nico@dsv.su.se>
Co-authored-by: Andreas Svanberg <andreass@dsv.su.se>
Co-committed-by: Andreas Svanberg <andreass@dsv.su.se>
---
 .../su/dsv/scipro/report/GradeCalculator.java |  4 +---
 .../grading/GradingReportPointsPanel.java     | 20 ++++++-------------
 .../IndividualAuthorAssessmentPanel.java      |  4 ++--
 .../grading/GradingReportPointsPanelTest.java |  2 +-
 4 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/core/src/main/java/se/su/dsv/scipro/report/GradeCalculator.java b/core/src/main/java/se/su/dsv/scipro/report/GradeCalculator.java
index 55cd0c3343..67abd527b3 100644
--- a/core/src/main/java/se/su/dsv/scipro/report/GradeCalculator.java
+++ b/core/src/main/java/se/su/dsv/scipro/report/GradeCalculator.java
@@ -1,8 +1,6 @@
 package se.su.dsv.scipro.report;
 
-import java.io.Serializable;
-
-public interface GradeCalculator extends Serializable {
+public interface GradeCalculator {
     GradingReport.Grade getGrade(GradingReport gradingReport);
 
     long getPoints(GradingReport gradingReport);
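Review bot: `GradeCalculator` carries no Javadoc recording why it is deliberately not `Serializable`, so a later change could re-add the supertype or store an implementation in a component field again. The commit message explains that the template-based calculator references an `@Entity`; that reasoning belongs on the interface, for example `/** Not Serializable: implementations may reference JPA entities. Wicket components must hold it behind a detachable IModel that resolves it per request. */`. The interface body continues outside the hunk.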
diff --git a/view/src/main/java/se/su/dsv/scipro/grading/GradingReportPointsPanel.java b/view/src/main/java/se/su/dsv/scipro/grading/GradingReportPointsPanel.java
index 593ee532c5..4f95d80881 100644
--- a/view/src/main/java/se/su/dsv/scipro/grading/GradingReportPointsPanel.java
+++ b/view/src/main/java/se/su/dsv/scipro/grading/GradingReportPointsPanel.java
@@ -4,7 +4,6 @@ import org.apache.wicket.markup.html.WebMarkupContainer;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.panel.Panel;
 import org.apache.wicket.model.IModel;
-import org.apache.wicket.model.LoadableDetachableModel;
 import se.su.dsv.scipro.components.OppositeVisibility;
 import se.su.dsv.scipro.report.GradeCalculator;
 import se.su.dsv.scipro.report.GradingReport;
@@ -18,15 +17,13 @@ public class GradingReportPointsPanel extends Panel {
     public GradingReportPointsPanel(
         String id,
         final IModel<? extends GradingReport> gradingReportIModel,
-        final GradeCalculator gradeCalculator
+        final IModel<GradeCalculator> gradeCalculator
     ) {
         super(id, gradingReportIModel);
-        final IModel<GradingReport.Grade> gradeModel = new LoadableDetachableModel<>() {
-            @Override
-            protected GradingReport.Grade load() {
-                return gradingReportIModel.getObject().getGrade(gradeCalculator);
-            }
-        };
+        final IModel<GradingReport.Grade> gradeModel = gradingReportIModel.combineWith(
+            gradeCalculator,
+            GradingReport::getGrade
+        );
         final Label grade = new Label(GRADE, gradeModel.map(GradingReport.Grade::name)) {
             @Override
             protected void onConfigure() {
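Review bot: The models built with `combineWith` here, and for `points` in the next hunk, do not behave like the `LoadableDetachableModel`s they replace. As far as I know, Wicket's combined model re-applies the function on every `getObject()` and yields null when either source object is null, whereas the removed models computed once per request and would have thrown on a null report. If `getGrade`/`getPoints` are not cheap, or a missing report should remain an error, that difference should be a deliberate choice. The constructor also needs a Javadoc line stating the contract of the new parameter, since the model is serialized with the page: `@param gradeCalculator detachable model that resolves the calculator per request; must not hold the instance`. The anonymous `Label` continues outside the hunk.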
@@ -36,12 +33,7 @@ public class GradingReportPointsPanel extends Panel {
         };
         add(grade);
 
-        final IModel<Long> points = new LoadableDetachableModel<>() {
-            @Override
-            protected Long load() {
-                return gradingReportIModel.getObject().getPoints(gradeCalculator);
-            }
-        };
+        final IModel<Long> points = gradingReportIModel.combineWith(gradeCalculator, GradingReport::getPoints);
         add(new Label(POINTS_LABEL, points));
 
         add(new WebMarkupContainer(NO_GRADE_EXPLANATION).add(new OppositeVisibility(grade)));
diff --git a/view/src/main/java/se/su/dsv/scipro/grading/IndividualAuthorAssessmentPanel.java b/view/src/main/java/se/su/dsv/scipro/grading/IndividualAuthorAssessmentPanel.java
index 6d4ba8e0d6..c9c0938a58 100644
--- a/view/src/main/java/se/su/dsv/scipro/grading/IndividualAuthorAssessmentPanel.java
+++ b/view/src/main/java/se/su/dsv/scipro/grading/IndividualAuthorAssessmentPanel.java
@@ -271,8 +271,8 @@ public class IndividualAuthorAssessmentPanel extends GenericPanel<User> {
                 new TemplatePanel("points_to_grade_conversion", gradingReport.map(SupervisorGradingReport::getProject))
             );
 
-            GradeCalculator supervisorCalculator = gradeCalculatorService.getSupervisorCalculator(
-                gradingReport.getObject().getProject()
+            IModel<GradeCalculator> supervisorCalculator = LoadableDetachableModel.of(() ->
+                gradeCalculatorService.getSupervisorCalculator(gradingReport.getObject().getProject())
             );
             add(new GradingReportPointsPanel("points", gradingReport, supervisorCalculator));
 
diff --git a/view/src/test/java/se/su/dsv/scipro/grading/GradingReportPointsPanelTest.java b/view/src/test/java/se/su/dsv/scipro/grading/GradingReportPointsPanelTest.java
index caa5835e3f..f358d419e6 100644
--- a/view/src/test/java/se/su/dsv/scipro/grading/GradingReportPointsPanelTest.java
+++ b/view/src/test/java/se/su/dsv/scipro/grading/GradingReportPointsPanelTest.java
@@ -62,7 +62,7 @@ public class GradingReportPointsPanelTest extends SciProTest {
 
     private void startPanel() {
         panel = tester.startComponentInPage(
-            new GradingReportPointsPanel("id", Model.of(gradingReport), gradeCalculator)
+            new GradingReportPointsPanel("id", Model.of(gradingReport), () -> gradeCalculator)
         );
     }
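Review bot: `() -> gradeCalculator` appears to capture the calculator instance inside the model, which is the holding pattern this commit removes from production code, and nothing in the visible test asserts that the panel can be serialized. A regression test for #40 would start the panel with a calculator that is not `Serializable` behind a `LoadableDetachableModel`, render it, and then serialize the page, so that a reintroduced reference fails the build. A short comment on this line, such as `// test-only: captures the mock; production callers must pass a detachable model`, would keep the lambda from being copied into view code.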