fix: authorizatie in submissions gefixt

2025-05-18 10:33:13 +02:00 · 2025-05-18 10:33:13 +02:00 · 6d62d8f586
commit 6d62d8f586
parent 57ddc3d608
2 changed files with 19 additions and 2 deletions
--- a/backend/src/middleware/auth/checks/submission-checks.ts
+++ b/backend/src/middleware/auth/checks/submission-checks.ts
@ -7,6 +7,9 @@ import { authorize } from './auth-checks.js';
 import { FALLBACK_LANG } from '../../../config.js';
 import { mapToUsername } from '../../../interfaces/user.js';
 import { AccountType } from '@dwengo-1/common/util/account-types';
 import { fetchClass } from '../../../services/classes.js';
 import { fetchGroup } from '../../../services/groups.js';
 import { requireFields } from '../../../controllers/error-helper.js';
 export const onlyAllowSubmitter = authorize(
    (auth: AuthenticationInfo, req: AuthenticatedRequest) => (req.body as { submitter: string }).submitter === auth.username
@ -26,3 +29,17 @@ export const onlyAllowIfHasAccessToSubmission = authorize(async (auth: Authentic
    return submission.onBehalfOf.members.map(mapToUsername).includes(auth.username);
 });
 export const onlyAllowIfHasAccessToSubmissionFromParams = authorize(async (auth: AuthenticationInfo, req: AuthenticatedRequest) => {
    const { classId, assignmentId, groupId } = req.params;
    requireFields({ classId, assignmentId, groupId });
    if (auth.accountType === AccountType.Teacher) {
        const cls = await fetchClass(classId);
        return cls.teachers.map(mapToUsername).includes(auth.username);
    }
    const group = await fetchGroup(classId, +assignmentId, +groupId);
    return group.members.map(mapToUsername).includes(auth.username);
 });
--- a/backend/src/routes/submissions.ts
+++ b/backend/src/routes/submissions.ts
@ -1,10 +1,10 @@
 import express from 'express';
 import { createSubmissionHandler, deleteSubmissionHandler, getSubmissionHandler, getSubmissionsHandler } from '../controllers/submissions.js';
-import { onlyAllowIfHasAccessToSubmission, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
+import { onlyAllowIfHasAccessToSubmission, onlyAllowIfHasAccessToSubmissionFromParams, onlyAllowSubmitter } from '../middleware/auth/checks/submission-checks.js';
 import { adminOnly, studentsOnly } from '../middleware/auth/checks/auth-checks.js';
 const router = express.Router({ mergeParams: true });
-router.get('/', adminOnly, getSubmissionsHandler);
+router.get('/', onlyAllowIfHasAccessToSubmissionFromParams, getSubmissionsHandler);
 router.post('/', studentsOnly, onlyAllowSubmitter, createSubmissionHandler);