From d787d1c3507bf6c6fc2ecfffe7cde2e64ec5e789 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Wed, 7 Sep 2022 21:33:54 +0200
Subject: [PATCH 1/3] Harden works and surveys routes
---
 surveys.go | 15 +++++++++++++++
 works.go | 19 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/surveys.go b/surveys.go
index 63e514f..d5091f5 100644
--- a/surveys.go
+++ b/surveys.go
@@ -52,6 +52,7 @@ func declareAPISurveysRoutes(router *gin.RouterGroup) {
 surveysRoutes := router.Group("/surveys/:sid")
 surveysRoutes.Use(surveyHandler)
+ surveysRoutes.Use(surveyUserAccessHandler)
 surveysRoutes.GET("", func(c *gin.Context) {
 u := c.MustGet("LoggedUser").(*User)
@@ -198,6 +199,20 @@ func surveyHandler(c *gin.Context) {
 }
 }
+func surveyUserAccessHandler(c *gin.Context) {
+ u := c.MustGet("LoggedUser").(*User)
+ w := c.MustGet("survey").(*Survey)
+
+ if u.IsAdmin {
+ c.Next()
+ } else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
+ c.Next()
+ } else {
+ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Survey not found."})
+ return
+ }
+}
+
 type Survey struct {
 Id int64 `json:"id"`
 Title string `json:"title"`
diff --git a/works.go b/works.go
index f318741..248e35c 100644
--- a/works.go
+++ b/works.go
@@ -190,6 +190,7 @@ func declareAPIAdminWorksRoutes(router *gin.RouterGroup) {
 func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
 worksRoutes := router.Group("/works/:wid")
 worksRoutes.Use(workHandler)
+ worksRoutes.Use(workUserAccessHandler)
 worksRoutes.GET("", func(c *gin.Context) {
 u := c.MustGet("LoggedUser").(*User)
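Review bot: The membership test in surveyUserAccessHandler, `strings.Contains(u.Groups, ","+w.Group+",")`, only matches when `u.Groups` is stored with a leading and a trailing comma (",a,b,"); if it is a plain "a,b", the first and last groups never match and those users get a 404 on surveys they are entitled to see. I cannot see how Groups is populated from here, so this needs confirming against the User loader, and the invariant should be stated next to the check: `// u.Groups is expected to be ",g1,g2,": the surrounding commas make the Contains test exact.`. The two other decisions in this handler also deserve a one-line comment each, since they are security-relevant: `// empty Group means the survey is open to every authenticated user` and `// 404 rather than 403 so hidden or out-of-group surveys cannot be enumerated`. The explicit `c.Next()` calls are not required in a gin middleware that simply returns, but they are harmless.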
@@ -209,7 +210,9 @@ func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
 u := c.MustGet("LoggedUser").(*User)
 w := c.MustGet("work").(*Work)
- if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) {
+ if !u.IsAdmin && !w.Corrected {
+ c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Permission denied"})
+ } else if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) {
 c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Aucune note n'a été attribuée pour ce travail. Avez-vous rendu ce travail ?"})
 } else if err != nil {
 log.Printf("Unable to GetMyWorkGrade(uid=%d;wid=%d): %s", u.Id, w.Id, err.Error())
@@ -236,6 +239,20 @@ func workHandler(c *gin.Context) {
 }
 }
+func workUserAccessHandler(c *gin.Context) {
+ u := c.MustGet("LoggedUser").(*User)
+ w := c.MustGet("work").(*Work)
+
+ if u.IsAdmin {
+ c.Next()
+ } else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
+ c.Next()
+ } else {
+ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."})
+ return
+ }
+}
+
 type OneWork struct {
 Kind string `json:"kind"`
 Id int64 `json:"id"`
From b119fe5da460d687029706a3f20bc4b6e04380cb Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Wed, 7 Sep 2022 21:36:40 +0200
Subject: [PATCH 2/3] Disable button if no repo selected
---
 ui/src/components/WorkRepository.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/src/components/WorkRepository.svelte b/ui/src/components/WorkRepository.svelte
index 682f3a6..859721c 100644
--- a/ui/src/components/WorkRepository.svelte
+++ b/ui/src/components/WorkRepository.svelte
@@ -175,7 +175,7 @@
From 87d60c5fd503852b7702338047991410bbcfd04c Mon Sep 17 00:00:00 2001
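Review bot: The new 403 branch in the grade route has no comment explaining the gate, and its message "Permission denied" is in English while the sibling message two lines below, on the same if/else chain, is in French for the same end user. Presumably `w.Corrected` is the flag that grading for this work has been finalised, and the intent is to withhold partial grades from students; that is worth stating so the next reader does not loosen it: `// Students may only read their grade once the work is marked corrected; admins can always read it.`. The user-facing string should also be brought in line with the rest of the chain, e.g. `gin.H{"errmsg": "Les notes de ce travail ne sont pas encore publiées."}`, if French is the convention for this API. The enclosing handler closure starts and ends outside this hunk.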
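Review bot: workUserAccessHandler duplicates surveyUserAccessHandler from the same commit line for line, including the admin bypass and the `","+w.Group+","` membership test, so the two authorization checks will drift the first time one of them is fixed. I would move the decision into one helper on User and have both middlewares call it, which also gives the group-format assumption a single documented home. The test still depends on `u.Groups` carrying leading and trailing commas, which I cannot confirm from this diff. Below is the helper and the rewritten handler; surveyUserAccessHandler would call the same helper with the Survey's fields.
```go
// canAccess reports whether u may see a resource restricted to group.
// An empty group means every authenticated user; admins bypass the
// check entirely. Assumes u.Groups is stored as ",g1,g2," — the
// surrounding commas are what make the Contains test exact.
func (u *User) canAccess(shown bool, group string) bool {
	if u.IsAdmin {
		return true
	}
	return shown && (group == "" || strings.Contains(u.Groups, ","+group+","))
}

func workUserAccessHandler(c *gin.Context) {
	u := c.MustGet("LoggedUser").(*User)
	w := c.MustGet("work").(*Work)

	if !u.canAccess(w.Shown, w.Group) {
		// 404 rather than 403 so hidden or out-of-group works cannot be enumerated.
		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."})
	}
}
```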
From: Pierre-Olivier Mercier
Date: Wed, 7 Sep 2022 21:41:20 +0200
Subject: [PATCH 3/3] Try to clarify webhook usage
---
 ui/src/components/WorkRepository.svelte | 13 ++++++++-----
 ui/src/routes/works/[wid]/index.svelte | 3 +--
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/ui/src/components/WorkRepository.svelte b/ui/src/components/WorkRepository.svelte
index 859721c..d376fd8 100644
--- a/ui/src/components/WorkRepository.svelte
+++ b/ui/src/components/WorkRepository.svelte
@@ -82,17 +82,20 @@ {#each repos as repo (repo.id)}
-
+
- -
+ +
+

+ Vous pouvez ajouter un webhook sur les Tag push events afin d'automatiser la récupération de votre travail. Dans les paramètres de votre dépôt sur GitLab, faite pointer un webhook sur https://lessons.nemunai.re/api/callbacks/trigger.json avec le secret ci-dessous. +

- -
+ +