Cloud-CV / EvalAI

Evaluating state of the art in AI
https://eval.ai

Check challenge phase is corresponding to challenge in update submission API #4229

Open gchhablani opened 9 months ago

gchhablani commented 9 months ago

Here, we do check for whether the host is accessing the challenge: https://github.com/Cloud-CV/EvalAI/blob/master/apps/jobs/views.py#L1117-L1121

    if not is_user_a_staff(request.user) and not is_user_a_host_of_challenge(request.user, challenge_pk):
        response_data = {
            "error": "Sorry, you are not authorized to make this request!"
        }
        return Response(response_data, status=status.HTTP_400_BAD_REQUEST)

But, we don't verify whether the other details (challenge phase) are corresponding to that challenge PK: https://github.com/Cloud-CV/EvalAI/blob/8bf1c3dca1f753bcb59dbe12b1f340383755eb60/apps/jobs/views.py#L1124

        challenge_phase_pk = request.data.get("challenge_phase")

We need to fix this.
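A sketch of the scoping check this issue asks for, as an added example that is not EvalAI's code and not part of the original comment. It uses plain in-memory data instead of Django models; the `submission` and `submission_status` body fields, the helper names and the second error message are assumptions made for illustration.

```python
from dataclasses import dataclass

ERR_AUTH = "Sorry, you are not authorized to make this request!"
ERR_SCOPE = "Challenge phase does not belong to this challenge"  # hypothetical message

@dataclass
class Submission:
    pk: int
    phase_pk: int
    status: str = "submitted"

# Constructed sample data: alice hosts challenge 1, bob hosts challenge 2.
HOSTS = {1: {"alice"}, 2: {"bob"}}
PHASE_TO_CHALLENGE = {10: 1, 20: 2}  # phase pk -> owning challenge pk
SUBMISSIONS = {100: Submission(100, 10), 200: Submission(200, 20)}

def is_host(user, challenge_pk):
    return user in HOSTS.get(challenge_pk, set())

def update_host_check_only(user, challenge_pk, data):
    """Mirrors the excerpt: the caller is checked, the body fields are trusted."""
    if not is_host(user, challenge_pk):
        return 400, ERR_AUTH
    sub = SUBMISSIONS.get(data.get("submission"))
    if sub is None or sub.phase_pk != data.get("challenge_phase"):
        return 404, "Submission not found"
    sub.status = data["submission_status"]
    return 200, sub.status

def update_scoped(user, challenge_pk, data):
    """Adds the missing step: the phase must belong to the challenge in the URL."""
    if not is_host(user, challenge_pk):
        return 400, ERR_AUTH
    phase_pk = data.get("challenge_phase")
    # A missing or unknown phase maps to None, which never equals challenge_pk.
    if PHASE_TO_CHALLENGE.get(phase_pk) != challenge_pk:
        return 400, ERR_SCOPE
    sub = SUBMISSIONS.get(data.get("submission"))
    if sub is None or sub.phase_pk != phase_pk:
        return 404, "Submission not found"
    sub.status = data["submission_status"]
    return 200, sub.status

if __name__ == "__main__":
    # Host of challenge 1 names a phase and submission that belong to challenge 2.
    body = {"challenge_phase": 20, "submission": 200, "submission_status": "failed"}
    print(update_scoped("alice", 1, body))           # rejected, nothing modified
    print(update_host_check_only("alice", 1, body))  # accepted by the host check alone
```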

khadeom commented 9 months ago

Hey @gchhablani, looked into this issue a bit, could you please explain some more? Can other users access the update_submission API except for host users? How can challenger_phase_pk be used here to further improve the API?

manikanta1213 commented 7 months ago

Hey @gchhablani, can I work on this issue?

Rahulxx01 commented 7 months ago

Hello, I am interested in this issue. Can I fix this? @gchhablani

I have already completed one issue assigned to me and submitted a PR (review pending), and I want to work on this issue.

Thank you, Rahul Yadav

KimVianney commented 6 months ago

@gchhablani Please assign this issue to me