Move dangerous routes into a new scope

source-academy · Sep 10, 2024 · b39dc56 · b39dc56
1 parent 23a7487
commit b39dc56
Showing 1 changed file with 21 additions and 26 deletions.
diff --git a/lib/cadet_web/router.ex b/lib/cadet_web/router.ex
@@ -28,6 +28,10 @@ defmodule CadetWeb.Router do
     plug(:ensure_role, [:staff, :admin])
   end
 
+  pipeline :ensure_admin do
+    plug(:ensure_role, [:admin])
+  end
+
   scope "/", CadetWeb do
     get("/.well-known/jwks.json", JWKSController, :index)
   end
@@ -119,20 +123,12 @@ defmodule CadetWeb.Router do
     get("/team/:assessmentid", TeamController, :index)
   end
 
-  # Admin pages
+  # Admin pages (Access: All staff)
   scope "/v2/courses/:course_id/admin", CadetWeb do
     pipe_through([:api, :auth, :ensure_auth, :course, :ensure_staff])
 
     resources("/sourcecast", AdminSourcecastController, only: [:create, :delete])
 
-    get("/assets/:foldername", AdminAssetsController, :index)
-    post("/assets/:foldername/*filename", AdminAssetsController, :upload)
-    delete("/assets/:foldername/*filename", AdminAssetsController, :delete)
-
-    post("/assessments", AdminAssessmentsController, :create)
-    post("/assessments/:assessmentid", AdminAssessmentsController, :update)
-    delete("/assessments/:assessmentid", AdminAssessmentsController, :delete)
-
     get(
       "/assessments/:assessmentid/popularVoteLeaderboard",
       AdminAssessmentsController,
@@ -148,14 +144,6 @@ defmodule CadetWeb.Router do
     get("/grading", AdminGradingController, :index)
     get("/grading/summary", AdminGradingController, :grading_summary)
 
-    post("/grading/:assessmentid/publish_all_grades", AdminGradingController, :publish_all_grades)
-
-    post(
-      "/grading/:assessmentid/unpublish_all_grades",
-      AdminGradingController,
-      :unpublish_all_grades
-    )
-
     get("/grading/:submissionid", AdminGradingController, :show)
     post("/grading/:submissionid/unsubmit", AdminGradingController, :unsubmit)
     post("/grading/:submissionid/unpublish_grades", AdminGradingController, :unpublish_grades)
@@ -184,8 +172,6 @@ defmodule CadetWeb.Router do
 
     # The admin route for getting total xp of a specific user
     get("/users/:course_reg_id/total_xp", AdminUserController, :combined_total_xp)
-    put("/users/:course_reg_id/role", AdminUserController, :update_role)
-    delete("/users/:course_reg_id", AdminUserController, :delete_user)
     get("/users/:course_reg_id/goals", AdminGoalsController, :index_goals_with_progress)
     post("/users/:course_reg_id/goals/:uuid/progress", AdminGoalsController, :update_progress)
 
@@ -209,14 +195,29 @@ defmodule CadetWeb.Router do
     post("/teams/upload", AdminTeamsController, :bulk_upload)
   end
 
-  # Admin pages
+  # Admin pages (Access: Course administrators only - these routes can cause substantial damage)
   scope "/v2/courses/:course_id/admin", CadetWeb do
     pipe_through([:api, :auth, :ensure_auth, :course, :ensure_admin])
 
+    get("/assets/:foldername", AdminAssetsController, :index)
+    post("/assets/:foldername/*filename", AdminAssetsController, :upload)
+    delete("/assets/:foldername/*filename", AdminAssetsController, :delete)
+
     post("/assessments", AdminAssessmentsController, :create)
     post("/assessments/:assessmentid", AdminAssessmentsController, :update)
     delete("/assessments/:assessmentid", AdminAssessmentsController, :delete)
 
+    post("/grading/:assessmentid/publish_all_grades", AdminGradingController, :publish_all_grades)
+
+    post(
+      "/grading/:assessmentid/unpublish_all_grades",
+      AdminGradingController,
+      :unpublish_all_grades
+    )
+
+    put("/users/:course_reg_id/role", AdminUserController, :update_role)
+    delete("/users/:course_reg_id", AdminUserController, :delete_user)
+
     put("/config", AdminCoursesController, :update_course_config)
     # TODO: Missing corresponding Swagger path entry
     get("/config/assessment_configs", AdminCoursesController, :get_assessment_configs)
@@ -227,12 +228,6 @@ defmodule CadetWeb.Router do
       AdminCoursesController,
       :delete_assessment_config
     )
-
-    get("/teams", AdminTeamsController, :index)
-    post("/teams", AdminTeamsController, :create)
-    delete("/teams/:teamid", AdminTeamsController, :delete)
-    put("/teams/:teamid", AdminTeamsController, :update)
-    post("/teams/upload", AdminTeamsController, :bulk_upload)
   end
 
   # Other scopes may use custom stacks.