Skip to content

fix: prevent unauthorized match winner setting and add state validation#112

Merged
lukepolo merged 3 commits intomainfrom
fix/set-match-winner-permission-and-state-validation
Mar 8, 2026
Merged

fix: prevent unauthorized match winner setting and add state validation#112
lukepolo merged 3 commits intomainfrom
fix/set-match-winner-permission-and-state-validation

Conversation

@Flegma
Copy link
Copy Markdown
Contributor

@Flegma Flegma commented Mar 6, 2026

Summary

  • Fix inverted permission checks in setMatchWinner and forfeitMatch that allowed non-organizers to set winners/forfeit while blocking organizers
  • Add match state validation to setMatchWinner — rejects matches in terminal states (Finished, Canceled, Forfeit, Tie, Surrendered) or pre-start states (Scheduled, PickingPlayers)
  • Add match state validation to forfeitMatch — rejects matches already in terminal states

Closes 5stackgg/5stack-panel#312

Test plan

  • Verify non-organizer users cannot set match winner or forfeit
  • Verify organizers can set winner on active matches (WaitingForCheckIn, Veto, WaitingForServer, Live)
  • Verify setting winner is rejected on matches that haven't started or already ended
  • Verify forfeiting is rejected on matches that already ended

Flegma added 2 commits March 6, 2026 09:17
@Flegma
fix: prevent unauthorized match winner setting and add state validation
7c5ae53 
Fix inverted permission checks in setMatchWinner and forfeitMatch that
allowed non-organizers to set winners/forfeit while blocking organizers.
Add match state validation to reject winner setting on matches that
haven't started or already ended, and reject forfeiting ended matches.

Closes #312
@Flegma
refactor: extract shared terminal match status constants
6ec1a4d 
Replace duplicated terminal status strings across 4 locations in
matches.controller.ts with shared static class constants.
@Flegma Flegma requested a review from lukepolo March 6, 2026 08:26
lukepolo
lukepolo reviewed Mar 6, 2026
View reviewed changes
Comment thread src/matches/matches.controller.ts Outdated
@Flegma
fix: allow setting match winner in any state
bc6fc9e 
Remove state validation from setMatchWinner per review feedback —
organizers should be able to set the winner regardless of match state.
Remove unused TERMINAL_OR_PRE_START_STATUSES constant.
@lukepolo lukepolo merged commit 00e9913 into main Mar 8, 2026
1 check passed
@lukepolo lukepolo deleted the fix/set-match-winner-permission-and-state-validation branch March 8, 2026 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukepolo lukepolo lukepolo left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] User can set win without starting match

2 participants

@Flegma @lukepolo