maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): закрыть IDOR курсов/уроков/назначений/раздачи (Спринт1 #1)

Browse Source 
- courses: requireOwnership(created_by) на PUT/DELETE/duplicate/publish-all
  и все мутации секций — учитель больше не может править/удалять чужой курс.
- lessonController.create: проверка владения курсом перед вставкой урока.
- assign/unassign курса классу: проверка владения классом (_ownsClass).
- materials.share по userId: получатель должен быть учеником учителя
  (класс или teacher_students), иначе 403.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Maxim Dolgolyov
2026-06-12 21:52:56 +03:00
parent 5d3db90b5d
commit 840bb823b9
4 changed files with 35 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/src/routes/courses.js
+12 -8
View File
@@ -1,8 +1,12 @@
const express = require('express');
const router = express.Router();
const { authMiddleware, requireRole, requirePermission } = require('../middleware/auth');
const { requireOwnership } = require('../middleware/ownership');
const c = require('../controllers/courseController');
// Владение курсом по :id (created_by). Закрывает IDOR на правки/удаление/секции.
const ownCourse = requireOwnership({ table: 'courses', ownerField: 'created_by' });
router.use(authMiddleware);
// Course listing & special
@@ -15,16 +19,16 @@ router.get('/:id/analytics', requireRole('teacher','admin'), c.analytics);
// Course mutations
router.post('/', requireRole('teacher','admin'), requirePermission('courses.manage'), c.create);
router.post('/:id/duplicate', requireRole('teacher','admin'), requirePermission('courses.manage'), c.duplicate);
router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), c.publishAll);
router.put('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), c.update);
router.delete('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), c.remove);
router.post('/:id/duplicate', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.duplicate);
router.patch('/:id/publish-all', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.publishAll);
router.put('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.update);
router.delete('/:id', requireRole('teacher','admin'), requirePermission('courses.manage'), ownCourse, c.remove);
// Sections
// Sections (владение родительским курсом по :id)
router.get('/:id/sections', requireRole('teacher','admin'), c.listSections);
router.post('/:id/sections', requireRole('teacher','admin'), c.createSection);
router.put('/:id/sections/:sid', requireRole('teacher','admin'), c.updateSection);
router.delete('/:id/sections/:sid', requireRole('teacher','admin'), c.deleteSection);
router.post('/:id/sections', requireRole('teacher','admin'), ownCourse, c.createSection);
router.put('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.updateSection);
router.delete('/:id/sections/:sid', requireRole('teacher','admin'), ownCourse, c.deleteSection);
// Class courses
router.get('/class/:classId', c.listClassCourses);