codalab · Didayolo · Feb 19, 2024 · Feb 11, 2024 · Feb 11, 2024 · Feb 12, 2024
diff --git a/src/apps/api/views/submissions.py b/src/apps/api/views/submissions.py
@@ -6,7 +6,6 @@
 from django_filters.rest_framework import DjangoFilterBackend
 from rest_framework import status
 from rest_framework.decorators import api_view, permission_classes, action
-from django.http import Http404
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.filters import SearchFilter
 from rest_framework.generics import get_object_or_404
@@ -206,14 +205,24 @@ def has_admin_permission(self, user, submission):
 
     @action(detail=True, methods=('POST', 'DELETE'))
     def submission_leaderboard_connection(self, request, pk):
+
+        # get submission
         submission = self.get_object()
+
+        # get submission phase
         phase = submission.phase
 
-        if not (request.user.is_superuser or request.user == submission.owner):
-            if not phase.competition.collaborators.filter(pk=request.user.pk).exists():
-                raise Http404
+        # only super user, owner of submission and competition organizer can proceed
+        if not (
+            request.user.is_superuser or
+            request.user == submission.owner or
+            request.user in phase.competition.all_organizers
+        ):
+            raise PermissionDenied("You cannot perform this action, contact the competition organizer!")
+
+        # only super user and with these leaderboard rules (FORCE_LAST, FORCE_BEST, FORCE_LATEST_MULTIPLE) can proceed
         if submission.phase.leaderboard.submission_rule in Leaderboard.AUTO_SUBMISSION_RULES and not request.user.is_superuser:
-            raise ValidationError("Users are not allowed to edit the leaderboard on this Competition")
+            raise PermissionDenied("Users are not allowed to edit the leaderboard on this Competition")
 
         if request.method == 'POST':
             # Removing any existing submissions on leaderboard unless multiples are allowed
@@ -228,7 +237,7 @@ def submission_leaderboard_connection(self, request, pk):
 
         if request.method == 'DELETE':
             if submission.phase.leaderboard.submission_rule not in [Leaderboard.ADD_DELETE, Leaderboard.ADD_DELETE_MULTIPLE]:
-                raise ValidationError("You are not allowed to remove a submission on this phase")
+                raise PermissionDenied("You are not allowed to remove a submission on this phase")
             submission.leaderboard = None
             submission.save()
             Submission.objects.filter(parent=submission).update(leaderboard=None)

diff --git a/src/apps/competitions/tests/test_submissions.py b/src/apps/competitions/tests/test_submissions.py
@@ -155,7 +155,21 @@ def test_only_owner_can_add_submission_to_leaderboard(self):
         self.client.force_login(different_user)
         url = reverse('submission-submission-leaderboard-connection', kwargs={'pk': parent_sub.pk})
         resp = self.client.post(url)
-        assert resp.status_code == 404
+        assert resp.status_code == 403
+        assert resp.data["detail"] == "You cannot perform this action, contact the competition organizer!"
+
+    def test_only_owner_can_remove_submission_from_leaderboard(self):
+        parent_sub = SubmissionFactory(has_children=True)
+        leaderboard = LeaderboardFactory()
+        parent_sub.phase.leaderboard = leaderboard
+        parent_sub.phase.save()
+
+        different_user = UserFactory()
+        self.client.force_login(different_user)
+        url = reverse('submission-submission-leaderboard-connection', kwargs={'pk': parent_sub.pk})
+        resp = self.client.delete(url)
+        assert resp.status_code == 403
+        assert resp.data["detail"] == "You cannot perform this action, contact the competition organizer!"
 
     def test_adding_submission_removes_other_submissions_from_owner(self):
         leaderboard = LeaderboardFactory()

diff --git a/src/static/riot/competitions/detail/submission_manager.tag b/src/static/riot/competitions/detail/submission_manager.tag
@@ -262,7 +262,7 @@
                     CODALAB.events.trigger('submission_changed_on_leaderboard')
                 })
                 .fail(function (response) {
-                    toastr.error(response.responseJSON)
+                    toastr.error(response.responseJSON.detail)
                 })
             event.stopPropagation()
         }
@@ -273,7 +273,7 @@
                     CODALAB.events.trigger('submission_changed_on_leaderboard')
                 })
                 .fail(function (response) {
-                    toastr.error(response.responseJSON)
+                    toastr.error(response.responseJSON.detail)
                 })
             event.stopPropagation()
         }