Fix vulnerable endpoints due to the lack of permission check
magnified103 authored and quantum5 committed Apr 22, 2024
1 parent fd7fb05 commit 724af7e
Showing 2 changed files with 12 additions and 0 deletions.
3 changes: 3 additions & 0 deletions judge/admin/contest.py
@@ -273,6 +273,9 @@ def get_urls(self):
] + super(ContestAdmin, self).get_urls()

def rejudge_view(self, request, contest_id, problem_id):
contest = get_object_or_404(Contest, id=contest_id)
if not self.has_change_permission(request, contest):
raise PermissionDenied()
queryset = ContestSubmission.objects.filter(problem_id=problem_id).select_related('submission')
for model in queryset:
model.submission.judge(rejudge=True, rejudge_user=request.user)
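Review bot: In `rejudge_view` the permission check is made against the contest loaded from `contest_id`, but the queryset on the next line selects submissions by `problem_id` alone, so nothing visible ties the rejudged problem to the contest that was authorised. A caller with change rights on one contest is therefore not prevented from triggering a rejudge for a problem that belongs to a different contest. Constrain the query to the checked contest, for example `ContestSubmission.objects.filter(problem_id=problem_id, problem__contest_id=contest.id)` (the relation name is assumed, since the models are not shown on this page), or return 404 when the problem does not belong to `contest`. The body of `rejudge_view` may continue past the end of the hunk.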
9 changes: 9 additions & 0 deletions judge/admin/runtime.py
@@ -1,3 +1,4 @@
from django.core.exceptions import PermissionDenied
from django.db.models import TextField
from django.forms import ModelForm, TextInput
from django.http import HttpResponseRedirect
@@ -85,13 +86,21 @@ def disconnect_judge(self, id, force=False):
return HttpResponseRedirect(reverse('admin:judge_judge_changelist'))

def disconnect_view(self, request, id):
judge = get_object_or_404(Judge, id=id)
if not self.has_change_permission(request, judge):
raise PermissionDenied()
return self.disconnect_judge(id)

def terminate_view(self, request, id):
judge = get_object_or_404(Judge, id=id)
if not self.has_change_permission(request, judge):
raise PermissionDenied()
return self.disconnect_judge(id, force=True)

def disable_view(self, request, id):
judge = get_object_or_404(Judge, id=id)
if not self.has_change_permission(request, judge):
raise PermissionDenied()
judge.toggle_disabled()
return HttpResponseRedirect(reverse('admin:judge_judge_change', args=(judge.id,)))
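Review bot: `disconnect_view`, `terminate_view` and `disable_view` now check permission but still act on any HTTP method, as no `request.method` test is visible in the hunk. If the admin reaches them through plain links (the URL wiring is outside this hunk), they change state on GET, which Django's CSRF middleware does not cover, so the permission check alone does not stop a cross-site request made in a privileged user's session. Consider rejecting non-POST requests, e.g. `if request.method != 'POST': return HttpResponseNotAllowed(['POST'])` (from `django.http`), and submitting from a form that carries the CSRF token. The same three-line lookup-and-check guard is repeated in each view and could live in one small private helper so the three cannot drift apart.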
