authorMarius Peter <marius.peter@tutanota.com>2025-01-01 20:44:32 +0100
committerMarius Peter <wtt@marius-peter.com>2025-01-02 13:51:16 +0100
commit175111f9d84354dce00503525649197e9acb6382 (patch)
tree7ad0823a1b5c21d36972f1c3c50be3e3cffcd8cd /app/controllers
parentf68deabfffb146d0194d9a490d9e12a505e1bf1f (diff)
Hail Mary update for the Score controller.v1.0
Try to prevent score editing from modifying scores that belong to a different session.
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/scores_controller.rb7
1 files changed, 6 insertions, 1 deletions
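--- a/app/controllers/scores_controller.rb
+++ b/app/controllers/scores_controller.rb
@@ -1,6 +1,7 @@
 class ScoresController < ApplicationController
 allow_unauthenticated_access
 before_action :set_tartiflette, only: [ :new, :create, :edit_all, :update_all ]
+ before_action :ensure_session_id, only: [:edit_all, :update_all]
 def new
 end
@@ -10,7 +11,7 @@ class ScoresController < ApplicationController
 end
 def edit_all
- @scores = @tartiflette.scores
+ @scores = @tartiflette.scores.where(session_id: session[:id])
 end
 def update_all
@@ -23,6 +24,10 @@ class ScoresController < ApplicationController
 @tartiflette = Tartiflette.find(params[:tartiflette_id])
 end
+ def ensure_session_id
+ session[:id] ||= SecureRandom.uuid
+ end
+
 def scores_params
 params.require(:scores).permit!.to_h
 end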
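Review bot: The session filter added to edit_all is not visibly applied on the write path: update_all begins at the end of the second hunk with its body outside the diff, and scores_params (context in the third hunk) still calls `permit!`, so a submitted `session_id` or foreign score `id` would be accepted unless update_all also restricts itself to `session[:id]`. If update_all resolves records from the unscoped `@tartiflette.scores`, the new `where` only changes which rows the form renders, not which rows the POST can modify. I would route both actions through the same relation, e.g. a private `session_scores` helper returning `@tartiflette.scores.where(session_id: session[:id])`, and replace `permit!` with an explicit attribute list that leaves out `session_id`. Whether ensure_session_id lands below `private` cannot be confirmed here, since that keyword is outside the hunk; if it does not, it becomes a routable public action.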