
Commit c502781

Fix issue where unregistered members could submit for a challenge
1 parent fbdd04f commit c502781

1 file changed

+35
-14
lines changed

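--- a/src/common/helper.js
+++ b/src/common/helper.js
@@ -367,30 +367,49 @@ function * getSubmissionPhaseId (challengeId) {
 * @returns {Promise}
 */
 function * checkCreateAccess (authUser, subEntity) {
-let response
+let challengeDetails
+let resources
 
 // User can only create submission for themselves
 if (authUser.userId !== subEntity.memberId) {
 throw new errors.HttpStatusError(403, 'You are not allowed to submit on behalf of others')
 }
 
+const token = yield getM2Mtoken()
+
 try {
-const token = yield getM2Mtoken()
 logger.info(`Calling to challenge API for fetch phases and winners for ${subEntity.challengeId}`)
-response = yield request.get(`${config.CHALLENGEAPI_URL}?filter=id=${subEntity.challengeId}`)
+challengeDetails = yield request.get(`${config.CHALLENGEAPI_URL}?filter=id=${subEntity.challengeId}`)
 .set('Authorization', `Bearer ${token}`)
 .set('Content-Type', 'application/json')
-logger.info(`returned for ${subEntity.challengeId} with ${JSON.stringify(response)}`)
+logger.info(`returned for ${subEntity.challengeId} with ${JSON.stringify(challengeDetails)}`)
 } catch (ex) {
 logger.error(`Error while accessing ${config.CHALLENGEAPI_URL}?filter=id=${subEntity.challengeId}`)
 logger.error(ex)
-return false
+throw new errors.HttpStatusError(503, `Could not fetch details of challenge with id ${subEntity.challengeId}`)
 }
 
-if (response) {
-// Get phases and winner detail from response
-const phases = response.body.result.content[0].allPhases
-const winner = response.body.result.content[0].winners
+try {
+resources = yield request.get(`${config.CHALLENGEAPI_URL}/${subEntity.challengeId}/resources`)
+.set('Authorization', `Bearer ${token}`)
+.set('Content-Type', 'application/json')
+} catch (ex) {
+logger.error(`Error while accessing ${config.CHALLENGEAPI_URL}/${subEntity.challengeId}/resources`)
+logger.error(ex)
+throw new errors.HttpStatusError(503, `Could not determine the user's role in the challenge with id ${subEntity.challengeId}`)
+}
+
+if (resources && challengeDetails) {
+const currUserRoles = _.filter(resources.body.result.content, { properties: { Handle: authUser.handle } })
+// Get phases and winner detail from challengeDetails
+const phases = challengeDetails.body.result.content[0].allPhases
+const winner = challengeDetails.body.result.content[0].winners
+
+// Check if the User is registered for the contest
+const submitters = _.filter(currUserRoles, { role: 'Submitter' })
+if (submitters.length === 0) {
+throw new errors.HttpStatusError(403, `Register for the contest before you can submit`)
+}
 
 const submissionPhaseId = yield getSubmissionPhaseId(subEntity.challengeId)
 
@@ -405,9 +424,11 @@ function * checkCreateAccess (authUser, subEntity) {
 throw new errors.HttpStatusError(403, 'Only winner is allowed to submit during Final Fix phase')
 }
 }
+} else {
+// We don't have enough details to validate the access
+logger.debug('No enough details to validate the Permissions')
+throw new errors.HttpStatusError(503, `Not all information could be fetched about challenge with id ${subEntity.challengeId}`)
 }
-
-return true
 }
 
 /*
@@ -433,7 +454,7 @@ function * checkGetAccess (authUser, submission) {
 } catch (ex) {
 logger.error(`Error while accessing ${config.CHALLENGEAPI_URL}/${submission.challengeId}/resources`)
 logger.error(ex)
-return false
+throw new errors.HttpStatusError(503, `Could not determine the user's role in the challenge with id ${submission.challengeId}`)
 }
 
 try {
@@ -443,7 +464,7 @@ function * checkGetAccess (authUser, submission) {
 } catch (ex) {
 logger.error(`Error while accessing ${config.CHALLENGEAPI_URL}?filter=id=${submission.challengeId}`)
 logger.error(ex)
-return false
+throw new errors.HttpStatusError(503, `Could not fetch details of challenge with id ${submission.challengeId}`)
 }
 
 if (resources && challengeDetails) {
@@ -509,7 +530,7 @@ function * checkGetAccess (authUser, submission) {
 } else {
 // We don't have enough details to validate the access
 logger.debug('No enough details to validate the Permissions')
-return true
+throw new errors.HttpStatusError(503, `Not all information could be fetched about challenge with id ${submission.challengeId}`)
 }
 }
 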
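Review bot: In the first hunk of checkCreateAccess, `challengeDetails.body.result.content[0].allPhases` is read before the registration check, so a filter query that returns no rows (an unknown or mistyped challenge id) throws a TypeError on `undefined.allPhases` instead of a clean HttpStatusError; guard it first with `const challenge = challengeDetails.body.result.content[0]` and `if (!challenge) throw new errors.HttpStatusError(404, \`Challenge with id ${subEntity.challengeId} not found\`)`, then read `phases` and `winner` from `challenge`. The new resources URL interpolates `subEntity.challengeId` straight into the path; unless the route schema already constrains it to a number, `encodeURIComponent(subEntity.challengeId)` keeps a non-numeric value from changing which challenge-API path the M2M token is sent to. Dropping `return true` also means a successful check now resolves to `undefined`, which only matters if some caller still branches on the result rather than relying on the thrown errors, so that is worth confirming. The body of checkCreateAccess between the first two hunks is outside this diff, and checkGetAccess's final return (if any) is not visible here.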