From 1f3c9db53789dcf9c571278da85249ea93f160f3 Mon Sep 17 00:00:00 2001
From: "tobias.kantusch"
Date: Thu, 22 Apr 2021 13:51:19 +0200
Subject: [PATCH] Reject illegal file attributes in remote evaluation Remove ! from reject illegal file parameters
---
 app/controllers/concerns/file_parameters.rb | 16 +++++++++++++++-
 .../concerns/submission_parameters.rb | 13 ++-----------
 app/controllers/remote_evaluation_controller.rb | 1 +
 3 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/app/controllers/concerns/file_parameters.rb b/app/controllers/concerns/file_parameters.rb
index 295b66c3..850195d3 100644
--- a/app/controllers/concerns/file_parameters.rb
+++ b/app/controllers/concerns/file_parameters.rb
@@ -1,6 +1,20 @@
+# frozen_string_literal: true
+
 module FileParameters
+ def reject_illegal_file_attributes(exercise_id, params)
+ if Exercise.exists?(id: exercise_id) && params
+ params.reject do |_, file_attributes|
+ file = CodeOcean::File.find_by(id: file_attributes[:file_id])
+ file.nil? || file.hidden || file.read_only
+ end
+ else
+ []
+ end
+ end
+ private :reject_illegal_file_attributes
+
 def file_attributes
- %w(content context_id feedback_message file_id file_type_id hidden id name native_file path read_only role weight file_template_id)
+ %w[content context_id feedback_message file_id file_type_id hidden id name native_file path read_only role weight file_template_id]
 end
 private :file_attributes
 end
diff --git a/app/controllers/concerns/submission_parameters.rb b/app/controllers/concerns/submission_parameters.rb
index effa8ddc..b865f4b6 100644
--- a/app/controllers/concerns/submission_parameters.rb
+++ b/app/controllers/concerns/submission_parameters.rb
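Review bot: In `app/controllers/concerns/file_parameters.rb`, `reject_illegal_file_attributes` uses `exercise_id` only for the `Exercise.exists?` check, while `CodeOcean::File.find_by(id: file_attributes[:file_id])` looks the file up without reference to that exercise, so an entry whose `file_id` points at a visible, writable file of some other exercise passes the filter. Since the exercise is now an explicit argument, the block should also reject entries whose file does not belong to it; how the model records ownership is not visible in this hunk, so the exact condition has to come from the `CodeOcean::File` model. The `else` branch returns `[]` while the block destructures key/value pairs, so the two paths return different kinds of object; a header comment such as `# Returns the entries whose file exists and is neither hidden nor read-only; [] if the exercise is unknown or params is nil` would make that contract explicit.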
@@ -1,16 +1,6 @@
 module SubmissionParameters
 include FileParameters
- def reject_illegal_file_attributes!(submission_params)
- if Exercise.exists?(id: submission_params[:exercise_id])
- submission_params[:files_attributes].try(:reject!) do |_, file_attributes|
- file = CodeOcean::File.find_by(id: file_attributes[:file_id])
- file.nil? || file.hidden || file.read_only
- end
- end
- end
- private :reject_illegal_file_attributes!
-
 def submission_params
 if current_user
 current_user_id = current_user.id
@@ -18,7 +8,8 @@ module SubmissionParameters
 end
 # The study_group_id might not be present in the session (e.g. for internal users), resulting in session[:study_group_id] = nil which is intended.
 submission_params = params[:submission].present? ? params[:submission].permit(:cause, :exercise_id, files_attributes: file_attributes).merge(user_id: current_user_id, user_type: current_user_class_name, study_group_id: session[:study_group_id]) : {}
- reject_illegal_file_attributes!(submission_params)
+ files_attributes = submission_params[:files_attributes] || []
+ submission_params[:files_attributes] = reject_illegal_file_attributes(submission_params[:exercise_id], files_attributes)
 submission_params
 end
 private :submission_params
diff --git a/app/controllers/remote_evaluation_controller.rb b/app/controllers/remote_evaluation_controller.rb
index e3a3aa7e..d2513452 100644
--- a/app/controllers/remote_evaluation_controller.rb
+++ b/app/controllers/remote_evaluation_controller.rb
@@ -62,6 +62,7 @@ class RemoteEvaluationController < ApplicationController
 _params[:user_id] = remote_evaluation_mapping.user_id
 _params[:cause] = cause
 _params[:user_type] = remote_evaluation_mapping.user_type
+ _params[:files_attributes] = reject_illegal_file_attributes(remote_evaluation_mapping.exercise_id, files_attributes)
 @submission = Submission.create(_params)
 score_submission(@submission)
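Review bot: In the second hunk of `app/controllers/concerns/submission_parameters.rb`, `submission_params[:files_attributes] = ...` now runs on every call, so the `{}` produced when `params[:submission]` is absent is returned as a hash holding `files_attributes: []` rather than an empty one. Callers outside this hunk that test the result for emptiness or presence would now get a different answer. A guard ahead of the two added lines, `return submission_params if submission_params.blank?`, keeps the previous shape for that case. `submission_params` begins in the previous hunk and its middle is not shown.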
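Review bot: In `app/controllers/remote_evaluation_controller.rb`, the added line passes `files_attributes`, which is defined outside this hunk, to a filter that only drops whole entries by `file_id`; it does not limit which keys each remaining entry carries. If `files_attributes` is not already restricted with `permit` the way `submission_params` does with `files_attributes: file_attributes`, the surviving entries reach `Submission.create(_params)` with whatever keys the client sent rather than that allow-list. The hunk also does not show `FileParameters` being included in this controller, and the diffstat records a single added line for the file, so the private helper must already be reachable here; that is worth confirming, together with a request spec that submits a hidden or read-only `file_id` to this endpoint and checks that it is dropped. The enclosing method starts and ends outside the hunk.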