From c9401b87d7e9d1d662e13e8c4970a509db68bb41 Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Thu, 4 May 2023 23:42:47 +0500
Subject: [PATCH] Participant can access private competition without secret key
---
 src/apps/competitions/views.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/apps/competitions/views.py b/src/apps/competitions/views.py
index 7a4045f7f..8d3e46720 100644
--- a/src/apps/competitions/views.py
+++ b/src/apps/competitions/views.py
@@ -2,7 +2,7 @@
 from django.http import Http404
 from django.views.generic import TemplateView, DetailView
-from .models import Competition
+from .models import Competition, CompetitionParticipant
 class CompetitionManagement(LoginRequiredMixin, TemplateView):
@@ -29,8 +29,12 @@ def get_object(self, *args, **kwargs):
 competition = super().get_object(*args, **kwargs)
 is_creator = self.request.user.is_superuser or self.request.user == competition.created_by
 is_collaborator = self.request.user in competition.collaborators.all()
+
+ # get participants from CompetitionParticipant where user=user and competition=competition
+ is_participant = CompetitionParticipant.objects.filter(user=self.request.user, competition=competition).count() > 0
+
 valid_secret_key = self.request.GET.get('secret_key') == str(competition.secret_key)
- if is_creator or is_collaborator or competition.published or valid_secret_key:
+ if is_creator or is_collaborator or competition.published or valid_secret_key or is_participant:
 return competition
 raise Http404()
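Review bot: The new `is_participant` test in `get_object` admits any user who has a `CompetitionParticipant` row for the competition, whatever state that row is in. If the model also records pending or denied requests (not visible in this hunk), those users would now reach a private competition without the secret key, so the filter should be limited to approved participants. The query also runs on every request before the `if`, and passing an anonymous `request.user` into an ORM filter typically raises instead of matching no rows. Unless the view requires login (its class line is outside the hunk), guard it: `is_participant = self.request.user.is_authenticated and CompetitionParticipant.objects.filter(user=self.request.user, competition=competition).exists()`. `.exists()` also avoids counting rows just to test for presence.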