From 73e5c76e7521b1ab583d114e700c86fd59d1ca53 Mon Sep 17 00:00:00 2001
From: Quaternions <krakow20@gmail.com>
Date: Wed, 19 Mar 2025 18:05:34 -0700
Subject: [PATCH] submissions: reject reset unless validator is stale

---
 pkg/service/submissions.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/pkg/service/submissions.go b/pkg/service/submissions.go
index b4bca23..0b7b4e7 100644
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"time"
 
 	"git.itzana.me/strafesnet/go-grpc/maps"
 	"git.itzana.me/strafesnet/maps-service/pkg/api"
@@ -459,6 +460,16 @@ func (svc *Service) ActionSubmissionValidated(ctx context.Context, params api.Ac
 		return ErrPermissionDenied
 	}
 
+	// check when submission was updated
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
+		// the last time the submission was updated must be longer than 10 seconds ago
+		return ErrPermissionDenied
+	}
+
 	// transaction
 	smap := datastore.Optional()
 	smap.Add("status_id", model.StatusValidated)
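Review bot: The staleness check added to ActionSubmissionValidated is a separate read performed before the update marked `// transaction`, so two reset requests arriving together can both observe an UpdatedAt older than 10 seconds and both proceed; the same check-then-act pattern is repeated in the ActionSubmissionAccepted hunk. If the update that follows is conditional on the submission's current state, folding the cutoff (`time.Now().Add(-10 * time.Second)`) into that same condition would make the check and the write atomic. The comparison also mixes the service's `time.Now()` with a stored UpdatedAt whose clock source is not visible here, so any skew between the two would shrink or stretch the window. The function body continues outside the hunk, so the update's actual condition could not be verified.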
@@ -530,6 +541,16 @@ func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params api.Act
 		return ErrPermissionDenied
 	}
 
+	// check when submission was updated
+	submission, err := svc.DB.Submissions().Get(ctx, params.SubmissionID)
+	if err != nil {
+		return err
+	}
+	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
+		// the last time the submission was updated must be longer than 10 seconds ago
+		return ErrPermissionDenied
+	}
+
 	// transaction
 	smap := datastore.Optional()
 	smap.Add("status_id", model.StatusAccepted)
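Review bot: Returning `ErrPermissionDenied` when the submission was updated too recently makes a timing rejection indistinguishable from the earlier `return ErrPermissionDenied` visible at the top of this hunk. The caller cannot tell that retrying later would succeed, and denied-request logs can no longer be read as authorization failures only. A dedicated sentinel such as `var ErrSubmissionNotStale = errors.New("submission was updated too recently")` would keep the two apart; this applies equally to the identical block in ActionSubmissionValidated. The literal `time.Second*10` is duplicated across both hunks and would be easier to audit as one named constant, e.g. `const validatorStaleAfter = 10 * time.Second`.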