diff --git a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
index e76d3e141..7840cf7ce 100644
--- a/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
+++ b/webgoat-container/src/main/java/org/owasp/webgoat/lessons/model/LessonInfoModel.java
@@ -20,16 +20,22 @@ public class LessonInfoModel {
 public LessonInfoModel(WebSession webSession) {
 AbstractLesson lesson = webSession.getCurrentLesson();
- //TODO make these first class citizens of the lesson itself; and stop passing the session all over
+ //TODO make these first class citizens of the lesson itself; and stop passing the session all over ... and generally tighten the checks up
 this.hasSource = !lesson.getSource(webSession).contains("Could not find the source file or source file does not exist");
 this.hasPlan = !lesson.getSource(webSession).contains("Could not find lesson plan");
 this.hasSolution = !lesson.getSolution(webSession).contains("Could not find the solution file or solution file does not exist");
 this.lessonTitle = lesson.getTitle();
- this.numberHints = lesson.getHintCount(webSession);
- if (lesson.getCategory().equals(Category.CHALLENGE) || this.numberHints < 1 || lesson.getHint(webSession,0).equals("Hint: There are no hints defined.")) {
+
+ if ( this.numberHints < 1 || lesson.getHint(webSession,0).equals("Hint: There are no hints defined.")) {
 this.numberHints = 0;
 }
+ //special challenge case
+ if (lesson.getCategory().equals(Category.CHALLENGE)) {
+ this.numberHints = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)) ? lesson.getHintCount(webSession) : 0;
+ this.hasSource = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS));
+ this.hasSolution = (lesson.isAuthorized(webSession, AbstractLesson.CHALLENGE_ROLE, WebSession.SHOWHINTS)); //assuming we want this as well
+ }
 }
 // GETTERS
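Review bot: On the new side `this.numberHints` is no longer assigned from `lesson.getHintCount(webSession)` before the `this.numberHints < 1` test, so as the hunk reads the test sees the field's initial value and every non-challenge lesson would end up with zero hints; unless the field is initialised outside the hunk, keep `this.numberHints = lesson.getHintCount(webSession);` ahead of that `if`. In the challenge branch, `hasSource` and `hasSolution` are overwritten with the authorization result alone, which discards the existence checks made a few lines earlier and reports source and solution as available to an authorized user even when the file was not found; evaluating `isAuthorized(...)` once into a local and writing `this.hasSource = this.hasSource && authorized;` (and the same for `hasSolution`) keeps both conditions. These flags appear to control only what the UI offers, so the handlers that actually serve hints, source and solution for challenge lessons presumably need the same `isAuthorized` check; that is worth confirming, since they are not part of this hunk.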