From 840bb823b983d91b118d7d17bb020d3ac989263f Mon Sep 17 00:00:00 2001
From: Maxim Dolgolyov <maxim.dolgolyov@gmail.com>
Date: Fri, 12 Jun 2026 21:52:56 +0300
Subject: [PATCH] =?UTF-8?q?fix(security):=20=D0=B7=D0=B0=D0=BA=D1=80=D1=8B?=
 =?UTF-8?q?=D1=82=D1=8C=20IDOR=20=D0=BA=D1=83=D1=80=D1=81=D0=BE=D0=B2/?=
 =?UTF-8?q?=D1=83=D1=80=D0=BE=D0=BA=D0=BE=D0=B2/=D0=BD=D0=B0=D0=B7=D0=BD?=
 =?UTF-8?q?=D0=B0=D1=87=D0=B5=D0=BD=D0=B8=D0=B9/=D1=80=D0=B0=D0=B7=D0=B4?=
 =?UTF-8?q?=D0=B0=D1=87=D0=B8=20(=D0=A1=D0=BF=D1=80=D0=B8=D0=BD=D1=821=20#?=
 =?UTF-8?q?1)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- courses: requireOwnership(created_by) на PUT/DELETE/duplicate/publish-all
  и все мутации секций — учитель больше не может править/удалять чужой курс.
- lessonController.create: проверка владения курсом перед вставкой урока.
- assign/unassign курса классу: проверка владения классом (_ownsClass).
- materials.share по userId: получатель должен быть учеником учителя
  (класс или teacher_students), иначе 403.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 backend/src/controllers/courseController.js   |  9 +++++++++
 backend/src/controllers/lessonController.js   |  6 ++++--
 .../controllers/studentMaterialsController.js | 11 +++++++++-
 backend/src/routes/courses.js                 | 20 +++++++++++--------
 4 files changed, 35 insertions(+), 11 deletions(-)

diff --git a/backend/src/controllers/courseController.js b/backend/src/controllers/courseController.js
index e61f5c1..49339bb 100644
--- a/backend/src/controllers/courseController.js
+++ b/backend/src/controllers/courseController.js
@@ -479,10 +479,18 @@ function listClassCourses(req, res) {
   res.json(rows.map(r => ({ ...courseRow(r), deadline: r.deadline })));
 }
 
+// Учитель управляет назначениями только своих классов (админ — любых).
+function _ownsClass(req, classId) {
+  if (req.user.role === 'admin') return true;
+  const cls = db.prepare('SELECT teacher_id FROM classes WHERE id = ?').get(classId);
+  return !!cls && cls.teacher_id === req.user.id;
+}
+
 function assignCourseToClass(req, res) {
   const { classId } = req.params;
   const { courseId, deadline } = req.body;
   if (!courseId) return res.status(400).json({ error: 'courseId required' });
+  if (!_ownsClass(req, classId)) return res.status(403).json({ error: 'Нет доступа к классу' });
   try {
     db.prepare(`
       INSERT INTO class_courses (class_id, course_id, deadline, assigned_by)
@@ -494,6 +502,7 @@ function assignCourseToClass(req, res) {
 }
 
 function unassignCourseFromClass(req, res) {
+  if (!_ownsClass(req, req.params.classId)) return res.status(403).json({ error: 'Нет доступа к классу' });
   db.prepare('DELETE FROM class_courses WHERE class_id = ? AND course_id = ?').run(req.params.classId, req.params.courseId);
   res.json({ ok: true });
 }
diff --git a/backend/src/controllers/lessonController.js b/backend/src/controllers/lessonController.js
index 7e404af..177c842 100644
--- a/backend/src/controllers/lessonController.js
+++ b/backend/src/controllers/lessonController.js
@@ -95,8 +95,10 @@ function create(req, res) {
   const { courseId, title, orderIndex, sectionId } = req.body;
   if (!courseId || !title)
     return res.status(400).json({ error: 'courseId and title required' });
-  if (!db.prepare('SELECT id FROM courses WHERE id = ?').get(courseId))
-    return res.status(404).json({ error: 'Course not found' });
+  const course = db.prepare('SELECT id, created_by FROM courses WHERE id = ?').get(courseId);
+  if (!course) return res.status(404).json({ error: 'Course not found' });
+  if (req.user.role !== 'admin' && course.created_by !== req.user.id)
+    return res.status(403).json({ error: 'Forbidden' });
 
