From 6d62d8f58638ec2630021440abb6bf0b6b300ea9 Mon Sep 17 00:00:00 2001
From: Adriaan Jacquet
Date: Sun, 18 May 2025 10:33:13 +0200
Subject: [PATCH] fix: authorizatie in submissions gefixt

---
 .../middleware/auth/checks/submission-checks.ts | 17 +++++++++++++++++
 backend/src/routes/submissions.ts | 4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/backend/src/middleware/auth/checks/submission-checks.ts b/backend/src/middleware/auth/checks/submission-checks.ts
index 893371c2..bb0ad021 100644
--- a/backend/src/middleware/auth/checks/submission-checks.ts
+++ b/backend/src/middleware/auth/checks/submission-checks.ts
@@ -7,6 +7,9 @@ import { authorize } from './auth-checks.js';
 import { FALLBACK_LANG } from '../../../config.js';
 import { mapToUsername } from '../../../interfaces/user.js';
 import { AccountType } from '@dwengo-1/common/util/account-types';
+import { fetchClass } from '../../../services/classes.js';
+import { fetchGroup } from '../../../services/groups.js';
+import { requireFields } from '../../../controllers/error-helper.js';
 export const onlyAllowSubmitter = authorize(
 (auth: AuthenticationInfo, req: AuthenticatedRequest) => (req.body as { submitter: string }).submitter === auth.username
@@ -26,3 +29,17 @@ export const onlyAllowIfHasAccessToSubmission = authorize(async (auth: Authentic
 return submission.onBehalfOf.members.map(mapToUsername).includes(auth.username);
 });
+
+export const onlyAllowIfHasAccessToSubmissionFromParams = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
+ const { classId, assignmentId, groupId } = req.params;
+
+ requireFields({ classId, assignmentId, groupId });
+
+ if (auth.accountType === AccountType.Teacher) {
+ const cls = await fetchClass(classId);
+ return cls.teachers.map(mapToUsername).includes(auth.username);
+ }
+
+ const group = await fetchGroup(classId, +assignmentId, +groupId);
+ return group.members.map(mapToUsername).includes(auth.username);
+});
\ No newline at end of file
diff --git a/backend/src/routes/submissions.ts b/backend/src/routes/submissions.ts
index 88309ce8..7dfa80f3 100644
--- a/backend/src/routes/submissions.ts
+++ b/backend/src/routes/submissions.ts
@@ -1,10 +1,10 @@
 import express from 'express';
 import { createSubmissionHandler, deleteSubmissionHandler, getSubmissionHandler, getSubmissionsHandler } from '../controllers/submissions.js';
-import { onlyAllowIfHasAccessToSubmission, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
+import { onlyAllowIfHasAccessToSubmission, onlyAllowIfHasAccessToSubmissionFromParams, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
 import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
 const router = express.Router({ mergeParams: true });
-router.get('/', adminOnly, getSubmissionsHandler);
+router.get('/', onlyAllowIfHasAccessToSubmissionFromParams, getSubmissionsHandler);
 router.post('/', studentsOnly, onlyAllowSubmitter, createSubmissionHandler);
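Review bot: `+assignmentId` and `+groupId` in onlyAllowIfHasAccessToSubmissionFromParams coerce any non-numeric path segment to NaN before it reaches `fetchGroup`, so what happens for a malformed id is decided by the service layer's handling of NaN rather than by an explicit rejection here; `requireFields` presumably checks presence only, not format. Parse once and fail closed before the `fetchGroup` call: `const assignmentNo = Number(assignmentId), groupNo = Number(groupId);` / `if (!Number.isInteger(assignmentNo) || !Number.isInteger(groupNo)) return false;` (or reject through the error helper's bad-request path if it has one), then pass `assignmentNo, groupNo`. The branch on `AccountType.Teacher` also sends every other account type down the group-membership path; if AccountType has an admin role (the routes file still imports `adminOnly`), admins now lose the listing the old `adminOnly` guard gave them unless they happen to be group members, which may or may not be intended. The file also ends without a trailing newline after the new `});`.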
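Review bot: The new guard on `router.get('/')` authorizes a teacher against `classId` only, so the listing stays correctly scoped only if getSubmissionsHandler resolves the group through all three merged params (`classId`, `assignmentId`, `groupId`) rather than by group id alone; that handler is not in this diff, so it is worth confirming. If it looked the group up by id only, a teacher of one class could be served another class's group by editing the path, and the check here would not catch it. `adminOnly` is still imported on the unchanged line above; if none of the routes further down this file (outside the hunk) use it any more, drop it from the import so the removed guard is not left lying around.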