From b6cecf53aa0090e5df3c60d3782f8ab4b7016cc2 Mon Sep 17 00:00:00 2001
From: Sebastian Serth
Date: Thu, 17 Nov 2022 21:37:45 +0100
Subject: [PATCH] Pundit: Skip authorization in case of errors
Fixes CODEOCEAN-F3
---
 app/controllers/live_streams_controller.rb | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/app/controllers/live_streams_controller.rb b/app/controllers/live_streams_controller.rb
index 5134f806..a5a2047e 100644
--- a/app/controllers/live_streams_controller.rb
+++ b/app/controllers/live_streams_controller.rb
@@ -6,15 +6,14 @@ class LiveStreamsController < ApplicationController
 include ActionController::Live
 def download_submission_file
- begin
- @submission = authorize AuthenticatedUrlHelper.retrieve!(Submission, request, force_render_host: false)
- rescue Pundit::NotAuthorizedError
- # TODO: Option to disable?
- # Using the submission ID parameter would allow looking up the corresponding exercise ID
- # Therefore, we just redirect to the root_path, but actually expect to redirect back (that should work!)
- return redirect_back(fallback_location: root_path, alert: t('exercises.download_file_tree.gone'))
- end
-
+ @submission = authorize AuthenticatedUrlHelper.retrieve!(Submission, request, force_render_host: false)
+ rescue Pundit::NotAuthorizedError
+ # TODO: Option to disable?
+ # Using the submission ID parameter would allow looking up the corresponding exercise ID
+ # Therefore, we just redirect to the root_path, but actually expect to redirect back (that should work!)
+ skip_authorization
+ redirect_back(fallback_location: root_path, alert: t('exercises.download_file_tree.gone'))
+ else
 desired_file = params[:filename].to_s
 runner = Runner.for(current_user, @submission.exercise.execution_environment)
 fallback_location = implement_exercise_path(@submission.exercise)
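Review bot: The `skip_authorization` call added in the `rescue Pundit::NotAuthorizedError` branch has no comment saying why bypassing the Pundit check is safe there, and the TODO lines above it describe the redirect rather than the skip. I would add `# Nothing from the submission is rendered on this path; skip_authorization only satisfies the verify_authorized callback for the redirect` (assuming an `after_action :verify_authorized` exists in a parent controller, which this hunk does not show). The denial is also swallowed without a trace, so a log line such as `Rails.logger.info("download_submission_file: authorization failed")` before the redirect would make repeated invalid or expired download URLs visible to operators. The method-level `rescue … else` keeps the rest of the action outside the rescue scope, which is correct; the `else` body continues past the end of the hunk.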