tdpeuter/2025SELab2-project-Dwengo
tdpeuter/2025SELab2-project-Dwengo
1
Fork 0
Code Issues Releases 4 Packages 2 Wiki Activity

Merge pull request #284 from SELab-2/fix/submission-authorization

Browse source 
fix: authorizatie in submissions gefixt
This commit is contained in:
Adriaan J. 2025-05-18 16:50:35 +02:00 committed by GitHub
commit 390d198653
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 24 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

17
backend/src/middleware/auth/checks/submission-checks.ts
View file

@ -7,6 +7,9 @@ import { authorize } from './auth-checks.js';
import { FALLBACK_LANG } from '../../../config.js';
import { mapToUsername } from '../../../interfaces/user.js';
import { AccountType } from '@dwengo-1/common/util/account-types';
import { fetchClass } from '../../../services/classes.js';
import { fetchGroup } from '../../../services/groups.js';
import { requireFields } from '../../../controllers/error-helper.js';
export const onlyAllowSubmitter = authorize(
(auth: AuthenticationInfo, req: AuthenticatedRequest) => (req.body as { submitter: string }).submitter === auth.username
@ -26,3 +29,17 @@ export const onlyAllowIfHasAccessToSubmission = authorize(async (auth: Authentic
return submission.onBehalfOf.members.map(mapToUsername).includes(auth.username);
});
export const onlyAllowIfHasAccessToSubmissionFromParams = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
const { classId, assignmentId, groupId } = req.query;
requireFields({ classId, assignmentId, groupId });
if (auth.accountType === AccountType.Teacher) {
const cls = await fetchClass(classId as string);
return cls.teachers.map(mapToUsername).includes(auth.username);
}
const group = await fetchGroup(classId as string, Number(assignmentId as string), Number(groupId as string));
return group.members.map(mapToUsername).includes(auth.username);
});

10
backend/src/routes/submissions.ts
View file

@ -1,10 +1,14 @@
import express from 'express';
import { createSubmissionHandler, deleteSubmissionHandler, getSubmissionHandler, getSubmissionsHandler } from '../controllers/submissions.js';
import { onlyAllowIfHasAccessToSubmission, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
import {
onlyAllowIfHasAccessToSubmission,
onlyAllowIfHasAccessToSubmissionFromParams,
onlyAllowSubmitter,
} from '../middleware/auth/checks/submission-checks.js';
import { studentsOnly } from '../middleware/auth/checks/auth-checks.js';
const router = express.Router({ mergeParams: true });
router.get('/', adminOnly, getSubmissionsHandler);
router.get('/', onlyAllowIfHasAccessToSubmissionFromParams, getSubmissionsHandler);
router.post('/', studentsOnly, onlyAllowSubmitter, createSubmissionHandler);