From fd346995783c79639dd81448113d49aba9569573 Mon Sep 17 00:00:00 2001
From: Felix Eckhofer <felix@eckhofer.com>
Date: Sat, 21 Dec 2024 03:42:46 +0100
Subject: [PATCH] Fix unsafe references to session without conference

This led to problems when sessions in different conferences shared the same
ref_id.
---
 app/controllers/assignments_controller.rb | 5 +++--
 app/controllers/candidates_controller.rb  | 8 +++++---
 app/controllers/sessions_controller.rb    | 2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/app/controllers/assignments_controller.rb b/app/controllers/assignments_controller.rb
index 6270499..49111fa 100644
--- a/app/controllers/assignments_controller.rb
+++ b/app/controllers/assignments_controller.rb
@@ -22,8 +22,8 @@ class AssignmentsController < ApplicationController
       return
     end
 
-    @session = Session.find_by(ref_id: params[:session_ref_id])
     @conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference: @conference, ref_id: params[:session_ref_id])
     @user = User.find(params[:user_id])
     @assignment = Assignment.new(user: @user, session: @session)
 
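Review bot: When `params[:conference_slug]` matches no conference, `@conference` is nil on line 23 and the new `Session.find_by(conference: @conference, ref_id: ...)` on line 24 turns into a `conference_id IS NULL` query rather than a miss, so a session with no conference could still be resolved and assigned. Using `@conference = Conference.find_by!(slug: params[:conference_slug])` makes an unknown slug raise `ActiveRecord::RecordNotFound` (a 404 in Rails), or alternatively guard with `return head :not_found unless @conference` before the session lookup. The same nil-conference shape appears in `set_session` in the second hunk and in the candidates and sessions controllers further down. `@session` itself can still be nil after this lookup and goes straight into `Assignment.new`; the enclosing action begins outside the hunk, so I can't see whether that case is handled later.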
@@ -115,7 +115,8 @@ class AssignmentsController < ApplicationController
   private
 
   def set_session
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
   end
 
   def set_users
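Review bot: `set_session` now repeats the conference-then-session lookup that the first hunk performs inline in the action above it, the only difference being that the action keeps `@conference` as an instance variable while this helper uses a local; assigning `@conference = Conference.find_by(slug: params[:conference_slug])` here instead would let the action reuse the helper and leave one place to harden (e.g. a `find_by!` on the conference). The identical pair of lookups also appears in candidates_controller.rb and sessions_controller.rb, so a shared helper on ApplicationController would remove the duplication, assuming those controllers inherit from it as the hunk headers suggest. Whether `set_session` is wired as a before_action is outside this hunk.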
diff --git a/app/controllers/candidates_controller.rb b/app/controllers/candidates_controller.rb
index 94bff98..c5f3f04 100644
--- a/app/controllers/candidates_controller.rb
+++ b/app/controllers/candidates_controller.rb
@@ -4,8 +4,8 @@ class CandidatesController < ApplicationController
   before_action :authorize_shiftcoordinator, except: [:create, :destroy_self]
 
   def create
-    @session = Session.find_by(ref_id: params[:session_ref_id])
     @conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference: @conference, ref_id: params[:session_ref_id])
     @candidate = Candidate.find_or_initialize_by(user: current_user, session: @session).tap do |candidate_|
       candidate_.note = params[:note]
       candidate_.save!
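Review bot: The new lookup on line 48 still returns nil for a `session_ref_id` that doesn't exist in the conference, and `create` passes that nil straight into `Candidate.find_or_initialize_by(user: current_user, session: @session)` followed by `save!`, so the action either persists a candidate with no session or fails inside `save!` depending on model validations not visible here. Since this action is reachable by any logged-in user (it is excluded from `authorize_shiftcoordinator` on line 43), `@session = Session.find_by!(conference: @conference, ref_id: params[:session_ref_id])` would turn the miss into a 404 before anything is written. The nil-`@conference` case raised on assignments_controller.rb applies to line 47 as well. The rest of `create` continues past the hunk.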
@@ -35,13 +35,15 @@ class CandidatesController < ApplicationController
   end
 
   def destroy
+    conference = Conference.find_by(slug: params[:conference_slug])
     @candidate = Candidate.find(params[:id])
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
     destroy_candidate(@session, @candidate)
   end
 
   def destroy_self
-    @session = Session.find_by(ref_id: params[:session_ref_id])
+    conference = Conference.find_by(slug: params[:conference_slug])
+    @session = Session.find_by(conference:, ref_id: params[:session_ref_id])
     @candidate = Candidate.find_by(user: current_user, session: @session)
     destroy_candidate(@session, @candidate)
   end
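Review bot: In `destroy`, `@candidate = Candidate.find(params[:id])` on line 57 is resolved independently of the session found on line 59, so nothing in this hunk ties the candidate to the conference and session named in the URL before both are handed to `destroy_candidate`; if that helper doesn't compare `candidate.session` with `session`, a coordinator could remove a candidate belonging to a different session by id alone. Fetching it through the session, `@candidate = Candidate.find_by!(session: @session, id: params[:id])`, keeps the two consistent and answers 404 on a mismatch. `destroy_candidate` is defined outside the hunk, so this may already be checked there. The nil-conference concern from assignments_controller.rb applies to lines 56 and 65 too.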
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 2feb7ef..e0aa59e 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -19,7 +19,7 @@ class SessionsController < ApplicationController
 
   def show
     @conference = Conference.find_by(slug: params[:slug])
-    @session = Session.includes(:stage).find_by(ref_id: params[:ref_id])
+    @session = Session.includes(:stage).find_by(conference: @conference, ref_id: params[:ref_id])
     @users = User.all
   end
 end
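Review bot: `show` still renders with `@session` nil when `params[:ref_id]` does not exist in this conference, leaving the view to cope with a missing record, and with `@conference` nil the new `find_by(conference: @conference, ...)` on line 79 matches sessions whose conference_id is NULL rather than none. `@conference = Conference.find_by!(slug: params[:slug])` together with `Session.includes(:stage).find_by!(conference: @conference, ref_id: params[:ref_id])` would let Rails respond 404 in both cases. The parameter names here (`slug`, `ref_id`) differ from the `conference_slug`/`session_ref_id` used in the other two controllers; that looks like a routing difference rather than a mistake, but a one-line comment such as `# this route exposes :slug and :ref_id, not :conference_slug/:session_ref_id` would save the next reader the detour.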
-- 
GitLab