Potential (minor) security issue when exporting using account_links

[kkoehn]

https://github.com/openHPI/codeharbor/blob/458b7f88c1aef6c09f745c5b705254c9c823ef23/app/controllers/tasks_controller.rb#L193

This looks like you can potential export the task to any account_link, since you just have to supply the id

Todo:

• [x] check
• [x] fix

[MrSerth]

Indeed, that is a problem - I verified it manually. To fix the issue, we probably need to call authorize @account_link in all relevant places. A first check revealed the following:

• [x] CollectsionsController#push_collection https://github.com/openHPI/codeharbor/blob/458b7f88c1aef6c09f745c5b705254c9c823ef23/app/controllers/collections_controller.rb#L73
• [x] TasksController#export_external_start https://github.com/openHPI/codeharbor/blob/458b7f88c1aef6c09f745c5b705254c9c823ef23/app/controllers/tasks_controller.rb#L166
• [x] TasksController#export_external_check https://github.com/openHPI/codeharbor/blob/458b7f88c1aef6c09f745c5b705254c9c823ef23/app/controllers/tasks_controller.rb#L175
• [x] TasksController#export_external_confirm https://github.com/openHPI/codeharbor/blob/458b7f88c1aef6c09f745c5b705254c9c823ef23/app/controllers/tasks_controller.rb#L193

To prevent any consequence of this bug for now, I took immediate action and disabled the export to any account link for now.