From caaa52409e3cae7365388e520be97dfe0397b2fb Mon Sep 17 00:00:00 2001
From: "tobias.kantusch"
Date: Thu, 22 Apr 2021 16:56:56 +0200
Subject: [PATCH] Avoid that files from other exercises can be created
---
 app/controllers/concerns/file_parameters.rb | 3 ++-
 app/controllers/concerns/submission_parameters.rb | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/app/controllers/concerns/file_parameters.rb b/app/controllers/concerns/file_parameters.rb
index 850195d3..268749a0 100644
--- a/app/controllers/concerns/file_parameters.rb
+++ b/app/controllers/concerns/file_parameters.rb
@@ -5,7 +5,8 @@ module FileParameters
 if Exercise.exists?(id: exercise_id) && params
 params.reject do |_, file_attributes|
 file = CodeOcean::File.find_by(id: file_attributes[:file_id])
- file.nil? || file.hidden || file.read_only
+ # avoid that public files from other contexts can be created
+ file.nil? || file.hidden || file.read_only || file.context_id != exercise_id.to_i
 end
 else
 []
diff --git a/app/controllers/concerns/submission_parameters.rb b/app/controllers/concerns/submission_parameters.rb
index b865f4b6..ddc8223d 100644
--- a/app/controllers/concerns/submission_parameters.rb
+++ b/app/controllers/concerns/submission_parameters.rb
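Review bot: The added guard compares only `file.context_id` with the exercise id, so a file attached to a different kind of context record that happens to share the same numeric id would still pass the filter; if `context` is a polymorphic association here (a `context_type` column beside `context_id`), the check should pin the type too, e.g. `file.context_id != exercise_id.to_i || file.context_type != 'Exercise'` — that column is not visible in this hunk, so confirm against the `CodeOcean::File` model. The `exercise_id.to_i` here now duplicates the coercion the companion hunk in submission_parameters.rb performs at the call site; keeping the conversion in one place makes the expected type of `exercise_id` unambiguous. The enclosing method starts before and ends after this hunk.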
@@ -9,7 +9,7 @@ module SubmissionParameters
 # The study_group_id might not be present in the session (e.g. for internal users), resulting in session[:study_group_id] = nil which is intended.
 submission_params = params[:submission].present? ? params[:submission].permit(:cause, :exercise_id, files_attributes: file_attributes).merge(user_id: current_user_id, user_type: current_user_class_name, study_group_id: session[:study_group_id]) : {}
 files_attributes = submission_params[:files_attributes] || []
- submission_params[:files_attributes] = reject_illegal_file_attributes(submission_params[:exercise_id], files_attributes)
+ submission_params[:files_attributes] = reject_illegal_file_attributes(submission_params[:exercise_id].to_i, files_attributes)
 submission_params
 end
 private :submission_params
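Review bot: `submission_params[:exercise_id].to_i` silently turns a missing or non-numeric id into 0 and a value like `"12abc"` into 12, so malformed input is accepted rather than surfaced; since `reject_illegal_file_attributes` already guards with `Exercise.exists?(id: exercise_id)` and, after the companion hunk, applies `.to_i` itself, this call-site coercion is redundant and can be dropped, or replaced with `Integer(submission_params[:exercise_id], exception: false)` if the intent is to treat non-numeric ids as absent. Pick one location for the conversion so the type contract of `reject_illegal_file_attributes` is stated once. The `submission_params` method begins before this hunk.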