From 724af7ef77f54927b8f12e656b6c841de2e8e5b7 Mon Sep 17 00:00:00 2001
From: Nguyen Viet Dung <29406816+magnified103@users.noreply.github.com>
Date: Mon, 22 Apr 2024 15:51:09 +0700
Subject: [PATCH] Fix vulnerable endpoints due to the lack of permission check

---
 judge/admin/contest.py | 3 +++
 judge/admin/runtime.py | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/judge/admin/contest.py b/judge/admin/contest.py
index 59c25d103a..f6e45b2f05 100644
--- a/judge/admin/contest.py
+++ b/judge/admin/contest.py
@@ -273,6 +273,9 @@ def get_urls(self):
         ] + super(ContestAdmin, self).get_urls()
 
     def rejudge_view(self, request, contest_id, problem_id):
+        contest = get_object_or_404(Contest, id=contest_id)
+        if not self.has_change_permission(request, contest):
+            raise PermissionDenied()
         queryset = ContestSubmission.objects.filter(problem_id=problem_id).select_related('submission')
         for model in queryset:
             model.submission.judge(rejudge=True, rejudge_user=request.user)
diff --git a/judge/admin/runtime.py b/judge/admin/runtime.py
index 3c756527c8..12e0798269 100644
--- a/judge/admin/runtime.py
+++ b/judge/admin/runtime.py
@@ -1,3 +1,4 @@
+from django.core.exceptions import PermissionDenied
 from django.db.models import TextField
 from django.forms import ModelForm, TextInput
 from django.http import HttpResponseRedirect
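Review bot: The new permission check in rejudge_view authorizes against the Contest looked up by contest_id, but the queryset on the following line still selects ContestSubmission rows by problem_id alone, so a user who holds change permission on one contest can rejudge the submissions of any other contest by supplying that contest's problem id in the URL. Scope the filter to the object you just authorized, e.g. `queryset = ContestSubmission.objects.filter(problem_id=problem_id, problem__contest=contest).select_related('submission')` (the `problem__contest` lookup presumes ContestSubmission.problem is a ContestProblem foreign key with a `contest` field — confirm against the model). The fetched `contest` is otherwise unused after the check, which itself suggests the scoping was intended. Nothing in the hunk restricts the request method, so if the route added in get_urls accepts GET, this bulk rejudge stays triggerable from a crafted link even for an authorized admin; worth confirming. rejudge_view's body continues past the end of the hunk.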
@@ -85,13 +86,21 @@ def disconnect_judge(self, id, force=False):
         return HttpResponseRedirect(reverse('admin:judge_judge_changelist'))
 
     def disconnect_view(self, request, id):
+        judge = get_object_or_404(Judge, id=id)
+        if not self.has_change_permission(request, judge):
+            raise PermissionDenied()
         return self.disconnect_judge(id)
 
     def terminate_view(self, request, id):
+        judge = get_object_or_404(Judge, id=id)
+        if not self.has_change_permission(request, judge):
+            raise PermissionDenied()
         return self.disconnect_judge(id, force=True)
 
     def disable_view(self, request, id):
         judge = get_object_or_404(Judge, id=id)
+        if not self.has_change_permission(request, judge):
+            raise PermissionDenied()
         judge.toggle_disabled()
         return HttpResponseRedirect(reverse('admin:judge_judge_change', args=(judge.id,)))