Prevent spoofing the author of an annotation

autolab · Sep 21, 2023 · d2ab510 · d2ab510
1 parent 729723c
commit d2ab510
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/app/controllers/annotations_controller.rb b/app/controllers/annotations_controller.rb
@@ -80,6 +80,8 @@ def annotation_params
     params[:annotation].delete(:id)
     params[:annotation].delete(:created_at)
     params[:annotation].delete(:updated_at)
+    # Prevent spoofing the submitter
+    params[:annotation][:submitted_by] = @current_user.email
     params.require(:annotation).permit(:filename, :position, :line, :submitted_by,
                                        :comment, :shared_comment, :global_comment, :value,
                                        :problem_id, :submission_id, :coordinate)