From 9bd900bd86a61ddcd2a3b767b3c6728fdf1ce468 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Thu, 17 Nov 2022 20:38:42 +0100
Subject: [PATCH] Raise NotAuthorized Error if ID cannot be found
Fixes CODEOCEAN-F3
---
 app/helpers/authenticated_url_helper.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/helpers/authenticated_url_helper.rb b/app/helpers/authenticated_url_helper.rb
index d650a7aa..3a3c6be1 100644
--- a/app/helpers/authenticated_url_helper.rb
+++ b/app/helpers/authenticated_url_helper.rb
@@ -29,7 +29,11 @@ module AuthenticatedUrlHelper
 end
 cookie_name = AuthenticatedUrlHelper.cookie_name_for(:render_file_token)
- object = klass.find(request.parameters[:id])
+ begin
+ object = klass.find(request.parameters[:id])
+ rescue ActiveRecord::RecordNotFound
+ raise Pundit::NotAuthorizedError
+ end
 signed_url = request.parameters[TOKEN_PARAM].present? ? request.url : cookies[cookie_name]
 # Throws an exception if the token is not matching the object or has expired
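Review bot: The new `rescue ActiveRecord::RecordNotFound` branch carries no comment explaining why a missing record is reported as an authorization failure, so a later cleanup could turn it back into a 404. If the intent is that a request for a non-existent ID should look the same as one with an invalid or expired token, so the endpoint does not reveal which IDs exist, say so above the `begin`, e.g. `# Report a missing record like a failed token check so responses do not reveal which IDs exist`. Whether both cases really produce the same response depends on the application's handler for `Pundit::NotAuthorizedError`, which is not visible in this hunk; a spec for the unknown-ID case would pin that behaviour. The enclosing method starts and ends outside the hunk.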