backend: check the team has access to the exercice/flag before doing the action

2019-02-05 03:24:52 +01:00 · 2019-02-05 03:24:52 +01:00 · 15d108497e
commit 15d108497e
parent ff7c89af9f
4 changed files with 29 additions and 5 deletions
--- a/backend/choices.go
+++ b/backend/choices.go
@ -25,6 +25,12 @@ func treatWantChoices(pathname string, team fic.Team) {
 		os.Remove(pathname)
 	} else if flag, err := fic.GetFlagKey(ask.FlagId); err != nil {
 		log.Println("[ERR]", err)
+	} else if !team.CanSeeFlag(flag) {
+		log.Println("[!!!] The team asks to display choices whereas it doesn't have access to the flag")
+	} else if exercice, err := flag.GetExercice(); err != nil {
+		log.Println("[ERR] Unable to retrieve the flag's underlying exercice:", err)
+	} else if !team.HasAccess(exercice) {
+		log.Println("[!!!] The team asks to display choices whereas it doesn't have access to the exercice")
 	} else if err = team.DisplayChoices(flag); err != nil {
 		log.Println("[ERR]", err)
 	} else {
--- a/backend/hint.go
+++ b/backend/hint.go
@ -25,14 +25,16 @@ func treatOpeningHint(pathname string, team fic.Team) {
 		log.Println("[WRN] Invalid content in hint file: ", pathname)
 		os.Remove(pathname)
 	} else if hint, err := fic.GetHint(ask.HintId); err != nil {
-		log.Println("[ERR]", err)
+		log.Println("[ERR] Unable to retrieve the given hint:", err)
+	} else if exercice, err := hint.GetExercice(); err != nil {
+		log.Println("[ERR] Unable to retrieve the hint's underlying exercice:", err)
+	} else if !team.HasAccess(exercice) {
+		log.Println("[!!!] The team asks to open an hint whereas it doesn't have access to the exercice")
 	} else if err = team.OpenHint(hint); err != nil {
-		log.Println("[ERR]", err)
+		log.Println("[ERR] Unable to open hint", err)
 	} else {
 		// Write event
-		if exercice, err := hint.GetExercice(); err != nil {
-			log.Println("[WRN]", err)
-		} else if lvl, err := exercice.GetLevel(); err != nil {
+		if lvl, err := exercice.GetLevel(); err != nil {
 			log.Println("[WRN]", err)
 		} else if theme, err := fic.GetTheme(exercice.IdTheme); err != nil {
 			log.Println("[WRN]", err)
--- a/backend/submission.go
+++ b/backend/submission.go
@ -43,6 +43,12 @@ func treatSubmission(pathname string, team fic.Team, exercice_id string) {
 		return
 	}

+	// Check the team can access this exercice
+	if !team.HasAccess(exercice) {
+		log.Println("[!!!] The team submits something for an exercice it doesn't have access yet")
+		return
+	}
+
 	// Find the corresponding theme
 	theme, err := fic.GetTheme(exercice.IdTheme)
 	if err != nil {
--- a/libfic/flag_key.go
+++ b/libfic/flag_key.go
@ -266,3 +266,13 @@ func (k FlagKey) Check(v interface{}) int {
 func (k FlagKey) FoundBy(t Team) {
 	DBExec("INSERT INTO flag_found (id_flag, id_team, time) VALUES (?, ?, ?)", k.Id, t.Id, time.Now())
 }
+
+// GetExercice returns the parent Exercice where this flag can be found.
+func (k FlagKey) GetExercice() (Exercice, error) {
+	var eid int64
+	if err := DBQueryRow("SELECT id_exercice FROM exercice_flags WHERE id_flag = ?", k.Id).Scan(&eid); err != nil {
+		return Exercice{}, err
+	}
+
+	return GetExercice(eid)
+}