Fix unsafe references to session without conference

This leads to problems when sessions have the same ref_id across conferences.

Fix unsafe references to session without conference
fd346995 · Felix Eckhofer · 9a6df2a0 · fd346995 · fd346995 · fd346995
Unverified Commit fd346995 authored 3 months ago by Felix Eckhofer
--- a/app/controllers/assignments_controller.rb
+++ b/app/controllers/assignments_controller.rb
@@ -22,8 +22,8 @@ class AssignmentsController < ApplicationController
      return
    end

-    @session = Session.find_by(ref_id: params[:session_ref_id])
    @conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference: @conference, ref_id: params[:session_ref_id])
    @user = User.find(params[:user_id])
    @assignment = Assignment.new(user: @user, session: @session)

@@ -115,7 +115,8 @@ class AssignmentsController < ApplicationController
  private

  def set_session
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
  end

  def set_users

--- a/app/controllers/candidates_controller.rb
+++ b/app/controllers/candidates_controller.rb
@@ -4,8 +4,8 @@ class CandidatesController < ApplicationController
  before_action :authorize_shiftcoordinator, except: [:create, :destroy_self]

  def create
-    @session = Session.find_by(ref_id: params[:session_ref_id])
    @conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference: @conference, ref_id: params[:session_ref_id])
    @candidate = Candidate.find_or_initialize_by(user: current_user, session: @session).tap do |candidate_|
      candidate_.note = params[:note]
      candidate_.save!
@@ -35,13 +35,15 @@ class CandidatesController < ApplicationController
  end

  def destroy
+    conference = Conference.find_by(slug: params[:conference_slug])
    @candidate = Candidate.find(params[:id])
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
    destroy_candidate(@session, @candidate)
  end

  def destroy_self
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
    @candidate = Candidate.find_by(user: current_user, session: @session)
    destroy_candidate(@session, @candidate)
  end

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -19,7 +19,7 @@ class SessionsController < ApplicationController

  def show
    @conference = Conference.find_by(slug: params[:slug])
-    @session = Session.includes(:stage).find_by(ref_id: params[:ref_id])
+    @session = Session.includes(:stage).find_by(conference: @conference, ref_id: params[:ref_id])
    @users = User.all
  end
 end