   const r = db.prepare(
     'INSERT INTO lessons (course_id, title, order_index, section_id) VALUES (?, ?, ?, ?)'
diff --git a/backend/src/controllers/studentMaterialsController.js b/backend/src/controllers/studentMaterialsController.js
index 7d06dc3..0f7f6ca 100644
--- a/backend/src/controllers/studentMaterialsController.js
+++ b/backend/src/controllers/studentMaterialsController.js
@@ -148,7 +148,16 @@ function share(req, res) {
     recipients = db.prepare('SELECT user_id FROM class_members WHERE class_id = ?').all(b.classId).map(r => r.user_id);
   } else if (b.userId) {
     const uid = Number(b.userId);
-    if (Number.isFinite(uid)) recipients = [uid];
+    if (!Number.isFinite(uid)) return res.status(400).json({ error: 'bad userId' });
+    // Раздавать можно только своему ученику (в своём классе или в teacher_students).
+    if (req.user.role !== 'admin') {
+      const linked = db.prepare(
+        `SELECT 1 FROM class_members cm JOIN classes c ON c.id = cm.class_id WHERE cm.user_id = ? AND c.teacher_id = ?
+         UNION SELECT 1 FROM teacher_students WHERE student_id = ? AND teacher_id = ? LIMIT 1`
+      ).get(uid, req.user.id, uid, req.user.id);
+      if (!linked) return res.status(403).json({ error: 'Этот ученик не привязан к вам' });
+    }
+    recipients = [uid];
   } else {
     return res.status(400).json({ error: 'classId or userId required' });
   }
diff --git a/backend/src/routes/courses.js b/backend/src/routes/courses.js
index eab2154..b4fe1d9 100644
--- a/backend/src/routes/courses.js
+++ b/backend/src/routes/courses.js
@@ -1,8 +1,12 @@
 const express = require('express');
 const router  = express.Router();
 const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
+const { requireOwnership } = require('../middleware/ownership');
 const c = require('../controllers/courseController');
 
+// Владение курсом по :id (created_by). Закрывает IDOR на правки/удаление/секции.
+const ownCourse = requireOwnership({ table: 'courses', ownerField: 'created_by' });
+
 router.use(authMiddleware);
 
 // Course listing & special
@@ -15,16 +19,16 @@ router.get('/:id/analytics', requireRole('teacher','admin'), c.analytics);
 
 // Course mutations
 router.post('/',            requireRole('teacher','admin'), requirePermission('courses.manage'), c.create);
-router.post('/:id/duplicate',    requireRole('teacher','admin'), requirePermission('courses.manage'), c.duplicate);
-router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), c.publishAll);
-router.put('/:id',               requireRole('teacher','admin'), requirePermission('courses.manage'), c.update);
-router.delete('/:id',       requireRole('teacher','admin'), requirePermission('courses.manage'), c.remove);
+router.post('/:id/duplicate',    requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.duplicate);
+router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.publishAll);
+router.put('/:id',               requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.update);
+router.delete('/:id',       requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.remove);
 
-// Sections
+// Sections (владение родительским курсом по :id)
 router.get('/:id/sections',         requireRole('teacher','admin'), c.listSections);
-router.post('/:id/sections',        requireRole('teacher','admin'), c.createSection);
-router.put('/:id/sections/:sid',    requireRole('teacher','admin'), c.updateSection);
-router.delete('/:id/sections/:sid', requireRole('teacher','admin'), c.deleteSection);
+router.post('/:id/sections',        requireRole('teacher','admin'), ownCourse, c.createSection);
+router.put('/:id/sections/:sid',    requireRole('teacher','admin'), ownCourse, c.updateSection);
+router.delete('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.deleteSection);
 
 // Class courses
 router.get('/class/:classId',              c.listClassCourses);