Closed jmgasper closed 1 year ago
@suppermancool - This one failed in QA. Have a look at:
TCConnCopilot / Appirio123
doesn't have any role on that challenge, but they see the download button.
@jmgasper the TCConnCopilot have user id = 40158994 . That user id exists in the resources array of challenge 9131c5da-6ed9-4186-9a1b-4de31df5ba17
:
@suppermancool - Yeah, I see it now, thanks. If you don't give an Authorization
header to the resources API, it only returns submitters, which is what I was seeing. Sorry about that.
The submissions API is blocking submission download of submissions for challenges that a user doesn't have access to (like a copilot opening up another copilot's challenge in WM), but we still show the download button.
Instead, let's block this so it doesn't even attempt to download. When loading a challenge, we should look at the resources array for the challenge, and if the logged in user is in the resources API, then they can see the download buttons, but if they aren't in the resources array, we'll hide the download button.