Merge pull request #402 from fujaba/fix/assignment-privacy
Assignment Privacy
Clashsoft authored Jan 26, 2024
2 parents 2df116e + 399514a commit 87c941c
Showing 3 changed files with 20 additions and 2 deletions.
4 changes: 4 additions & 0 deletions frontend/src/app/assignment/services/assignment.service.ts
@@ -83,6 +83,10 @@ export class AssignmentService {
}

findAll(ids?: string[], createdBy?: string, archived?: boolean): Observable<ReadAssignmentDto[]> {
if (!ids?.length && !createdBy) {
// disallow global queries
return of([]);
}
return this.http.get<ReadAssignmentDto[]>(`${environment.assignmentsApiUrl}/assignments`, {
params: {
...(ids?.length ? {ids: ids.join(',')} : {}),
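Review bot: The new early return in `findAll` is a client-side shortcut, not a privacy control, but the comment `// disallow global queries` reads as if this were the enforcement point. Anyone can call the assignments API directly, so the guarantee has to come from the server; the controller guard in this same commit appears to provide it. I would reword the comment to `// skip the request: the API returns nothing for unfiltered queries (enforced server-side)`. A call that passes only `archived` now yields an empty list with no request and no error, which can hide a caller bug. The body of `findAll` continues outside the hunk.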
@@ -69,6 +69,10 @@ export class AssignmentController {
const members = await this.memberService.findAll({user: {$in: memberIds}});
(filter.$or ||= []).push({_id: {$in: members.map(m => m.parent)}});
}
if (!filter.$or?.length) {
// disallow global queries
return [];
}
return (await this.assignmentService.findAll(filter, {
sort: ASSIGNMENT_SORT,
collation: ASSIGNMENT_COLLATION,
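Review bot: The guard `if (!filter.$or?.length)` is the actual enforcement of this privacy fix, yet none of the three changed files is a test, so nothing pins that an unfiltered request returns no assignments. A regression test for the no-parameter case, and for each single-parameter case still returning results, would keep a later refactor from reopening the global listing. The guard also assumes every narrowing criterion is added to `$or`, which is worth stating in the comment, e.g. `// privacy: refuse unfiltered listing; all narrowing criteria must be pushed to $or above`. The enclosing handler starts and ends outside the hunk, so how the ids, creator and member filters are derived from the request cannot be checked from here.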
14 changes: 12 additions & 2 deletions services/apps/assignments/src/assignment/assignment.service.ts
@@ -31,11 +31,21 @@ export class AssignmentService extends MongooseRepository<Assignment> {
return undefined;
}

/**
* Removes all information from the assignment that should be hidden from unauthorized users.
* Note that some information will always be hidden (e.g. GitHub token, OpenAI API Key) via Mongoose transforms.
* @param assignment the assignment to mask.
* **Do not pass `AssignmentDocument` (use `.toObject()` first), as it will lead to unwanted extra fields.**
* @returns the masked assignment
*/
mask(assignment: Assignment): ReadAssignmentDto {
const {token, tasks, classroom, ...rest} = assignment;
const {token: _token, tasks: _tasks, classroom: _classroom, ...rest} = assignment;
const tasks = assignment.deadline && assignment.deadline.valueOf() > Date.now()
? [] // hide tasks if deadline is in the future
: assignment.tasks.map(t => this.maskTask(t));
return {
...rest,
tasks: assignment.tasks.map(t => this.maskTask(t)),
tasks,
};
}
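Review bot: The deadline check in `mask` fails open: when `assignment.deadline` is unset, or is not a valid date so the comparison is false, the else branch runs and the masked tasks are returned to unauthorized readers. If assignments without a deadline are meant to expose their tasks, say so in the TSDoc, e.g. `Tasks are omitted while the deadline is in the future; assignments without a deadline always include their masked tasks.` If not, the condition needs an explicit branch for the missing-deadline case. Because the result depends on `Date.now()`, a unit test with a fixed clock covering the future, past and missing-deadline cases would be worth adding.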
