fix: trail security issue

This commit is contained in:
swve 2023-07-10 15:14:02 +01:00
parent 056365dac9
commit ef3d8c1f06
4 changed files with 22 additions and 4 deletions


@ -62,7 +62,7 @@ const CourseClient = (props: any) => {
<ActivityIndicators course_id={props.course.course.course_id} orgslug={orgslug} course={course} /> <ActivityIndicators course_id={props.course.course.course_id} orgslug={orgslug} course={course} />
<div className="flex flex-row pt-10 flex-wrap"> <div className="flex flex-row pt-10">
<div className="course_metadata_left grow space-y-2"> <div className="course_metadata_left grow space-y-2">
<h2 className="py-3 text-2xl font-bold">Description</h2> <h2 className="py-3 text-2xl font-bold">Description</h2>
<StyledBox> <StyledBox>


@ -1,6 +1,6 @@
from fastapi import APIRouter, Depends, Request from fastapi import APIRouter, Depends, Request
from src.security.auth import get_current_user from src.security.auth import get_current_user
from src.services.trail import Trail, add_activity_to_trail, add_course_to_trail, create_trail, get_user_trail_with_orgslug, get_user_trail, remove_course_from_trail from src.services.trail.trail import Trail, add_activity_to_trail, add_course_to_trail, create_trail, get_user_trail_with_orgslug, get_user_trail, remove_course_from_trail
router = APIRouter() router = APIRouter()


@ -172,6 +172,12 @@ async def add_activity_to_trail(
{"user_id": user.user_id, "courses.course_id": courseid, "org_id": org_id} {"user_id": user.user_id, "courses.course_id": courseid, "org_id": org_id}
) )
if user.user_id == "anonymous":
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Anonymous users cannot add activity to trail",
)
if not trail: if not trail:
return Trail(masked=False, courses=[]) return Trail(masked=False, courses=[])
@ -202,6 +208,12 @@ async def add_course_to_trail(
trails = request.app.db["trails"] trails = request.app.db["trails"]
orgs = request.app.db["organizations"] orgs = request.app.db["organizations"]
if user.user_id == "anonymous":
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Anonymous users cannot add activity to trail",
)
org = await orgs.find_one({"slug": orgslug}) org = await orgs.find_one({"slug": orgslug})
org = PublicOrganization(**org) org = PublicOrganization(**org)
@ -247,6 +259,12 @@ async def remove_course_from_trail(
trails = request.app.db["trails"] trails = request.app.db["trails"]
orgs = request.app.db["organizations"] orgs = request.app.db["organizations"]
if user.user_id == "anonymous":
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Anonymous users cannot add activity to trail",
)
org = await orgs.find_one({"slug": orgslug}) org = await orgs.find_one({"slug": orgslug})
org = PublicOrganization(**org) org = PublicOrganization(**org)
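Review bot: The `detail` strings in the checks added to `add_course_to_trail` (hunk at +208) and `remove_course_from_trail` (hunk at +259) are copied from `add_activity_to_trail` and name the wrong operation; they should read `detail="Anonymous users cannot add course to trail",` and `detail="Anonymous users cannot remove course from trail",` respectively. In the first hunk the guard sits after the `find_one` on the trails collection has already executed, so the rejection is decided only after a database round trip made on behalf of an unauthenticated caller; moving the check to the top of the function, before any collection access, matches its placement in the other two hunks. The three blocks are identical apart from the message, so one helper or a FastAPI dependency that raises 401 for the anonymous case would keep the rule in a single place; as written, each copy depends on `get_current_user` yielding an object whose `user_id` is exactly the string `"anonymous"`, which is not visible here and worth confirming. All three enclosing functions start and end outside the hunks.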