From 01b3582b786ad119da2f0c91f2f30ef56d85f45b Mon Sep 17 00:00:00 2001
From: Adrian Kunz
Date: Thu, 25 Jan 2024 16:40:37 +0100
Subject: [PATCH 1/3] fix(frontend,assignments-service): Disallow global assignment queries that return all
---
 frontend/src/app/assignment/services/assignment.service.ts | 4 ++++
 .../apps/assignments/src/assignment/assignment.controller.ts | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/frontend/src/app/assignment/services/assignment.service.ts b/frontend/src/app/assignment/services/assignment.service.ts
index 1982ff48..a704b78f 100644
--- a/frontend/src/app/assignment/services/assignment.service.ts
+++ b/frontend/src/app/assignment/services/assignment.service.ts
@@ -83,6 +83,10 @@ export class AssignmentService {
 }
 findAll(ids?: string[], createdBy?: string, archived?: boolean): Observable {
+ if (!ids?.length && !createdBy) {
+ // disallow global queries
+ return of([]);
+ }
 return this.http.get(`${environment.assignmentsApiUrl}/assignments`, {
 params: {
 ...(ids?.length ? {ids: ids.join(',')} : {}),
diff --git a/services/apps/assignments/src/assignment/assignment.controller.ts b/services/apps/assignments/src/assignment/assignment.controller.ts
index b4876e0d..82171b27 100644
--- a/services/apps/assignments/src/assignment/assignment.controller.ts
+++ b/services/apps/assignments/src/assignment/assignment.controller.ts
@@ -69,6 +69,10 @@ export class AssignmentController {
 const members = await this.memberService.findAll({user: {$in: memberIds}});
 (filter.$or ||= []).push({_id: {$in: members.map(m => m.parent)}});
 }
+ if (!filter.$or?.length) {
+ // disallow global queries
+ return [];
+ }
 return (await this.assignmentService.findAll(filter, {
 sort: ASSIGNMENT_SORT,
 collation: ASSIGNMENT_COLLATION,
From 08dac0394867a3d6890973db33f11fac4ea31ad4 Mon Sep 17 00:00:00 2001
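Review bot: The early `return of([])` in `findAll` makes an unscoped call indistinguishable from a query that matched nothing, and because `archived` is not part of the condition an `archived`-only call now silently yields no results; that contract belongs on the method, not only in the inline comment. A TSDoc line such as `/** Resolves to an empty list without a request when neither ids nor createdBy is given; the server refuses unscoped queries as well. */` would make it visible to callers. This client-side guard only saves a round-trip; the controller check in the second hunk of this patch is the one that actually prevents enumerating every assignment.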
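Review bot: The `!filter.$or?.length` guard only enforces scoping if every restricting clause the handler builds ends up in `filter.$or`; the filter construction is above the hunk, so if an `ids` query parameter is applied as a separate `_id` condition, ids-only requests (which the frontend patch in this commit explicitly permits) would now return `[]` from the server while the client expects results — worth confirming against the lines above. The enclosing handler starts outside the hunk. I would also make the inline comment say why the guard exists: `// Refuse unscoped queries: without an ownership/membership clause this would enumerate every assignment.`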
From: Adrian Kunz
Date: Fri, 26 Jan 2024 10:51:41 +0100
Subject: [PATCH 2/3] docs(assignments-service): Document AssignmentService.mask method
---
 .../apps/assignments/src/assignment/assignment.service.ts | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/services/apps/assignments/src/assignment/assignment.service.ts b/services/apps/assignments/src/assignment/assignment.service.ts
index b810dc7e..9e66b1ff 100644
--- a/services/apps/assignments/src/assignment/assignment.service.ts
+++ b/services/apps/assignments/src/assignment/assignment.service.ts
@@ -31,6 +31,13 @@ export class AssignmentService extends MongooseRepository {
 return undefined;
 }
+ /**
+ * Removes all information from the assignment that is should be hidden from unauthorized users.
+ * Note that some information will always be hidden (e.g. GitHub token, OpenAI API Key) via Mongoose transforms.
+ * @param assignment the assignment to mask.
+ * **Do not pass `AssignmentDocument`, as it will lead to unwanted extra fields.**
+ * @returns the masked assignment
+ */
 mask(assignment: Assignment): ReadAssignmentDto {
 const {token, tasks, classroom, ...rest} = assignment;
 return {
From 399514aeca473259c9bafc28aa8615a8972cc385 Mon Sep 17 00:00:00 2001
From: Adrian Kunz
Date: Fri, 26 Jan 2024 10:56:46 +0100
Subject: [PATCH 3/3] fix(assignments-service): Hide assignment tasks before deadline has passed
---
 .../assignments/src/assignment/assignment.service.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/services/apps/assignments/src/assignment/assignment.service.ts b/services/apps/assignments/src/assignment/assignment.service.ts
index 9e66b1ff..36077e79 100644
--- a/services/apps/assignments/src/assignment/assignment.service.ts
+++ b/services/apps/assignments/src/assignment/assignment.service.ts
@@ -32,17 +32,20 @@ export class AssignmentService extends MongooseRepository {
 }
 /**
- * Removes all information from the assignment that is should be hidden from unauthorized users.
+ * Removes all information from the assignment that should be hidden from unauthorized users.
 * Note that some information will always be hidden (e.g. GitHub token, OpenAI API Key) via Mongoose transforms.
 * @param assignment the assignment to mask.
- * **Do not pass `AssignmentDocument`, as it will lead to unwanted extra fields.**
+ * **Do not pass `AssignmentDocument` (use `.toObject()` first), as it will lead to unwanted extra fields.**
 * @returns the masked assignment
 */
 mask(assignment: Assignment): ReadAssignmentDto {
- const {token, tasks, classroom, ...rest} = assignment;
+ const {token: _token, tasks: _tasks, classroom: _classroom, ...rest} = assignment;
+ const tasks = assignment.deadline && assignment.deadline.valueOf() > Date.now()
+ ? [] // hide tasks if deadline is in the future
+ : assignment.tasks.map(t => this.maskTask(t));
 return {
 ...rest,
- tasks: assignment.tasks.map(t => this.maskTask(t)),
+ tasks,
 };
 }
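Review bot: The new deadline check in `mask` fails open if `deadline` ever arrives as something other than a `Date`: for an ISO string, `valueOf()` returns the string, the `>` comparison against `Date.now()` evaluates to `false`, and the tasks are returned although the deadline lies in the future. Whether that can happen depends on how `Assignment.deadline` is typed and populated, which is outside the hunk; `new Date(assignment.deadline).getTime() > Date.now()` handles both a `Date` and a string at no extra cost. The docstring edited in the same hunk should also record the new behaviour, e.g. `@remarks Tasks are replaced by an empty list while the deadline is in the future; assignments without a deadline expose their masked tasks.` Returning `[]` rather than omitting `tasks` also means clients cannot tell "hidden" from "no tasks", which is fine if intended but worth a sentence there as well.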