Refactor permissions checks to avoid questions/works leaks between promotions/groups/start-availability

Thanks-To François Dautrême <francois.dautreme@epita.fr>
2022-11-19 11:41:35 +01:00 · 2022-11-19 11:41:35 +01:00 · f675047ce8
commit f675047ce8
parent bf5b0e88dd
3 changed files with 57 additions and 53 deletions
--- a/questions.go
+++ b/questions.go
@ -39,7 +39,7 @@ func declareAPIAuthQuestionsRoutes(router *gin.RouterGroup) {
 				c.JSON(http.StatusOK, questions)
 			}
 		} else {
-			if (!s.Shown || s.Direct != nil) && !u.IsAdmin {
+			if s.Direct != nil && !u.IsAdmin {
 				c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible"})
 				return
 			}
@ -62,24 +62,7 @@ func declareAPIAuthQuestionsRoutes(router *gin.RouterGroup) {
 	questionsRoutes.Use(questionHandler)

 	questionsRoutes.GET("", func(c *gin.Context) {
-		q := c.MustGet("question").(*Question)
-		u := c.MustGet("LoggedUser").(*User)
-
-		if !u.IsAdmin {
-			s, err := getSurvey(int(q.IdSurvey))
-			if err != nil {
-				log.Println("Unable to getSurvey:", err)
-				c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during survey retrieval. Please try again later."})
-				return
-			}
-
-			if !s.Shown || (s.Direct != nil && *s.Direct != q.Id) {
-				c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not authorized"})
-				return
-			}
-		}
-
-		c.JSON(http.StatusOK, q)
+		c.JSON(http.StatusOK, c.MustGet("question").(*Question))
 	})

 	declareAPIAuthProposalsRoutes(questionsRoutes)
@ -171,6 +154,8 @@ func declareAPIAdminUserQuestionsRoutes(router *gin.RouterGroup) {
 }

 func questionHandler(c *gin.Context) {
+	u := c.MustGet("LoggedUser").(*User)
+
 	var survey *Survey
 	if s, ok := c.Get("survey"); ok {
 		survey = s.(*Survey)
@ -190,6 +175,15 @@ func questionHandler(c *gin.Context) {
 			c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"})
 			return
 		}
+
+		s, err := getSurvey(int(question.IdSurvey))
+		if err != nil {
+			log.Println("Unable to getSurvey:", err)
+			c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during survey retrieval. Please try again later."})
+			return
+		}
+
+		survey = s
 	} else {
 		question, err = survey.GetQuestion(qid)
 		if err != nil {
@ -198,6 +192,15 @@ func questionHandler(c *gin.Context) {
 		}
 	}

+	if !u.IsAdmin && (!survey.checkUserAccessToSurvey(u) || (survey.Direct != nil && *survey.Direct != question.Id)) {
+		c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not authorized"})
+		return
+	}
+	if !u.IsAdmin && survey.StartAvailability.After(time.Now()) {
+		c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible yet"})
+		return
+	}
+
 	c.Set("question", question)

 	c.Next()
--- a/surveys.go
+++ b/surveys.go
@ -62,19 +62,14 @@ func declareAPISurveysRoutes(router *gin.RouterGroup) {
 			return
 		}

-		s := c.MustGet("survey").(*Survey)
-
-		if (s.Promo == u.Promo && (s.Group == "" || strings.Contains(u.Groups, ","+s.Group+",") && s.Shown)) || u.IsAdmin {
-			c.JSON(http.StatusOK, s)
-		} else {
-			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible"})
-		}
+		c.JSON(http.StatusOK, c.MustGet("survey").(*Survey))
 	})
 }

 func declareAPIAuthSurveysRoutes(router *gin.RouterGroup) {
 	surveysRoutes := router.Group("/surveys/:sid")
 	surveysRoutes.Use(surveyHandler)
+	surveysRoutes.Use(surveyUserAccessHandler)

 	surveysRoutes.GET("/score", func(c *gin.Context) {
 		loggedUser := c.MustGet("LoggedUser").(*User)
@ -219,18 +214,20 @@ func surveyHandler(c *gin.Context) {
 	}
 }

