
Merge pull request #5455 from dodona-edu/fix/series-security-leak
Don't show series info on activity show if activity not in series
jorg-vr authored Mar 28, 2024
2 parents 423e1e6 + c77aa30 commit b8b2669
Showing 2 changed files with 37 additions and 0 deletions.
3 changes: 3 additions & 0 deletions app/controllers/activities_controller.rb
Expand Up @@ -114,6 +114,9 @@ def show
raise Pundit::NotAuthorizedError, 'Not allowed' unless @activity.accessible?(current_user, @course)

@series = Series.find_by(id: params[:series_id])
# Double check if activity still exists within this series, redirect to course activity if it does not
redirect_to helpers.activity_scoped_path(activity: @activity, course: @course) if @series&.activities&.exclude?(@activity)

@not_registered = @course && !current_user&.member_of?(@course)
flash.now[:alert] = I18n.t('activities.show.not_a_member') if @not_registered
@current_membership = CourseMembership.where(course: @course, user: current_user).first if @lti_launch && @not_registered
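Review bot: The new `redirect_to` does not stop the action, so when the activity is not in the series the remainder of `show` (which continues past this hunk) still runs with `@series` pointing at the unrelated series, and an explicit `render` further down would raise `ActionController::DoubleRenderError`. Make the guard an early exit: `return redirect_to helpers.activity_scoped_path(activity: @activity, course: @course) if @series&.activities&.exclude?(@activity)`. The membership test also loads every activity of the series just to check one id; `@series.activities.exists?(@activity.id)` asks the database the same question. Note that this line only checks that the activity is in the series, not that the series belongs to `@course`; the second new test expects a redirect to root for that case, so it is presumably enforced elsewhere (a before_action not shown here), and a short comment on this line pointing to it would keep the two checks from being confused.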
34 changes: 34 additions & 0 deletions test/controllers/activities_controller_test.rb
Expand Up @@ -823,6 +823,40 @@ def create_exercises_return_valid
assert exercise.reload.draft
assert_equal 'new name', exercise.name_en
end

test 'should not show activity if not in series' do
right_course = create :course
right_series = create :series, course: right_course
right_exercise = create :exercise
right_series.exercises << right_exercise

get course_series_activity_url(right_course, right_series, right_exercise)

assert_response :success

wrong_series = create :series, course: right_course

get course_series_activity_url(right_course, wrong_series, right_exercise)

assert_redirected_to course_activity_url(right_course, right_exercise)
end

test 'should not show activity if series not in course' do
right_course = create :course
right_series = create :series, course: right_course
right_exercise = create :exercise
right_series.exercises << right_exercise

get course_series_activity_url(right_course, right_series, right_exercise)

assert_response :success

wrong_course = create :course

get course_series_activity_url(wrong_course, right_series, right_exercise)

assert_redirected_to root_url
end
end

class ExerciseErrorMailerTest < ActionDispatch::IntegrationTest
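Review bot: Neither new test covers the case the guard lets through: a `series_id` that matches no series makes `Series.find_by` return nil, so no redirect happens and the activity renders without any series check; add a case using an id no series has, e.g. `get course_series_activity_url(right_course, right_series.id + 1_000, right_exercise)`, and assert whichever response is intended. The `root_url` redirect asserted in the second test comes from a check outside this diff (the controller hunk only compares series membership), so a one-line comment naming where that is enforced would keep the test from being misread as exercising the new guard. Both tests run unauthenticated, which works for a public exercise but never exercises the redirect for a signed-in course member; if the Devise `sign_in` helper is available here, a `sign_in create(:user)` before the second `get` would cover that path too.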
