leak users

[lbeziaud]

Hi,

The Django REST framework leaks the list of users (with emails) through the "collaborators" selector of the HTML competition submission form (bottom of the page https://www.codabench.org/api/competitions/).

Edit: Seems it only works when logged in 🙌. The extraction is possible through the GUI "Add collaborator" auto completion feature, but giving out the list like that might not be desired.

[Didayolo]

Good catch, thank you for reporting this problem.

When using the editor through the UI to add collaborators, the behavior is as excepted:

Not able to see the email when not logged in as an administrator of the platform:

Able to see the email when logged in as an administrator of the platform:

It seems that, using the REST API, the emails are always given? That is an important leakage that we need to fix.

[lbeziaud]

Emails are indeed given although I'm no admin. I reported the issue while looking at /competitions but the email issue is more obvious by looking at https://www.codabench.org/api/participants/. Seems the API is not following the email access rights you describe for the UI (visible only when admin). I'm not familiar with Django REST framework but I guess
the issue is with CompetitionParticipantViewSet or CompetitionParticipantSerializer.

Edit: Maybe that's another issue but /competitions is also not consistent with the rights defined by CompetitionViewSet. The later lists competitions belonging to someone else only if published, whereas the former lists all competitions. That's not a big privacy issue but the access right might need some "unification". Maybe by being defined at the API level rather than through views?

[Didayolo]

I close this issue to keep track of this directly in the PR.

[Didayolo]

I re-open this issue because #929 got reverted. Indeed, this change is breaking the organizer interface used to approve / revoke participants (the buttons simply stops working).

We therefore need to:

• Fix the change to merge it again
• Check that is does not break anything
• Add tests for the participants tab Add tests for approving / revoking participants #996

[Didayolo]

Related: #1008

[ihsaan-ullah]

@Didayolo this issue is done