+func (s *Survey) checkUserAccessToSurvey(u *User) bool {
+	return u.IsAdmin || (u.Promo == s.Promo && s.Shown && (s.Group == "" || strings.Contains(u.Groups, ","+s.Group+",")))
+}
+
 func surveyUserAccessHandler(c *gin.Context) {
 	u := c.MustGet("LoggedUser").(*User)
-	w := c.MustGet("survey").(*Survey)
+	s := c.MustGet("survey").(*Survey)

-	if u.IsAdmin {
-		c.Next()
-	} else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
-		c.Next()
-	} else {
+	if !s.checkUserAccessToSurvey(u) {
 		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Survey not found."})
 		return
 	}
+
+	c.Next()
 }

 type Survey struct {
--- a/works.go
+++ b/works.go
@ -43,7 +43,11 @@ func declareAPIWorksRoutes(router *gin.RouterGroup) {
 		} else {
 			for _, w := range works {
 				if w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",") {
+					// Remove informations not needed on front page for students
+					w.Promo = 0
 					w.Group = ""
+					w.DescriptionRaw = ""
+
 					response = append(response, w)
 				}
 			}
@ -79,7 +83,10 @@ func declareAPIWorksRoutes(router *gin.RouterGroup) {
 		} else {
 			for _, w := range works {
 				if w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",") {
+					// Remove informations not needed on front page for students
+					w.Promo = 0
 					w.Group = ""
+
 					response = append(response, w)
 				}
 			}
@ -193,16 +200,7 @@ func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
 	worksRoutes.Use(workUserAccessHandler)

 	worksRoutes.GET("", func(c *gin.Context) {
-		u := c.MustGet("LoggedUser").(*User)
-		w := c.MustGet("work").(*Work)
-
-		if u.IsAdmin {
-			c.JSON(http.StatusOK, w)
-		} else if w.Shown && w.StartAvailability.Before(time.Now()) && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
-			c.JSON(http.StatusOK, w)
-		} else {
-			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Permission denied"})
-		}
+		c.JSON(http.StatusOK, c.MustGet("work").(*Work))
 	})

 	// Grades related to works
@ -239,18 +237,24 @@ func workHandler(c *gin.Context) {
 	}
 }

+func (w *Work) checkUserAccessToWork(u *User) bool {
+	return u.IsAdmin || (u.Promo == w.Promo && w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")))
+}
+
 func workUserAccessHandler(c *gin.Context) {
 	u := c.MustGet("LoggedUser").(*User)
 	w := c.MustGet("work").(*Work)

-	if u.IsAdmin {
-		c.Next()
-	} else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
-		c.Next()
-	} else {
+	if !w.checkUserAccessToWork(u) {
 		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."})
 		return
 	}
+	if !u.IsAdmin && w.StartAvailability.After(time.Now()) {
+		c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible yet"})
+		return
+	}
+
+	c.Next()
 }

 type OneWork struct {
@ -291,14 +295,14 @@ func allWorks(cnd string, param ...interface{}) (items []*OneWork, err error) {
 type Work struct {
 	Id                int64     `json:"id"`
 	Title             string    `json:"title"`
-	Promo             uint      `json:"promo"`
-	Group             string    `json:"group"`
+	Promo             uint      `json:"promo,omitempty"`
+	Group             string    `json:"group,omitempty"`
 	Shown             bool      `json:"shown"`
-	Description       string    `json:"description"`
+	Description       string    `json:"description,omitempty"`
 	DescriptionRaw    string    `json:"descr_raw,omitempty"`
-	Tag               string    `json:"tag"`
-	SubmissionURL     *string   `json:"submission_url"`
-	Corrected         bool      `json:"corrected"`
+	Tag               string    `json:"tag,omitempty"`
+	SubmissionURL     *string   `json:"submission_url,omitempty"`
+	Corrected         bool      `json:"corrected,omitempty"`
 	StartAvailability time.Time `json:"start_availability"`
 	EndAvailability   time.Time `json:"end_availability"`
 }