From 5da0c7bf1ea10476fa03fea3f53f4e5f25f5abf9 Mon Sep 17 00:00:00 2001
From: Vasilica Olariu <olariu.vasilica@gmail.com>
Date: Thu, 27 Feb 2025 13:36:56 +0200
Subject: [PATCH] Apply restrictions to all challenges

---
 src/common/helper.js            |  2 +-
 src/services/ArtifactService.js | 18 ++----------------
 2 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/src/common/helper.js b/src/common/helper.js
index 26e48fa..6ef5823 100755
--- a/src/common/helper.js
+++ b/src/common/helper.js
@@ -550,7 +550,7 @@ async function checkCreateAccess (authUser, memberId, challengeDetails) {
  * @param {Object} authUser the user
  * @param {Array} resources the challenge resources
  */
-const getChallengeAccessLevel = async (authUser, challengeId) => {
+async function getChallengeAccessLevel (authUser, challengeId) {
   if (authUser.isMachine) {
     return { hasFullAccess: true }
   }
diff --git a/src/services/ArtifactService.js b/src/services/ArtifactService.js
index dec9713..95480a5 100644
--- a/src/services/ArtifactService.js
+++ b/src/services/ArtifactService.js
@@ -44,16 +44,9 @@ async function downloadArtifact (authUser, submissionId, fileName) {
   // Check the validness of Submission ID
   const submission = await HelperService._checkRef({ submissionId })
 
-  let challenge
-  try {
-    challenge = await commonHelper.getChallenge(submission.challengeId)
-  } catch (e) {
-    throw new errors.NotFoundError(`Could not load challenge: ${submission.challengeId}.\n Details: ${_.get(e, 'message')}`)
-  }
-
   const { hasFullAccess, isSubmitter, hasNoAccess } = await commonHelper.getChallengeAccessLevel(authUser, submission.challengeId)
 
-  if (hasNoAccess || (isSubmitter && challenge.isMM && submission.memberId.toString() !== authUser.userId.toString())) {
+  if (hasNoAccess || (isSubmitter && submission.memberId.toString() !== authUser.userId.toString())) {
     throw new errors.HttpStatusError(403, 'You are not allowed to download this submission artifact.')
   }
 
@@ -94,16 +87,9 @@ async function listArtifacts (authUser, submissionId) {
   // Check the validness of Submission ID
   const submission = await HelperService._checkRef({ submissionId })
 
-  let challenge
-  try {
-    challenge = await commonHelper.getChallenge(submission.challengeId)
-  } catch (e) {
-    throw new errors.NotFoundError(`Could not load challenge: ${submission.challengeId}.\n Details: ${_.get(e, 'message')}`)
-  }
-
   const { hasFullAccess, isSubmitter, hasNoAccess } = await commonHelper.getChallengeAccessLevel(authUser, submission.challengeId)
 
-  if (hasNoAccess || (isSubmitter && challenge.isMM && submission.memberId.toString() !== authUser.userId.toString())) {
+  if (hasNoAccess || (isSubmitter && submission.memberId.toString() !== authUser.userId.toString())) {
     throw new errors.HttpStatusError(403, 'You are not allowed to access this submission artifact.')
   }