From 96006d532a392eeca2d350d1811f8e8ab9625bda Mon Sep 17 00:00:00 2001
From: David Wang <67977275+dwang3851@users.noreply.github.com>
Date: Mon, 18 Nov 2024 15:27:45 -0500
Subject: [PATCH] Merge commit from fork

(cherry picked from commit 3894ff0a3ecc45161ce62fd2c08939efa5581054)

Co-authored-by: Nicholas Myers <32116122+NicholasMy@users.noreply.github.com>
---
 app/controllers/assessment/grading.rb | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/controllers/assessment/grading.rb b/app/controllers/assessment/grading.rb
index 7ad0fa0c7..f429215f1 100755
--- a/app/controllers/assessment/grading.rb
+++ b/app/controllers/assessment/grading.rb
@@ -237,6 +237,7 @@ def quickSetScore
 # find existing score for this problem, if there's one
 # otherwise, create it
 score = Score.find_or_initialize_by_submission_id_and_problem_id(sub_id, prob_id)
+ return head :forbidden unless submission_belongs_to_current_course(score.submission)
 score.grader_id = @cud.id
 score.score = params[:score].to_f
 
@@ -266,6 +267,7 @@ def quickSetScoreDetails
 # find existing score for this problem, if there's one
 # otherwise, create it
 score = Score.find_or_initialize_by_submission_id_and_problem_id(sub_id, prob_id)
+ return head :forbidden unless submission_belongs_to_current_course(score.submission)
 score.grader_id = @cud.id
 score.feedback = params[:feedback]
 
@@ -286,6 +288,7 @@ def quickSetScoreDetails
 
 def submission_popover
 submission = Submission.find_by(id: params[:submission_id].to_i)
+ return head :forbidden unless submission_belongs_to_current_course(submission)
 if submission
 render partial: "popover", locals: { s: submission }
 else
@@ -300,6 +303,7 @@ def score_grader_info
 redirect_to action: :show
 return
 end
+ return head :forbidden unless submission_belongs_to_current_course(score.submission)
 grader = (if score then score.grader else nil end)
 grader_info = ""
 
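Review bot: The new guard in quickSetScore dereferences `score.submission`, which is nil whenever `sub_id` names no existing Submission (find_or_initialize_by presumably returns an unsaved Score with only the id set, assuming Score belongs_to :submission), so the helper's `submission.course_user_datum` raises NoMethodError and the request ends in a 500 rather than the intended 403. The same nil path exists in the quickSetScoreDetails hunk, in submission_popover where the added line now runs before the existing `if submission` nil check that `Submission.find_by` relies on, and in score_grader_info where `score` itself can apparently still be nil judging by the `if score then score.grader else nil end` on the following line. The smallest fix is to make the shared helper nil-tolerant, `submission&.course_user_datum&.course == @course`, so every caller answers 403 for missing as well as foreign submissions; otherwise guard each call site, e.g. in submission_popover move the check inside the `if submission` branch. Each of these four methods begins outside its hunk, so I cannot see how `sub_id` or `score` are derived above.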
@@ -321,8 +325,10 @@ def quickGetTotal
 
 # get submission and problem IDs
 sub_id = params[:submission_id].to_i
+ submission = Submission.find(sub_id)
+ return head :forbidden unless submission_belongs_to_current_course(submission)
 
- render plain: Submission.find(sub_id).final_score(@cud)
+ render plain: submission.final_score(@cud)
 end
 
 def statistics
@@ -538,4 +544,13 @@ def load_gradesheet_data
 @submissions = cache.latest_submissions.values
 @section_filter = params[:section]
 end
+
+ def submission_belongs_to_current_course(submission)
+ # Returns true if the provided submission belongs to the current @course, false otherwise.
+ # This is used to ensure a user can only view or modify scores in courses where they have
+ # permission, since the `action_auth_level ***, :course_assistant` only verifies that they're
+ # a CA for the course in the URL. It doesn't verify that the score they're trying to modify
+ # is in a course they're a CA in.
+ submission.course_user_datum.course == @course
+ end
 end
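Review bot: In quickGetTotal the retained `Submission.find(sub_id)` still raises ActiveRecord::RecordNotFound (a 404) for an id that does not exist, while the new line directly below answers 403 for an id that exists in another course, so the two outcomes are distinguishable to the caller. If a uniform response is preferred, `submission = Submission.find_by(id: sub_id)` followed by `return head :forbidden unless submission && submission_belongs_to_current_course(submission)` collapses both cases into one status without changing the success path. The method's `def` line lies outside the hunk.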
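Review bot: `submission_belongs_to_current_course` is appended after `load_gradesheet_data` with no `private` marker visible in the hunk; in a Rails controller a public instance method counts as an action method, so unless the methods above it already sit under `private` (not visible from here), declare it as `private def submission_belongs_to_current_course(submission)` or add a `private` line before it. As a matter of style the five-line explanation belongs above the `def` as a method comment rather than inside the body, and the `***` placeholder in `action_auth_level ***, :course_assistant` should say what it stands for, e.g. `action_auth_level <action>, :course_assistant`. The trailing ` end` closing the enclosing scope is the last line of the hunk.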