Fix contest submissions permission.

modules/problem.js

@@ -621,8 +621,9 @@ app.post('/problem/:id/submit', app.multer.fields([{ name: 'answer', maxCount: 1
     }
 
     let contest_id = parseInt(req.query.contest_id);
+    let contest;
     if (contest_id) {
-      let contest = await Contest.fromID(contest_id);
+      contest = await Contest.fromID(contest_id);
       if (!contest) throw new ErrorMessage('无此比赛。');
       if ((!contest.isRunning()) && (!await contest.isSupervisior(curUser))) throw new ErrorMessage('比赛未开始或已结束。');
       let problems_id = await contest.getProblems();
@@ -648,7 +649,7 @@ app.post('/problem/:id/submit', app.multer.fields([{ name: 'answer', maxCount: 1
       throw new ErrorMessage(`无法开始评测：${err.toString()}`);
     }
 
-    if (contest_id) {
+    if (contest && (!await contest.isSupervisior(curUser))) {
       res.redirect(syzoj.utils.makeUrl(['contest', contest_id, 'submissions']));
     } else {
       res.redirect(syzoj.utils.makeUrl(['submission', judge_state.id]));

modules/submission.js

@@ -135,14 +135,16 @@ app.get('/submission/:id', async (req, res) => {
     const id = parseInt(req.params.id);
     const judge = await JudgeState.fromID(id);
     if (!judge) throw new ErrorMessage("提交记录 ID 不正确。");
-    if (!await judge.isAllowedVisitBy(res.locals.user)) throw new ErrorMessage('您没有权限进行此操作。');
+    const curUser = res.locals.user;
+    if (!await judge.isAllowedVisitBy(curUser)) throw new ErrorMessage('您没有权限进行此操作。');
 
     let contest;
     if (judge.type === 1) {
       contest = await Contest.fromID(judge.type_info);
       contest.ended = contest.isEnded();
 
-      if (!contest.ended && !await judge.problem.isAllowedEditBy(res.locals.user)) {
+      if (!contest.ended &&
+        !(await judge.problem.isAllowedEditBy(res.locals.user) || await contest.isSupervisior(curUser))) {
         throw new Error("对不起，在比赛结束之前，您不能查看评测结果。");
       }
     }