QingdaoU/OnlineJudge
1
0
Fork 0
mirror of https://github.com/QingdaoU/OnlineJudge.git synced 2024-12-29 00:22:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #155 from QingdaoU/bugfix/fix_permission_check

Browse Source 
Bugfix/fix permission check
This commit is contained in:
zema1 2018-07-02 15:48:56 +08:00 committed by GitHub
commit 10db3232a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
account/decorators.py
View File

@ -79,14 +79,15 @@ def check_contest_permission(check_type="details"):
except Contest.DoesNotExist:
return self.error("Contest %s doesn't exist" % contest_id)
# Anonymous
if not user.is_authenticated():
return self.error("Please login first.")
# creator or owner
if user.is_authenticated() and user.is_contest_admin(self.contest):
if user.is_contest_admin(self.contest):
return func(*args, **kwargs)
if self.contest.contest_type == ContestType.PASSWORD_PROTECTED_CONTEST:
# Anonymous
if not user.is_authenticated():
return self.error("Please login first.")
# password error
if self.contest.id not in request.session.get("accessible_contests", []):
return self.error("Password is required.")
@ -109,6 +110,8 @@ def ensure_created_by(obj, user):
e = APIError(msg=f"{obj.__class__.__name__} does not exist")
if not user.is_admin_role():
raise e
if user.is_super_admin():
return
if isinstance(obj, Problem):
if not user.can_mgmt_all_problem() and obj.created_by != user:
raise e

68
problem/views/admin.py
View File

@ -194,24 +194,6 @@ class ProblemBase(APIView):
data["total_score"] = total_score
data["languages"] = list(data["languages"])
@problem_permission_required
def delete(self, request):
id = request.GET.get("id")
if not id:
return self.error("Invalid parameter, id is required")
try:
problem = Problem.objects.get(id=id, contest_id__isnull=True)
except Problem.DoesNotExist:
return self.error("Problem does not exists")
ensure_created_by(problem, request.user)
if Submission.objects.filter(problem=problem).exists():
return self.error("Can't delete the problem as it has submissions")
d = os.path.join(settings.TEST_CASE_DIR, problem.test_case_id)
if os.path.isdir(d):
shutil.rmtree(d, ignore_errors=True)
problem.delete()
return self.success()
class ProblemAPI(ProblemBase):
@problem_permission_required
@ -307,6 +289,24 @@ class ProblemAPI(ProblemBase):
return self.success()
@problem_permission_required
def delete(self, request):
id = request.GET.get("id")
if not id:
return self.error("Invalid parameter, id is required")
try:
problem = Problem.objects.get(id=id, contest_id__isnull=True)
except Problem.DoesNotExist:
return self.error("Problem does not exists")
ensure_created_by(problem, request.user)
if Submission.objects.filter(problem=problem).exists():
return self.error("Can't delete the problem as it has submissions")
d = os.path.join(settings.TEST_CASE_DIR, problem.test_case_id)
if os.path.isdir(d):
shutil.rmtree(d, ignore_errors=True)
problem.delete()
return self.success()
class ContestProblemAPI(ProblemBase):
@validate_serializer(CreateContestProblemSerializer)
@ -346,7 +346,6 @@ class ContestProblemAPI(ProblemBase):
problem.tags.add(tag)
return self.success(ProblemAdminSerializer(problem).data)
@problem_permission_required
def get(self, request):
problem_id = request.GET.get("id")
contest_id = request.GET.get("contest_id")
@ -354,15 +353,19 @@ class ContestProblemAPI(ProblemBase):
if problem_id:
try:
problem = Problem.objects.get(id=problem_id)
ensure_created_by(problem, user)
ensure_created_by(problem.contest, user)
except Problem.DoesNotExist:
return self.error("Problem does not exist")
return self.success(ProblemAdminSerializer(problem).data)
if not contest_id:
return self.error("Contest id is required")
problems = Problem.objects.filter(contest_id=contest_id).order_by("-create_time")
try:
contest = Contest.objects.get(id=contest_id)
ensure_created_by(contest, user)
except Contest.DoesNotExist:
return self.error("Contest does not exist")
problems = Problem.objects.filter(contest=contest).order_by("-create_time")
if user.is_admin():
problems = problems.filter(contest__created_by=user)
keyword = request.GET.get("keyword")
@ -371,7 +374,6 @@ class ContestProblemAPI(ProblemBase):
return self.success(self.paginate_data(request, problems, ProblemAdminSerializer))
@validate_serializer(EditContestProblemSerializer)
@problem_permission_required
def put(self, request):
data = request.data
user = request.user
@ -388,8 +390,7 @@ class ContestProblemAPI(ProblemBase):
problem_id = data.pop("id")
try:
problem = Problem.objects.get(id=problem_id)
ensure_created_by(problem, user)
problem = Problem.objects.get(id=problem_id, contest=contest)
except Problem.DoesNotExist:
return self.error("Problem does not exist")
@ -419,6 +420,23 @@ class ContestProblemAPI(ProblemBase):
problem.tags.add(tag)
return self.success()
def delete(self, request):
id = request.GET.get("id")
if not id:
return self.error("Invalid parameter, id is required")
try:
problem = Problem.objects.get(id=id, contest_id__isnull=False)
except Problem.DoesNotExist:
return self.error("Problem does not exists")
ensure_created_by(problem.contest, request.user)
if Submission.objects.filter(problem=problem).exists():
return self.error("Can't delete the problem as it has submissions")
d = os.path.join(settings.TEST_CASE_DIR, problem.test_case_id)
if os.path.isdir(d):
shutil.rmtree(d, ignore_errors=True)
problem.delete()
return self.success()
class MakeContestProblemPublicAPIView(APIView):
@validate_serializer(ContestProblemMakePublicSerializer)