cafe-grader-web Commit - r683:d4ac431eeeb6

cafe-grader-web

Commit `r683:d4ac431eeeb6` public

parent | child

Description:

fix access right control bugs

Commit status:

[Not Reviewed]

References:

java

Diff options:

| | | |

Comments:

0 Commit comments 0 Inline Comments

Unresolved TODOs:

There are no unresolved TODOs

Add another comment

r683:d4ac431eeeb6 - Sun, 17 Sep 2017 08:17:08 - 2 files changed: 9 inserted, 7 deleted

app/controllers/submissions_controller.rb ¶ +8 -6

               class SubmissionsController < ApplicationController
                 before_action :authenticate
-            -   before_action :submission_authorization, only: [:show, :direct_edit_submission, :download, :edit]
+            +   before_action :submission_authorization, only: [:show, :download, :edit]
                 before_action :admin_authorization, only: [:rejudge]
                 # GET /submissions
                 # GET /submissions.json
                 # Show problem selection and user's submission of that problem
                 def index
                   @user = @current_user
                   @problems = @user.available_problems
                   if params[:problem_id]==nil
                     @problem = nil
                     @submissions = nil
                   else
                     @problem = Problem.find_by_id(params[:problem_id])
                     if (@problem == nil) or (not @problem.available)
                       redirect_to main_list_path
                       flash[:notice] = 'Error: submissions for that problem are not viewable.'
                       return
                     end
                     @submissions = Submission.find_all_by_user_problem(@user.id, @problem.id).order(id: :desc)
                   end
                 end
                 # GET /submissions/1
                   @submission = Submission.find(params[:id])
                   #log the viewing
                   user = User.find(session[:user_id])
                   SubmissionViewLog.create(user_id: session[:user_id],submission_id: @submission.id) unless user.admin?
                   @task = @submission.task
                 end
                 def download
                   @submission = Submission.find(params[:id])
                   send_data(@submission.source, {:filename => @submission.download_filename, :type => 'text/plain'})
                 end
                 def compiler_msg
                   @submission = Submission.find(params[:id])
                   respond_to do |format|
                     format.js
                   end
                 end
                 #on-site new submission on specific problem
                 def direct_edit_problem
                   @problem = Problem.find(params[:problem_id])
+            +     unless @current_user.can_view_problem?(@problem)
+            +       unauthorized_redirect
+            +       return
+            +     end
                   @source = ''
-            -     if (params[:user_id])
+            +     if (params[:view_latest])
-            -       u = User.find(params[:user_id])
+            +       sub = Submission.find_last_by_user_and_problem(@current_user.id,@problem.id)
-            -       @submission = Submission.find_last_by_user_and_problem(u.id,@problem.id)
                     @source = @submission.source.to_s if @submission and @submission.source
                   end
                   render 'edit'
                 end
                 # GET /submissions/1/edit
                 def edit
                   @submission = Submission.find(params[:id])
                   @source = @submission.source.to_s
                   @problem = @submission.problem
                   @lang_id = @submission.language.id
                 end
                 def get_latest_submission_status
                   @problem = Problem.find(params[:pid])
                   @submission = Submission.find_last_by_user_and_problem(params[:uid],params[:pid])
                   puts User.find(params[:uid]).login
                   puts Problem.find(params[:pid]).name
                   puts 'nil' unless @submission
                   respond_to do |format|
                     format.js
                   end
                 end
                 # GET /submissions/:id/rejudge
                 def rejudge
                   @submission = Submission.find(params[:id])
                   @task = @submission.task
                   @task.status_inqueue! if @task
                   respond_to do |format|
                     format.js
                   end
                 end
               protected
                 def submission_authorization
                   #admin always has privileged
                   if @current_user.admin?
                     return true
                   end
                   sub = Submission.find(params[:id])
-            -     if sub.problem.available?
+            +     if @current_user.available_problems.include? sub.problem
-            -       puts "sub = #{sub.user.id}, current = #{@current_user.id}"
                     return true if GraderConfiguration["right.user_view_submission"] or sub.user == @current_user
                   end
                   #default to NO
                   unauthorized_redirect
                   return false
                 end
               end

app/models/submission.rb ¶ +1 -1

                                                                      self.source_filename)
                 end
                 # validation codes
                 def must_specify_language
                   return if self.source==nil
                   # for output_only tasks
                   return if self.problem!=nil and self.problem.output_only
                   if self.language==nil
                     errors.add('source',"Cannot detect language. Did you submit a correct source file?") unless self.language!=nil
                   end
                 end
                 def must_have_valid_problem
                   return if self.source==nil
                   if self.problem==nil
                     errors.add('problem',"must be specified.")
                   else
                     #admin always have right
                     return if self.user.admin?
                     #check if user has the right to submit the problem
-            -       errors.add('problem',"must be valid.") if (!self.user.available_problem.include?(self.problem)) and (self.new_record?)
+            +       errors.add('problem',"must be valid.") if (!self.user.available_problems.include?(self.problem)) and (self.new_record?)
                   end
                 end
                 # callbacks
                 def assign_latest_number_if_new_recond
                   return if !self.new_record?
                   latest = Submission.find_last_by_user_and_problem(self.user_id, self.problem_id)
                   self.number = (latest==nil) ? 1 : latest.number + 1;
                 end
               end

Write
Preview

You need to be logged in to leave comments. Login now

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository permissions settings

Sign in to your account

Author

r683:d4ac431eeeb6 - Sun, 17 Sep 2017 08:17:08 - 2 files changed: 9 inserted, 7 deleted

Sign in to your account

Commit r683:d4ac431eeeb6 public

Author

r683:d4ac431eeeb6 - Sun, 17 Sep 2017 08:17:08 - 2 files changed: 9 inserted, 7 deleted

Commit `r683:d4ac431eeeb6` public