Description:
fix access right control bugs
Commit status:
[Not Reviewed]
References:
Diff options:
Comments:
0 Commit comments
0 Inline Comments
Unresolved TODOs:
There are no unresolved TODOs
Author
-
r683:d4ac431eeeb6 - - 2 files changed: 9 inserted, 7 deleted
| @@ -1,9 +1,9 | |||
|
|
1 | 1 | class SubmissionsController < ApplicationController |
|
|
2 | 2 | before_action :authenticate |
|
|
3 |
- before_action :submission_authorization, only: [:show, |
|
|
|
3 | + before_action :submission_authorization, only: [:show, :download, :edit] | |
|
|
4 | 4 | before_action :admin_authorization, only: [:rejudge] |
|
|
5 | 5 | |
|
|
6 | 6 | # GET /submissions |
|
|
7 | 7 | # GET /submissions.json |
|
|
8 | 8 | # Show problem selection and user's submission of that problem |
|
|
9 | 9 | def index |
| @@ -48,16 +48,19 | |||
|
|
48 | 48 | end |
|
|
49 | 49 | end |
|
|
50 | 50 | |
|
|
51 | 51 | #on-site new submission on specific problem |
|
|
52 | 52 | def direct_edit_problem |
|
|
53 | 53 | @problem = Problem.find(params[:problem_id]) |
|
|
54 | + unless @current_user.can_view_problem?(@problem) | |
|
|
55 | + unauthorized_redirect | |
|
|
56 | + return | |
|
|
57 | + end | |
|
|
54 | 58 | @source = '' |
|
|
55 |
- if (params[: |
|
|
|
56 | - u = User.find(params[:user_id]) | |
|
|
57 | - @submission = Submission.find_last_by_user_and_problem(u.id,@problem.id) | |
|
|
59 | + if (params[:view_latest]) | |
|
|
60 | + sub = Submission.find_last_by_user_and_problem(@current_user.id,@problem.id) | |
|
|
58 | 61 | @source = @submission.source.to_s if @submission and @submission.source |
|
|
59 | 62 | end |
|
|
60 | 63 | render 'edit' |
|
|
61 | 64 | end |
|
|
62 | 65 | |
|
|
63 | 66 | # GET /submissions/1/edit |
| @@ -96,14 +99,13 | |||
|
|
96 | 99 | #admin always has privileged |
|
|
97 | 100 | if @current_user.admin? |
|
|
98 | 101 | return true |
|
|
99 | 102 | end |
|
|
100 | 103 | |
|
|
101 | 104 | sub = Submission.find(params[:id]) |
|
|
102 | - if sub.problem.available? | |
|
|
103 | - puts "sub = #{sub.user.id}, current = #{@current_user.id}" | |
|
|
105 | + if @current_user.available_problems.include? sub.problem | |
|
|
104 | 106 | return true if GraderConfiguration["right.user_view_submission"] or sub.user == @current_user |
|
|
105 | 107 | end |
|
|
106 | 108 | |
|
|
107 | 109 | #default to NO |
|
|
108 | 110 | unauthorized_redirect |
|
|
109 | 111 | return false |
| @@ -149,13 +149,13 | |||
|
|
149 | 149 | errors.add('problem',"must be specified.") |
|
|
150 | 150 | else |
|
|
151 | 151 | #admin always have right |
|
|
152 | 152 | return if self.user.admin? |
|
|
153 | 153 | |
|
|
154 | 154 | #check if user has the right to submit the problem |
|
|
155 | - errors.add('problem',"must be valid.") if (!self.user.available_problem.include?(self.problem)) and (self.new_record?) | |
|
|
155 | + errors.add('problem',"must be valid.") if (!self.user.available_problems.include?(self.problem)) and (self.new_record?) | |
|
|
156 | 156 | end |
|
|
157 | 157 | end |
|
|
158 | 158 | |
|
|
159 | 159 | # callbacks |
|
|
160 | 160 | def assign_latest_number_if_new_recond |
|
|
161 | 161 | return if !self.new_record? |
You need to be logged in to leave comments.
Login now