submissions: submitter cannot accept their own submission

2025-03-19 18:12:18 -07:00 · 2025-03-19 18:12:18 -07:00 · 6748cb4324
commit 6748cb4324
parent 73e5c76e75
1 changed files with 16 additions and 1 deletions
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@ -496,10 +496,25 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 		return ErrPermissionDenied
 	}

+	// read submission (this could be done with a transaction WHERE clause)
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+
+	has_role, err = userInfo.IsSubmitter(uint64(submission.Submitter))
+	if err != nil {
+		return err
+	}
+	// check if caller is NOT the submitter
+	if has_role {
+		return ErrPermissionDenied
+	}
+
 	// transaction
 	smap := datastore.Optional()
 	smap.Add("status_id", model.StatusValidating)
-	submission, err := svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusAccepted}, smap)
+	submission, err = svc.DB.Submissions().IfStatusThenUpdateAndGet(ctx, params.SubmissionID, []model.Status{model.StatusSubmitted, model.StatusAccepted}, smap)
 	if err != nil {
 		return err
 	}