require authorization for uploading files

szabgab · May 30, 2021 · fc0dafd · fc0dafd
1 parent afd83e7
commit fc0dafd
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 8 deletions.
diff --git a/lib/Course/Management.pm b/lib/Course/Management.pm
@@ -61,12 +61,12 @@ sub startup ($self) {
     $r->get('/')->to('main#welcome');
     $r->post('/login')->to('main#login');
     $r->get('/login/:code')->to('main#login_get');
+    $r->get('/logout')->to('main#logout');
 
     # protected
     $authorized->get('/')->to('course#list_courses');
     $authorized->get('/:id')->to('course#list_exercises');
-    $r->post('/upload')->to('course#upload');
-    $r->get('/logout')->to('main#logout');
+    $authorized->post('/:id/upload')->to('course#upload');
 
     $admin_authorized->get('/')->to('admin#list_courses');
     $admin_authorized->get('/:id')->to('admin#list_solutions');

diff --git a/t/upload.t b/t/upload.t
@@ -26,9 +26,8 @@ subtest upload_no_upload_dir => sub {
     my $content = 'bar';
     my $upload = {
         $course_config->[0]{exercises}[0]{files}[0] => {content => $content, filename => 'baz.txt'},
-        id => $course_config->[0]{id},
     };
-    $t->post_ok('/upload' => form => $upload)->status_is(500);
+    $t->post_ok("/course/$course_config->[0]{id}/upload" => form => $upload)->status_is(500);
     #diag $t->tx->res->body;
     $t->content_like(qr{Upload directory not configured});
 };
@@ -50,9 +49,8 @@ subtest upload => sub {
     my $content = 'bar';
     my $upload = {
         $course_config->[0]{exercises}[0]{files}[0] => {content => $content, filename => 'baz.txt'},
-        id => $course_config->[0]{id},
     };
-    $t->post_ok('/upload' => form => $upload)->status_is(200);
+    $t->post_ok("/course/$course_config->[0]{id}/upload" => form => $upload)->status_is(200);
     #diag $t->tx->res->body;
     $t->content_like(qr{Uploaded});
     (my $exercise_name = $course_config->[0]{exercises}[0]{url}) =~ s{[:/]+}{_}g;

diff --git a/templates/course/list_exercises.html.ep b/templates/course/list_exercises.html.ep
@@ -3,8 +3,7 @@
 
 
 <p>
-  <form method="POST" action="/upload" enctype="multipart/form-data">
-  <input type="hidden" name="id" value="<%= $course->{id} %>">
+  <form method="POST" action="/course/<%= $course->{id} %>/upload" enctype="multipart/form-data">
   <input type="submit" value="Upload">
 
   <ul id="exercises">