From 39f2456bdb80fe478b7ec9f01070982786efb43d Mon Sep 17 00:00:00 2001
From: JJ-8 <34778827+JJ-8@users.noreply.github.com>
Date: Sat, 2 Apr 2022 12:16:22 +0200
Subject: [PATCH] Limit task creation by access controll

Now we first evaluate `ctfnote_private.can_play_ctf` before adding a task. If it is not true (value can also be `null`), then we do not create and add the pad. This prevents guests from adding tasks to CTFs they are not allowed to participate in.
---
 api/src/plugins/createTask.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/api/src/plugins/createTask.ts b/api/src/plugins/createTask.ts
index 592a31ecc..fe0904d01 100644
--- a/api/src/plugins/createTask.ts
+++ b/api/src/plugins/createTask.ts
@@ -44,6 +44,16 @@ export default makeExtendSchemaPlugin((build) => {
 { pgClient },
 resolveInfo
 ) => {
+ const {
+ rows: [isAllowed],
+ } = await pgClient.query(`SELECT ctfnote_private.can_play_ctf($1)`, [
+ ctfId,
+ ]);
+
+ if (isAllowed.can_play_ctf !== true) {
+ return {};
+ }
+
 const padPathOrUrl = await createPad();
 let padPath: string;
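Review bot: The denial branch `if (isAllowed.can_play_ctf !== true) { return {}; }` answers a refused request with an empty payload, so a caller cannot tell a rejection from a mutation that produced nothing, and the refused attempt leaves no trace for operators. Raising an error there, e.g. `throw new Error("Not allowed to create tasks in this CTF");`, would make the authorization failure explicit, and a log line carrying `ctfId` would make repeated attempts visible. The strict `!== true` comparison is the right form, since it treats a `null` result as denial. The resolver body continues outside the hunk, so it is not visible whether the later task insert enforces the same predicate in the database; if it does not, this check is the only gate and deserves a comment such as `// authz: must run before createPad() and the task insert`.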