From 5179ec32abb17789c09c239aa99383e5d1133f2b Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Sun, 11 Feb 2024 19:37:14 +0500
Subject: [PATCH 1/5] add message in the empty error
---
 src/apps/api/views/submissions.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
index f9582488d..f3d410792 100644
--- a/src/apps/api/views/submissions.py
+++ b/src/apps/api/views/submissions.py
@@ -209,9 +209,14 @@ def submission_leaderboard_connection(self, request, pk):
 submission = self.get_object()
 phase = submission.phase
- if not (request.user.is_superuser or request.user == submission.owner):
- if not phase.competition.collaborators.filter(pk=request.user.pk).exists():
- raise Http404
+ # only super user, owner of submission and competition organizer can proceed
+ if not (
+ request.user.is_superuser or
+ request.user == submission.owner or
+ request.user in phase.competition.all_organizers
+ ):
+ raise ValidationError("You cannot perform this action, contact the competition organizer!")
+
 if submission.phase.leaderboard.submission_rule in Leaderboard.AUTO_SUBMISSION_RULES and not request.user.is_superuser:
 raise ValidationError("Users are not allowed to edit the leaderboard on this Competition")
From 35eaaee6bf181cfdc904910ec66430b95164f4ea Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Sun, 11 Feb 2024 19:41:57 +0500
Subject: [PATCH 2/5] unused import removed
---
 src/apps/api/views/submissions.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
index f3d410792..2a5278b97 100644
--- a/src/apps/api/views/submissions.py
+++ b/src/apps/api/views/submissions.py
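Review bot: In submission_leaderboard_connection (patch 1/5), the new `if not (...)` guard answers an unauthorised caller with a descriptive error where the removed code raised `Http404`, so a submission that exists but is off-limits is now distinguishable from one that does not exist. Whether that matters depends on how `self.get_object()` scopes its queryset, which this hunk does not show; if it is unscoped, the response confirms which primary keys are in use. The guard also replaces the `collaborators.filter(pk=...)` lookup with membership in `phase.competition.all_organizers`, so it is worth confirming that property still covers every collaborator. I would record the decision next to the check, e.g. `# not a 404 on purpose: the UI shows this message; get_queryset() limits which pks are reachable`. The function body continues outside the hunk.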
@@ -6,7 +6,6 @@ from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import status
 from rest_framework.decorators import api_view, permission_classes, action
-from django.http import Http404
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.filters import SearchFilter
 from rest_framework.generics import get_object_or_404
From 3513e9efd745245605535e45bf6c4fe2408cc0a3 Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Mon, 12 Feb 2024 12:24:04 +0500
Subject: [PATCH 3/5] test fixed, additional test added
---
 src/apps/api/views/submissions.py | 8 ++++++--
 src/apps/competitions/tests/test_submissions.py | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
index 2a5278b97..2eb4a8cee 100644
--- a/src/apps/api/views/submissions.py
+++ b/src/apps/api/views/submissions.py
@@ -205,7 +205,11 @@ def has_admin_permission(self, user, submission):
 @action(detail=True, methods=('POST', 'DELETE'))
 def submission_leaderboard_connection(self, request, pk):
+
+ # get submission
 submission = self.get_object()
+
+ # get submission phase
 phase = submission.phase
 # only super user, owner of submission and competition organizer can proceed
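Review bot: The two comments added at the top of submission_leaderboard_connection (patch 3/5), `# get submission` and `# get submission phase`, restate the assignments beneath them and say nothing about the access rule the action enforces. A docstring would serve a reader better, for example `"""Attach (POST) or detach (DELETE) a submission on its phase leaderboard; superusers, the submission owner and competition organizers only."""`, with the two comments dropped. The function body continues outside the hunk.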
@@ -214,10 +218,10 @@ def submission_leaderboard_connection(self, request, pk):
 request.user == submission.owner or
 request.user in phase.competition.all_organizers
 ):
- raise ValidationError("You cannot perform this action, contact the competition organizer!")
+ raise PermissionDenied("You cannot perform this action, contact the competition organizer!")
 if submission.phase.leaderboard.submission_rule in Leaderboard.AUTO_SUBMISSION_RULES and not request.user.is_superuser:
- raise ValidationError("Users are not allowed to edit the leaderboard on this Competition")
+ raise PermissionDenied("Users are not allowed to edit the leaderboard on this Competition")
 if request.method == 'POST':
 # Removing any existing submissions on leaderboard unless multiples are allowed
diff --git a/src/apps/competitions/tests/test_submissions.py b/src/apps/competitions/tests/test_submissions.py
index 4e58ebd93..a7ae024f2 100644
--- a/src/apps/competitions/tests/test_submissions.py
+++ b/src/apps/competitions/tests/test_submissions.py
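Review bot: The rule check in this hunk dereferences `submission.phase.leaderboard.submission_rule` without first checking that the phase has a leaderboard. The tests in this series assign one to the phase explicitly before calling the endpoint, which suggests it can be unset; in that case an authorised caller would get an unhandled AttributeError (HTTP 500) instead of one of the 403 messages. A guard ahead of the check, such as `if phase.leaderboard is None: raise ValidationError("This phase has no leaderboard")`, keeps the response controlled. The DELETE branch touched in patch 5/5 has the same dereference, and the function body continues outside the hunk.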
@@ -155,7 +155,21 @@ def test_only_owner_can_add_submission_to_leaderboard(self):
 self.client.force_login(different_user)
 url = reverse('submission-submission-leaderboard-connection', kwargs={'pk': parent_sub.pk})
 resp = self.client.post(url)
- assert resp.status_code == 404
+ assert resp.status_code == 403
+ assert resp.data["detail"] == "You cannot perform this action, contact the competition organizer!"
+
+ def test_only_owner_can_remove_submission_from_leaderboard(self):
+ parent_sub = SubmissionFactory(has_children=True)
+ leaderboard = LeaderboardFactory()
+ parent_sub.phase.leaderboard = leaderboard
+ parent_sub.phase.save()
+
+ different_user = UserFactory()
+ self.client.force_login(different_user)
+ url = reverse('submission-submission-leaderboard-connection', kwargs={'pk': parent_sub.pk})
+ resp = self.client.delete(url)
+ assert resp.status_code == 403
+ assert resp.data["detail"] == "You cannot perform this action, contact the competition organizer!"
 def test_adding_submission_removes_other_submissions_from_owner(self):
 leaderboard = LeaderboardFactory()
From 16579a7209a72ce2e482019cc3a63cfdefaf347d Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Thu, 15 Feb 2024 22:58:17 +0500
Subject: [PATCH 4/5] empty error is now shown to participant
---
 src/apps/api/views/submissions.py | 1 +
 src/static/riot/competitions/detail/submission_manager.tag | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
index 2eb4a8cee..394e160bb 100644
--- a/src/apps/api/views/submissions.py
+++ b/src/apps/api/views/submissions.py
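Review bot: Both tests in this hunk exercise only the denial path for an unrelated user, while the series also changes who is allowed: the view now admits anyone in `phase.competition.all_organizers` where it used to query `collaborators`. Nothing here pins that an organizer or collaborator who is not the owner still gets through, or that a superuser does, so a regression in the allow-list would go unnoticed. I would add a case that logs in a competition organizer and asserts the response is not 403, and rename the tests, since `test_only_owner_can_...` no longer describes the rule.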
@@ -220,6 +220,7 @@ def submission_leaderboard_connection(self, request, pk):
 ):
 raise PermissionDenied("You cannot perform this action, contact the competition organizer!")
+ # only super user and with these leaderboard rules (FORCE_LAST, FORCE_BEST, FORCE_LATEST_MULTIPLE) can proceed
 if submission.phase.leaderboard.submission_rule in Leaderboard.AUTO_SUBMISSION_RULES and not request.user.is_superuser:
 raise PermissionDenied("Users are not allowed to edit the leaderboard on this Competition")
diff --git a/src/static/riot/competitions/detail/submission_manager.tag b/src/static/riot/competitions/detail/submission_manager.tag
index e7a6f17ed..95db0f866 100644
--- a/src/static/riot/competitions/detail/submission_manager.tag
+++ b/src/static/riot/competitions/detail/submission_manager.tag
@@ -262,7 +262,7 @@
 CODALAB.events.trigger('submission_changed_on_leaderboard')
 })
 .fail(function (response) {
- toastr.error(response.responseJSON)
+ toastr.error(response.responseJSON.detail)
 })
 event.stopPropagation()
 }
@@ -273,7 +273,7 @@
 CODALAB.events.trigger('submission_changed_on_leaderboard')
 })
 .fail(function (response) {
- toastr.error(response.responseJSON)
+ toastr.error(response.responseJSON.detail)
 })
 event.stopPropagation()
 }
From fca617e39daac215a1ffbf13fa8d55c6bcc564be Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Fri, 16 Feb 2024 12:21:23 +0500
Subject: [PATCH 5/5] empty error resolved
---
 src/apps/api/views/submissions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
index 394e160bb..2ce2d3fbe 100644
--- a/src/apps/api/views/submissions.py
+++ b/src/apps/api/views/submissions.py
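Review bot: The comment added above the `AUTO_SUBMISSION_RULES` check (patch 4/5) reads as if superusers under the three listed rules are the only callers who may ever proceed, whereas the condition only blocks non-superusers when the leaderboard uses an automatic rule; under any other rule the owner and organizers continue. It also copies the rule names, which will drift if `Leaderboard.AUTO_SUBMISSION_RULES` changes. Suggested wording: `# leaderboards with an automatic rule (Leaderboard.AUTO_SUBMISSION_RULES) can only be edited by hand by a superuser`.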
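Review bot: In both `.fail` handlers of submission_manager.tag (the hunks at lines 262 and 273), `response.responseJSON.detail` assumes a JSON body with a `detail` key. A non-JSON failure such as a 500 page or a dropped connection leaves `responseJSON` undefined, so the handler throws before any toast is shown, and a `ValidationError` still raised by the endpoint would serialise as a list with no `detail`, which brings the empty toast back. A fallback keeps a message visible: `toastr.error((response.responseJSON && response.responseJSON.detail) || 'Something went wrong, please try again')`. If toasts are rendered as HTML, it is also worth confirming toastr's `escapeHtml` option is enabled, since the text now comes straight from the API response.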
@@ -237,7 +237,7 @@ def submission_leaderboard_connection(self, request, pk):
 if request.method == 'DELETE':
 if submission.phase.leaderboard.submission_rule not in [Leaderboard.ADD_DELETE, Leaderboard.ADD_DELETE_MULTIPLE]:
- raise ValidationError("You are not allowed to remove a submission on this phase")
+ raise PermissionDenied("You are not allowed to remove a submission on this phase")
 submission.leaderboard = None
 submission.save()
 Submission.objects.filter(parent=submission).update(leaderboard=None)