From 9840c93bb98e4b5b921d28e4f61a6459d7d02248 Mon Sep 17 00:00:00 2001
From: Menci
Date: Sun, 2 Jul 2017 11:51:18 +0800
Subject: [PATCH] Disallow normal users setting the problem id
---
 modules/problem.js | 26 ++++++++++++++++----------
 views/problem_edit.ejs | 2 +-
 views/problem_import.ejs | 10 ++++++----
 3 files changed, 23 insertions(+), 15 deletions(-)
diff --git a/modules/problem.js b/modules/problem.js
index 726a4bd..7847eee 100644
--- a/modules/problem.js
+++ b/modules/problem.js
@@ -288,11 +288,13 @@ app.post('/problem/:id/edit', async (req, res) => {
 problem = await Problem.create();
- let customID = parseInt(req.body.id);
- if (customID) {
- if (await Problem.fromID(customID)) throw new ErrorMessage('ID 已被使用。');
- problem.id = customID;
- } else if (id) problem.id = id;
+ if (await res.locals.user.hasPrivilege('manage_problem')) {
+ let customID = parseInt(req.body.id);
+ if (customID) {
+ if (await Problem.fromID(customID)) throw new ErrorMessage('ID 已被使用。');
+ problem.id = customID;
+ } else if (id) problem.id = id;
+ }
 problem.user_id = res.locals.user.id;
 problem.publicizer_id = res.locals.user.id;
@@ -357,6 +359,8 @@ app.get('/problem/:id/import', async (req, res) => { if (!await problem.isAllowedEditBy(res.locals.user)) throw new ErrorMessage('您没有权限进行此操作。'); } + problem.allowedManage = await problem.isAllowedManageBy(res.locals.user); + res.render('problem_import', { problem: problem });
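Review bot: `parseInt(req.body.id)` in the POST `/problem/:id/edit` handler has no radix and no range check, so a form value such as `-3` or `0x1A` is accepted and becomes the problem id (-3 and 26 respectively). Parsing in base 10 and accepting only positive safe integers closes that: `const customID = Number.parseInt(req.body.id, 10);` followed by `if (Number.isSafeInteger(customID) && customID > 0) {`. The identical lines in the POST `/problem/:id/import` hunk need the same change. The handler starts and ends outside this hunk, so how the route `id` used in the `else` branch is parsed is not visible here.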
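Review bot: The GET `/problem/:id/import` handler derives the template flag from `problem.isAllowedManageBy(res.locals.user)`, while the POST handlers in this commit gate the id on `res.locals.user.hasPrivilege('manage_problem')`. Neither definition is visible in the diff; if the two predicates can ever disagree, the form will show an id field whose value the server discards, or hide one the server would accept. Either use a single predicate on both sides or record the coupling next to the new line, for example `// Display flag only; must agree with the manage_problem check in POST /problem/:id/import`. The server-side check stays the actual control, since this flag only decides what is rendered.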
@@ -377,11 +381,13 @@ app.post('/problem/:id/import', async (req, res) => {
 problem = await Problem.create();
- let customID = parseInt(req.body.id);
- if (customID) {
- if (await Problem.fromID(customID)) throw new ErrorMessage('ID 已被使用。');
- problem.id = customID;
- } else if (id) problem.id = id;
+ if (await res.locals.user.hasPrivilege('manage_problem')) {
+ let customID = parseInt(req.body.id);
+ if (customID) {
+ if (await Problem.fromID(customID)) throw new ErrorMessage('ID 已被使用。');
+ problem.id = customID;
+ } else if (id) problem.id = id;
+ }
 problem.user_id = res.locals.user.id;
 problem.publicizer_id = res.locals.user.id;
diff --git a/views/problem_edit.ejs b/views/problem_edit.ejs
index 80bd457..0a33d36 100644
--- a/views/problem_edit.ejs
+++ b/views/problem_edit.ejs
@@ -13,7 +13,7 @@
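Review bot: The authorization gate added in the POST `/problem/:id/import` handler is a line-for-line copy of the block added to POST `/problem/:id/edit`, so the rule that only `manage_problem` users may choose or inherit a problem id now lives in two places that can drift apart. Moving both copies into one shared function called from each handler would keep the check in a single spot. Until then, a comment above each copy marks the coupling, for example `// Security: only manage_problem users may pick the id; keep in sync with POST /problem/:id/edit`. The handler body continues outside this hunk.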
- <% if (problem.new || problem.allowedManage) { %> + <% if (problem.allowedManage) { %>
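Review bot: Dropping `problem.new` from this condition makes the id field depend entirely on `problem.allowedManage`, and the only assignment of that flag this commit adds is in the GET `/problem/:id/import` handler. The GET `/problem/:id/edit` handler is not part of the diff; if it does not set `allowedManage` on the new-problem path, users holding `manage_problem` would lose the field when creating a problem. That is worth confirming in the handler. A template comment such as `<%# id field is rendered only when the route handler sets problem.allowedManage %>` would record the dependency. The surrounding markup of this hunk is not visible in this copy of the patch.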
-
- - > -
+ <% if (problem.allowedManage) { %> +
+ + > +
+ <% } %>