```python
if not is_user_a_staff(request.user) and not is_user_a_host_of_challenge(request.user, challenge_pk):
    response_data = {
        "error": "Sorry, you are not authorized to make this request!"
    }
    return Response(response_data, status=status.HTTP_400_BAD_REQUEST)
```
Hey @gchhablani, looked into this issue a bit, could you please explain some more? Can other users access the update_submission API except for host users? How can challenger_phase_pk be used here to further improve the API?
Here, we do check for whether the host is accessing the challenge: https://github.com/Cloud-CV/EvalAI/blob/master/apps/jobs/views.py#L1117-L1121
But, we don't verify whether the other details (challenge phase) are corresponding to that challenge PK:
EvalAI/apps/jobs/views.py
Line 1124 in 8bf1c3d
We need to fix this.
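
The scoping check this issue asks for, as an added illustration that is not EvalAI's code: plain-Python stand-ins compare a handler that checks only the challenge PK with one that also verifies the phase, and the submission under it, belong to that challenge. The `Phase`/`Submission` classes, the `authorize_*` functions, the 404 response and all sample IDs are assumptions constructed here.

```python
from dataclasses import dataclass

# Plain-Python stand-ins for the models (hypothetical, not EvalAI's classes).
@dataclass(frozen=True)
class Phase:
    pk: int
    challenge_pk: int

@dataclass(frozen=True)
class Submission:
    pk: int
    phase_pk: int

# Constructed sample data: user 7 hosts challenge 1, user 8 hosts challenge 2.
HOSTS = {1: {7}, 2: {8}}  # challenge_pk -> host user ids
PHASES = {10: Phase(10, 1), 20: Phase(20, 2)}
SUBMISSIONS = {100: Submission(100, 10), 200: Submission(200, 20)}

def is_host(user_id, challenge_pk):
    return user_id in HOSTS.get(challenge_pk, set())

def authorize_unscoped(user_id, challenge_pk, phase_pk, submission_pk):
    """Behaviour described in the issue: only the challenge PK is checked."""
    if not is_host(user_id, challenge_pk):
        return 400  # mirrors the HTTP_400_BAD_REQUEST in the snippet above
    return 200 if submission_pk in SUBMISSIONS else 404

def authorize_scoped(user_id, challenge_pk, phase_pk, submission_pk):
    """Also ties the phase to the challenge and the submission to the phase."""
    if not is_host(user_id, challenge_pk):
        return 400
    phase = PHASES.get(phase_pk)
    # The phase must belong to the challenge the caller was authorized for.
    if phase is None or phase.challenge_pk != challenge_pk:
        return 404  # assumed response for a mismatched phase
    submission = SUBMISSIONS.get(submission_pk)
    # The submission must belong to that same, already-validated phase.
    if submission is None or submission.phase_pk != phase.pk:
        return 404
    return 200
```

In a Django view the same effect usually comes from filtering each lookup by its parent's key, so a mismatched ID simply fails to resolve.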