From 15d108497e08a34a10922930a1765292083802ba Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Tue, 5 Feb 2019 03:24:52 +0100
Subject: [PATCH] backend: check the team has access to the exercice/flag before doing the action
---
 backend/choices.go | 6 ++++++
 backend/hint.go | 12 +++++++-----
 backend/submission.go | 6 ++++++
 libfic/flag_key.go | 10 ++++++++++
 4 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/backend/choices.go b/backend/choices.go
index 441d06bc..72599433 100644
--- a/backend/choices.go
+++ b/backend/choices.go
@@ -25,6 +25,12 @@ func treatWantChoices(pathname string, team fic.Team) {
 os.Remove(pathname)
 } else if flag, err := fic.GetFlagKey(ask.FlagId); err != nil {
 log.Println("[ERR]", err)
+ } else if !team.CanSeeFlag(flag) {
+ log.Println("[!!!] The team asks to display choices whereas it doesn't have access to the flag")
+ } else if exercice, err := flag.GetExercice(); err != nil {
+ log.Println("[ERR] Unable to retrieve the flag's underlying exercice:", err)
+ } else if !team.HasAccess(exercice) {
+ log.Println("[!!!] The team asks to display choices whereas it doesn't have access to the exercice")
 } else if err = team.DisplayChoices(flag); err != nil {
 log.Println("[ERR]", err)
 } else {
diff --git a/backend/hint.go b/backend/hint.go
index 7430edb0..cf33356f 100644
--- a/backend/hint.go
+++ b/backend/hint.go
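Review bot: The three new `[!!!]` log lines in treatWantChoices record a suspected authorization bypass attempt but name neither the team nor the flag, so an operator reading the log cannot tell which team sent the request; `team.Id` and `flag.Id` are both available at that point (the libfic/flag_key.go hunk of this same patch uses `t.Id` and `k.Id`). I would write `log.Println("[!!!] Team", team.Id, "asks to display choices for flag", flag.Id, "without access to the flag")` and do the same for the exercice branch. Note also that the rejected branches leave `pathname` untouched in this hunk, unlike the invalid-content branch just above which calls `os.Remove(pathname)`; if nothing outside the hunk removes the file, a rejected request would presumably be re-processed on every pass, which is worth confirming. treatWantChoices continues outside the hunk on both ends.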
@@ -25,14 +25,16 @@ func treatOpeningHint(pathname string, team fic.Team) {
 log.Println("[WRN] Invalid content in hint file: ", pathname)
 os.Remove(pathname)
 } else if hint, err := fic.GetHint(ask.HintId); err != nil {
- log.Println("[ERR]", err)
+ log.Println("[ERR] Unable to retrieve the given hint:", err)
+ } else if exercice, err := hint.GetExercice(); err != nil {
+ log.Println("[ERR] Unable to retrieve the hint's underlying exercice:", err)
+ } else if !team.HasAccess(exercice) {
+ log.Println("[!!!] The team asks to open an hint whereas it doesn't have access to the exercice")
 } else if err = team.OpenHint(hint); err != nil {
- log.Println("[ERR]", err)
+ log.Println("[ERR] Unable to open hint", err)
 } else {
 // Write event
- if exercice, err := hint.GetExercice(); err != nil {
- log.Println("[WRN]", err)
- } else if lvl, err := exercice.GetLevel(); err != nil {
+ if lvl, err := exercice.GetLevel(); err != nil {
 log.Println("[WRN]", err)
 } else if theme, err := fic.GetTheme(exercice.IdTheme); err != nil {
 log.Println("[WRN]", err)
diff --git a/backend/submission.go b/backend/submission.go
index 14c6cecb..6486f8a3 100644
--- a/backend/submission.go
+++ b/backend/submission.go
@@ -43,6 +43,12 @@ func treatSubmission(pathname string, team fic.Team, exercice_id string) {
 return
 }
 
+ // Check the team can access this exercice
+ if !team.HasAccess(exercice) {
+ log.Println("[!!!] The team submits something for an exercice it doesn't have access yet")
+ return
+ }
+
 // Find the corresponding theme
 theme, err := fic.GetTheme(exercice.IdTheme)
 if err != nil {
diff --git a/libfic/flag_key.go b/libfic/flag_key.go
index 065cb89f..30e6e130 100644
--- a/libfic/flag_key.go
+++ b/libfic/flag_key.go
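Review bot: The new message `log.Println("[ERR] Unable to open hint", err)` drops the trailing colon that the two new messages just above it use (`"... underlying exercice:", err`), so the error text is glued to the sentence with only a space; for consistency I would write `log.Println("[ERR] Unable to open hint:", err)`. The `[!!!]` line should also read `a hint` rather than `an hint` and, since it is the audit record of a denied action, identify the actors, e.g. `log.Println("[!!!] Team", team.Id, "asks to open hint", hint.Id, "without access to its exercice")`, assuming Hint exposes an `Id` field like FlagKey does (not visible here, confirm). The refactor that reuses `exercice` from the if-initializer inside the final else branch is valid Go scoping and looks correct. treatOpeningHint continues outside the hunk on both ends.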
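Review bot: The new guard in treatSubmission rejects the submission with a log line that names neither the team nor the exercice, which is exactly the context an operator needs when a `[!!!]` entry appears; `team.Id` and the `exercice_id` parameter are both in scope, so I would write `log.Println("[!!!] Team", team.Id, "submits something for exercice", exercice_id, "it doesn't have access to yet")`. The check is correctly placed after the exercice lookup and before any theme or flag processing, and it returns without touching `pathname`; whether the rejected file is removed by the caller is not visible in this hunk, so a rejected submission may presumably be picked up again on the next pass, which is worth confirming. treatSubmission continues outside the hunk on both ends.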
@@ -266,3 +266,13 @@ func (k FlagKey) Check(v interface{}) int {
 func (k FlagKey) FoundBy(t Team) {
 DBExec("INSERT INTO flag_found (id_flag, id_team, time) VALUES (?, ?, ?)", k.Id, t.Id, time.Now())
 }
+
+ // GetExercice returns the parent Exercice where this flag can be found.
+ func (k FlagKey) GetExercice() (Exercice, error) {
+ var eid int64
+ if err := DBQueryRow("SELECT id_exercice FROM exercice_flags WHERE id_flag = ?", k.Id).Scan(&eid); err != nil {
+ return Exercice{}, err
+ }
+
+ return GetExercice(eid)
+ }
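Review bot: GetExercice now feeds the access check in backend/choices.go, but it resolves the flag's parent with an unconstrained `SELECT id_exercice FROM exercice_flags WHERE id_flag = ?` through QueryRow, which silently takes whichever row the database returns first; if the link table can hold the same flag under several exercices (the table name suggests a many-to-many link, confirm against the schema), the authorization decision would be made against an arbitrary one of them. If uniqueness is guaranteed, state it in the doc comment: `// GetExercice returns the parent Exercice where this flag can be found. It assumes a flag is linked to exactly one exercice in exercice_flags.`; otherwise the caller needs to verify access against every linked exercice. A flag with no row yields the driver's no-rows error, which the callers in this patch report as a generic `[ERR]` rather than a denial; that is acceptable but worth a sentence in the same comment.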