All routes with CryptoIds are verified now, see #233

src/Foundation.hs

@@ -1427,6 +1427,7 @@ routeNormalizers =
   , ncSchool
   , ncCourse
   , ncSheet
+  , verifySubmission
   ]
   where
     normalizeRender route = route <$ do
@@ -1464,6 +1465,15 @@ routeNormalizers =
       Entity _ Sheet{..} <- MaybeT . lift . getBy $ CourseSheet cid shn
       hasChanged shn sheetName
       return $ CSheetR tid ssh csh sheetName subRoute
+    verifySubmission = maybeOrig $ \route -> do
+      CSubmissionR _tid _ssh _csh _shn cID sr <- return route
+      sId <- decrypt cID
+      Submission{submissionSheet}   <- lift . lift $ get404 sId
+      Sheet{sheetCourse, sheetName} <- lift . lift $ get404 submissionSheet
+      Course{courseTerm, courseSchool, courseShorthand} <- lift . lift $ get404 sheetCourse
+      let newRoute = CSubmissionR courseTerm courseSchool courseShorthand sheetName cID sr
+      tell . Any $ route /= newRoute
+      return newRoute
 
 
 -- How to run database actions.

src/Handler/Corrections.hs

@@ -788,13 +788,6 @@ postSAssignR tid ssh csh shn cID = do
   sId <- decrypt cID
   (currentCorrector, sheetCorrectors) <- runDB $ do
     Submission{submissionRatingBy, submissionSheet} <- get404 sId
-    -- Beginn Verify that CryptoId matches ordinary prameters, see #233
-    -- Necessarry, since authorisation checks those parameters only, but can be changed by user!
-    Sheet{sheetCourse, sheetName} <- get404 submissionSheet
-    Course{courseTerm, courseSchool, courseShorthand} <- get404 sheetCourse
-    let cidMatches = and [tid==courseTerm, ssh==courseSchool, csh==courseShorthand, shn==sheetName]
-    unless cidMatches $ invalidArgsI [MsgErrorCryptoIdMismatch] -- maybe remove message if refactored
-    -- End Verification
     sheetCorrectors <- map (sheetCorrectorUser . entityVal) <$> selectList [SheetCorrectorSheet ==. submissionSheet] []
     userCorrector <- traverse getJustEntity submissionRatingBy
     return (userCorrector, maybe id (:) submissionRatingBy sheetCorrectors)