Check challenge phase is corresponding to challenge in update submission API

Open gchhablani opened this issue 1 year ago • 4 comments

Here, we do check for whether the host is accessing the challenge: https://github.com/Cloud-CV/EvalAI/blob/master/apps/jobs/views.py#L1117-L1121

    if not is_user_a_staff(request.user) and not is_user_a_host_of_challenge(request.user, challenge_pk):
        response_data = {
            "error": "Sorry, you are not authorized to make this request!"
        }
        return Response(response_data, status=status.HTTP_400_BAD_REQUEST)

But, we don't verify whether the other details (challenge phase) are corresponding to that challenge PK: https://github.com/Cloud-CV/EvalAI/blob/8bf1c3dca1f753bcb59dbe12b1f340383755eb60/apps/jobs/views.py#L1124

        challenge_phase_pk = request.data.get("challenge_phase")

We need to fix this.

gchhablani avatar Nov 28 '23 08:11 gchhablani
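A sketch of the missing check described in the issue above, as an added example that is not EvalAI's code and not part of the original post: after the host check passes for the challenge in the URL, the `challenge_phase` taken from the request body is verified to belong to that same challenge. The in-memory tables, the `update_submission` signature, the `submission` body key, the `scoped` switch and the 404 status for a mismatch are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed in-memory stand-ins for the database rows (not EvalAI's models).
@dataclass(frozen=True)
class Phase:
    pk: int
    challenge_pk: int

@dataclass(frozen=True)
class Submission:
    pk: int
    phase_pk: int

PHASES = {p.pk: p for p in (Phase(10, 1), Phase(20, 2))}
SUBMISSIONS = {s.pk: s for s in (Submission(100, 10), Submission(200, 20))}
HOSTS = {("alice", 1), ("bob", 2)}  # (username, challenge_pk) pairs


def update_submission(user, challenge_pk, data, scoped=True):
    """Return (http_status, body); scoped=False reproduces the gap from the issue."""
    if (user, challenge_pk) not in HOSTS:
        return 400, {"error": "Sorry, you are not authorized to make this request!"}
    phase = PHASES.get(data.get("challenge_phase"))
    submission = SUBMISSIONS.get(data.get("submission"))
    if phase is None or submission is None:
        return 404, {"error": "Challenge phase or submission does not exist"}
    if scoped:
        # The phase named in the body must belong to the challenge in the URL,
        # because that challenge is the only one the host check covered.
        if phase.challenge_pk != challenge_pk:
            return 404, {"error": "Challenge phase does not belong to this challenge"}
        # The submission must in turn belong to that phase.
        if submission.phase_pk != phase.pk:
            return 404, {"error": "Submission does not belong to this challenge phase"}
    return 200, {"updated_submission": submission.pk}


if __name__ == "__main__":
    other = {"challenge_phase": 20, "submission": 200}  # rows of challenge 2
    print("without scoping:", update_submission("alice", 1, other, scoped=False))
    print("with scoping:   ", update_submission("alice", 1, other))
```

In a Django view the same effect usually comes from filtering the phase lookup by both its primary key and the challenge, so a mismatched pair simply fails to resolve.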

Hey @gchhablani, looked into this issue a bit, could you please explain some more? Can other users access the update_submission API except for host users? How can challenger_phase_pk be used here to further improve the API?

khadeom avatar Dec 17 '23 13:12 khadeom

Hey @gchhablani, can I work on this issue?

manikanta1213 avatar Feb 13 '24 01:02 manikanta1213

Hello, I am interested in this issue. Can I fix this? @gchhablani

I have already completed an issue assigned to me and submitted a PR (review pending), and I want to work on this issue.

Thank you, Rahul Yadav

Rahulxx01 avatar Feb 19 '24 18:02 Rahulxx01

@gchhablani Please assign this issue to me.

KimVianney avatar Mar 11 '24 18:03 KimVianney