From 175111f9d84354dce00503525649197e9acb6382 Mon Sep 17 00:00:00 2001
From: Marius Peter
Date: Wed, 1 Jan 2025 20:44:32 +0100
Subject: Hail Mary update for the Score controller.

Try to prevent scores editing from modifying scores of a different session.
---
 app/controllers/scores_controller.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/controllers/scores_controller.rb b/app/controllers/scores_controller.rb
index 7c46165..16e0e44 100644
--- a/app/controllers/scores_controller.rb
+++ b/app/controllers/scores_controller.rb
@@ -1,6 +1,7 @@
 class ScoresController < ApplicationController
   allow_unauthenticated_access
   before_action :set_tartiflette, only: [ :new, :create, :edit_all, :update_all ]
+  before_action :ensure_session_id, only: [:edit_all, :update_all]
 
   def new
   end
@@ -10,7 +11,7 @@ class ScoresController < ApplicationController
   end
 
   def edit_all
-    @scores = @tartiflette.scores
+    @scores = @tartiflette.scores.where(session_id: session[:id])
   end
 
   def update_all
@@ -23,6 +24,10 @@ class ScoresController < ApplicationController
     @tartiflette = Tartiflette.find(params[:tartiflette_id])
   end
 
+  def ensure_session_id
+    session[:id] ||= SecureRandom.uuid
+  end
+
   def scores_params
     params.require(:scores).permit!.to_h
   end
-- 
cgit v1.2.3
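Review bot: `ensure_session_id` is registered only for `edit_all` and `update_all`, so `new` and `create` run with `session[:id]` possibly unset; if `create` stamps new scores with `session[:id]` (its body is outside this hunk), those rows would get a nil `session_id` and never match the `where(session_id: session[:id])` filter this same commit adds to `edit_all`. Consider `before_action :ensure_session_id, only: [ :new, :create, :edit_all, :update_all ]` so the id exists before any score is written. The two adjacent `only:` arrays also differ in bracket padding (`[ :new, ... ]` vs `[:edit_all, ...]`); pick one form for both lines.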
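Review bot: Scoping `@scores` in `edit_all` only narrows what the form renders; the actual write happens in `update_all`, whose body lies outside this hunk, and nothing in the diff shows it resolving records through the same session-scoped relation, so ids submitted in the form could still address another session's scores. The write path should load each record via the same scope, e.g. `@tartiflette.scores.where(session_id: session[:id]).find(id)`, rather than trusting ids from the form; extracting that relation into a private `session_scores` helper used by both actions would keep the two paths from drifting. Note also that `scores_params` (context in the last hunk) uses `permit!`, which allows every submitted attribute to be mass-assigned, including `session_id` or `tartiflette_id` if those are columns on the model; an explicit `permit(...)` list closes that.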