Admin interface: Set correct csrf tokens so groups and participations can now...

Admin interface: Set correct csrf tokens so groups and participations can now be deleted. Fixes #116

Admin interface: Set correct csrf tokens so groups and participations can now...
Admin interface: Set correct csrf tokens so groups and participations can now be deleted. Fixes #116
f0deebc5 · Robert Czechowski · 0985868a · f0deebc5
Commit f0deebc5 authored Oct 19, 2020 by Robert Czechowski
--- a/src/core.rs
+++ b/src/core.rs
@@ -1247,6 +1247,8 @@ pub fn admin_show_user<T: MedalConnection>(conn: &T, user_id: i32, session_token
    let mut data = json_val::Map::new();

    let (user, opt_group) = conn.get_user_and_group_by_id(user_id).ok_or(MedalError::AccessDenied)?;
+    // TODO: This is not nice, the fill_user_data is meant to fill the data of the user being logged in right now!
+    // Need to find a better solution for this, so we have no longer to replace the CSRF token here
    fill_user_data(&user, &mut data);
    data.insert("logincode".to_string(), to_json(&user.logincode));
    data.insert("userid".to_string(), to_json(&user.id));
@@ -1267,7 +1269,6 @@ pub fn admin_show_user<T: MedalConnection>(conn: &T, user_id: i32, session_token
                                 code: g.groupcode.clone() })
            .collect();
    data.insert("group".to_string(), to_json(&v));
-    data.insert("csrf_token".to_string(), to_json(&session.csrf_token));

    let parts = conn.get_all_participations_complete(user_id);

@@ -1275,6 +1276,7 @@ pub fn admin_show_user<T: MedalConnection>(conn: &T, user_id: i32, session_token

    data.insert("participations".to_string(), to_json(&pi));

+    data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
    Ok(("admin_user".to_string(), data))
 }

@@ -1307,11 +1309,11 @@ pub fn admin_delete_user<T: MedalConnection>(conn: &T, user_id: i32, session_tok
 }

 pub fn admin_show_group<T: MedalConnection>(conn: &T, group_id: i32, session_token: &str) -> MedalValueResult {
-    conn.get_session(&session_token)
-        .ensure_logged_in()
-        .ok_or(MedalError::NotLoggedIn)?
-        .ensure_admin()
-        .ok_or(MedalError::AccessDenied)?;
+    let session = conn.get_session(&session_token)
+                      .ensure_logged_in()
+                      .ok_or(MedalError::NotLoggedIn)?
+                      .ensure_admin()
+                      .ok_or(MedalError::AccessDenied)?;

    let group = conn.get_group_complete(group_id).unwrap(); // TODO handle error

@@ -1341,6 +1343,7 @@ pub fn admin_show_group<T: MedalConnection>(conn: &T, group_id: i32, session_tok
    data.insert("group_admin_firstname".to_string(), to_json(&user.firstname));
    data.insert("group_admin_lastname".to_string(), to_json(&user.lastname));

+    data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
    Ok(("admin_group".to_string(), data))
 }

@@ -1370,11 +1373,11 @@ pub fn admin_delete_group<T: MedalConnection>(conn: &T, group_id: i32, session_t

 pub fn admin_show_participation<T: MedalConnection>(conn: &T, user_id: i32, contest_id: i32, session_token: &str)
                                                    -> MedalValueResult {
-    conn.get_session(&session_token)
-        .ensure_logged_in()
-        .ok_or(MedalError::NotLoggedIn)?
-        .ensure_admin()
-        .ok_or(MedalError::AccessDenied)?;
+    let session = conn.get_session(&session_token)
+                      .ensure_logged_in()
+                      .ok_or(MedalError::NotLoggedIn)?
+                      .ensure_admin()
+                      .ok_or(MedalError::AccessDenied)?;

    let contest = conn.get_contest_by_id_complete(contest_id);

@@ -1408,6 +1411,7 @@ pub fn admin_show_participation<T: MedalConnection>(conn: &T, user_id: i32, cont
    data.insert("start_date".to_string(),
                to_json(&self::time::strftime("%FT%T%z", &self::time::at(participation.start)).unwrap()));

+    data.insert("csrf_token".to_string(), to_json(&session.csrf_token));
    Ok(("admin_participation".to_string(), data))
 }