Prevents Hunters from accessing hunt information before it starts

2026-05-18 11:41:22 -05:00
parent 08d0b1730a
commit 8ff73cda2b
4 changed files with 39 additions and 12 deletions
--- a/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt
+++ b/src/main/kotlin/net/halfbinary/scavengerhuntapi/service/PhotoService.kt
@@ -36,10 +36,15 @@ class PhotoService(
    private val photoRepository: PhotoRepository,
    private val hunterService: HunterService,
    private val teamService: TeamService,
+    private val huntService: HuntService,
    private val s3StorageService: S3StorageService,
    private val fileProbeService: FileProbeService
 ) {
    fun submitPhoto(huntId: HuntId, itemId: ItemId, email: String, file: MultipartFile) {
+        val hunter = hunterService.getHunterByEmail(email)
+        val hunt = huntService.getHunt(huntId)
+        if (!hunter.isAdmin && !hunt.isOngoing) throw ForbiddenException()
+
        val originalBytes = file.bytes
        val fileType = fileProbeService.getFileType(originalBytes)

@@ -51,7 +56,6 @@ class PhotoService(
            throw BadFileException("Image type is not supported")
        }

-        val hunter = hunterService.getHunterByEmail(email)
        val now = LocalDateTime.now()
        val photo = Photo(
            itemId = itemId,
@@ -76,6 +80,8 @@ class PhotoService(
            ?: throw NotFoundException(PHOTO_NOT_FOUND)

        if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
            val team = try {
                teamService.getTeamForHunterInHunt(huntId, email)
            } catch (_: NotFoundException) {
@@ -121,6 +127,8 @@ class PhotoService(
        val requestingHunter = hunterService.getHunterByEmail(email)

        if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
            val team = try {
                teamService.getTeamForHunterInHunt(huntId, email)
            } catch (_: NotFoundException) {
@@ -142,15 +150,24 @@ class PhotoService(
    }

    fun removePhoto(huntId: HuntId, teamId: TeamId, itemId: ItemId, photoId: PhotoId, email: String) {
+        val requestingHunter = hunterService.getHunterByEmail(email)
+
+        if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
+        }
+
        val photoRecord = photoRepository.findByIdAndItemIdAndHuntId(photoId, itemId, huntId)
            ?: throw NotFoundException(PHOTO_NOT_FOUND)

-        val team = try {
-            teamService.getTeamForHunterInHunt(huntId, email)
-        } catch (_: NotFoundException) {
-            throw ForbiddenException()
+        if (!requestingHunter.isAdmin) {
+            val team = try {
+                teamService.getTeamForHunterInHunt(huntId, email)
+            } catch (_: NotFoundException) {
+                throw ForbiddenException()
+            }
+            if (team.id != teamId) throw ForbiddenException()
        }
-        if (team.id != teamId) throw ForbiddenException()

        if (photoRecord.status == PhotoStatus.APPROVED) throw ConflictException("Cannot remove an approved photo")

@@ -161,6 +178,8 @@ class PhotoService(
        val requestingHunter = hunterService.getHunterByEmail(email)

        if (!requestingHunter.isAdmin) {
+            val hunt = huntService.getHunt(huntId)
+            if (!hunt.isOngoing) throw ForbiddenException()
            val team = try {
                teamService.getTeamForHunterInHunt(huntId, email)
            } catch (_: NotFoundException) {