Skip to content

fix(security): restrict exam answer key access to authors and admins#215

Open
Sairaj2033 wants to merge 1 commit into
Sitaram8472:mainfrom
Sairaj2033:fix-exam-key-exposure
Open

fix(security): restrict exam answer key access to authors and admins#215
Sairaj2033 wants to merge 1 commit into
Sitaram8472:mainfrom
Sairaj2033:fix-exam-key-exposure

Conversation

@Sairaj2033

Copy link
Copy Markdown
Contributor

Linked Issue

Fixes #206

Description

Critical Security Patch: Fixed an authorization vulnerability in controllers/examController.js. Previously, GET /api/exams/:id lacked an ownership check, allowing any authenticated teacher to view the correctAnswer keys for exams created by other teachers. An authorization layer has been added to ensure that only the original authoring teacher or a system administrator can access the unfiltered exam document containing the sensitive answer keys.

Type of Change

  • Security patch
  • Bug fix

Contributor for ECSoC & ELUSOC 2026 🚀

@Sairaj2033

Copy link
Copy Markdown
Contributor Author

@Sitaram8472 here is the fix for issue , you can review it

@Sitaram8472

Copy link
Copy Markdown
Owner

solve merge conflicts @Sairaj2033

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ECSoC_2026 & ELUSoC_2026 Security: Exam Answer Keys Exposed to All Teachers

2 participants