topcoder-platform / work-manager

This is the frontend application for creating and managing challenges.

Hide submissions for challenges that a given user doesn't have access to #1538

Closed jmgasper closed 1 year ago

jmgasper commented 1 year ago

The submissions API is blocking submission download of submissions for challenges that a user doesn't have access to (like a copilot opening up another copilot's challenge in WM), but we still show the download button.

Instead, let's block this so it doesn't even attempt to download. When loading a challenge, we should look at the resources array for the challenge, and if the logged in user is in the resources API, then they can see the download buttons, but if they aren't in the resources array, we'll hide the download button.

jmgasper commented 1 year ago

@suppermancool - This one failed in QA. Have a look at:

https://challenges.topcoder-dev.com/projects/16665/challenges/9131c5da-6ed9-4186-9a1b-4de31df5ba17/view

TCConnCopilot / Appirio123 doesn't have any role on that challenge, but they see the download button.

suppermancool commented 1 year ago

@jmgasper TCConnCopilot has user id = 40158994. That user id exists in the resources array of challenge 9131c5da-6ed9-4186-9a1b-4de31df5ba17:

[Image: Screenshot 2023-06-01 at 15 00 45]

jmgasper commented 1 year ago

@suppermancool - Yeah, I see it now, thanks. If you don't give an Authorization header to the resources API, it only returns submitters, which is what I was seeing. Sorry about that.
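
The check described in this issue, as an added example that is not part of the original thread or the work-manager code base: show the download button only when the logged-in user appears in the challenge's resources array, and treat a resources list fetched without an Authorization header as incomplete. The `memberId` field name, the `fetchedWithAuth` flag, the role ids and the second member id are assumptions made for illustration.

```javascript
// Added example. Field names (memberId, roleId) and the fetchedWithAuth
// flag are assumptions, not taken from the project's code.

// Normalize ids so the number 40158994 and the string "40158994" compare equal.
function normalizeId(id) {
  if (id === null || id === undefined) return null;
  const s = String(id).trim();
  return s === '' ? null : s;
}

// Decides whether to render the submission download button.
// The submissions API still enforces access on the server; this only
// avoids offering a download that the API would reject.
function canDownloadSubmissions({ resources, userId, fetchedWithAuth }) {
  const uid = normalizeId(userId);
  if (uid === null) return false; // not logged in
  // Without an Authorization header the resources API returns only
  // submitters, so that list cannot be used for this decision.
  if (!fetchedWithAuth) return false;
  if (!Array.isArray(resources)) return false; // not loaded yet: fail closed
  return resources.some((r) => r && normalizeId(r.memberId) === uid);
}

// Constructed sample data. 40158994 is the user id quoted in the thread;
// the other values are made up.
const sampleResources = [
  { memberId: '40158994', roleId: 'constructed-role-copilot' },
  { memberId: 11111111, roleId: 'constructed-role-submitter' },
];

console.log(canDownloadSubmissions({
  resources: sampleResources, userId: 40158994, fetchedWithAuth: true,
}));
console.log(canDownloadSubmissions({
  resources: sampleResources, userId: 22222222, fetchedWithAuth: true,
}));
```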