Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Require valid token to view series activities #5249

Merged
merged 4 commits into from
Dec 20, 2023
Merged

Require valid token to view series activities #5249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8d3fcc9
Require valid token to view series activities
jorg-vr Dec 20, 2023
e2eed7c
Add tests
jorg-vr Dec 20, 2023
cf6f391
Fix linting
jorg-vr Dec 20, 2023
6487fc5
Apply feedback
jorg-vr Dec 20, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions app/controllers/activities_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,8 @@ def index
@activities = if params[:series_id]
@series = Series.find(params[:series_id])
authorize @series, :show?
raise Pundit::NotAuthorizedError unless policy(@series).valid_token?(params[:token])

policy(@series).overview? ? @series.activities : []
else
policy_scope(Activity).order_by_popularity(:DESC)
Expand Down
4 changes: 1 addition & 3 deletions app/controllers/series_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,9 +283,7 @@ def set_series
end

def check_token
raise Pundit::NotAuthorizedError if @series.hidden? &&
!current_user&.course_admin?(@series.course) &&
@series.access_token != params[:token]
raise Pundit::NotAuthorizedError unless policy(@series).valid_token?(params[:token])
end

def send_zip(zip)
Expand Down
5 changes: 5 additions & 0 deletions app/policies/series_policy.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,11 @@ def show_progress?
record.instance_of?(Series) && (record.progress_enabled || course_admin?)
end

def valid_token?(token)
!record.hidden? || user&.course_admin?(record.course) ||
record.access_token == token
end

private

def course_member?
Expand Down
42 changes: 42 additions & 0 deletions test/controllers/activities_controller_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -988,4 +988,46 @@ class ExerciseDescriptionTest < ActionDispatch::IntegrationTest

assert_equal [other_exercise.id, exercise.id], activities_json.pluck('id')
end

test 'activities for hidden series should only be shown with token' do
course = courses(:course1)
exercise = exercises(:python_exercise)
other_exercise = create :exercise
series = create :series, course: course, exercises: [exercise, other_exercise], visibility: :hidden

sign_in users(:student)

get series_activities_url(series, format: :json)

# should return 403
assert_response :forbidden

get series_activities_url(series, format: :json, token: series.access_token)

assert_response :success
activities_json = response.parsed_body

assert_equal [exercise.id, other_exercise.id], activities_json.pluck('id')
end

test 'admin should be able to see hidden series' do
course = courses(:course1)
exercise = exercises(:python_exercise)
other_exercise = create :exercise
series = create :series, course: course, exercises: [exercise, other_exercise], visibility: :hidden

sign_in users(:staff)

get series_activities_url(series, format: :json)

assert_response :forbidden

course.administrating_members << users(:staff)
get series_activities_url(series, format: :json)

assert_response :success
activities_json = response.parsed_body

assert_equal [exercise.id, other_exercise.id], activities_json.pluck('id')
end
end