Prevent impersonation of other users when casting votes. 2025 -> 2026

Author: sezanzeb

backend/src/controllers/rating-controller.ts

@@ -55,6 +55,11 @@ export class RatingController {
     @CurrentUser() user: User,
   ): Promise<RatingDTO> {
     const rating = convertBetweenEntityAndDTO(ratingDTO, Rating);
+
+    // Ensure ratings cannot be cast for other users,
+    // write the requesting user into it.
+    rating.user = user;
+
     const createdRating = await this._ratings.createRating(rating, user);
     return convertBetweenEntityAndDTO(createdRating, RatingDTO);
   }

backend/src/services/rating-service.ts

@@ -217,5 +217,9 @@ export class RatingService implements IRatingService {
     if (team.users.includes(user.id.toString())) {
       throw new ForbiddenError("You can't rate your own project")
     }
+
+    if (rating.user.id !== user.id) {
+      throw new ForbiddenError("You can't rate as a different user");
+    }
   }
 }

backend/test/controllers/rating-controller.spec.ts

@@ -48,9 +48,9 @@ describe("RatingController", () => {
   describe("authorization", () => {
     let server: http.Server;
     let port: number;
-    let httpRatingService: MockedService<IRatingService>;
-    let httpSettingsService: MockedService<ISettingsService>;
-    let httpUserService: MockedService<IUserService>;
+    let ratingService: MockedService<IRatingService>;
+    let settingsService: MockedService<ISettingsService>;
+    let userService: MockedService<IUserService>;
 
     const rootUser = Object.assign(new User(), { id: 1, role: UserRole.Root });
     const regularUser = Object.assign(new User(), { id: 2, role: UserRole.User });
@@ -61,20 +61,20 @@ describe("RatingController", () => {
     };
 
     beforeAll(async () => {
-      httpRatingService = new MockRatingService();
-      httpSettingsService = new MockSettingsService();
-      httpUserService = new MockUserService();
+      ratingService = new MockRatingService();
+      settingsService = new MockSettingsService();
+      userService = new MockUserService();
 
-      httpUserService.mocks.findUserByLoginToken.mockImplementation(
+      userService.mocks.findUserByLoginToken.mockImplementation(
         async (token: string) => tokenMap[token] ?? null,
       );
 
-      const httpService = new HttpService(null as any, null as any, httpUserService.instance);
+      const httpService = new HttpService(null as any, null as any, userService.instance);
 
       useContainer({
         get(target: Function) {
           if (target === RatingController) {
-            return new RatingController(httpSettingsService.instance, httpRatingService.instance);
+            return new RatingController(settingsService.instance, ratingService.instance);
           }
           return new (target as any)();
         },
@@ -111,27 +111,34 @@ describe("RatingController", () => {
     });
 
     it("allows requests from User-role users", async () => {
-      expect.assertions(1);
+      expect.assertions(2);
 
-      httpRatingService.mocks.createRating.mockResolvedValue({} as any);
+      ratingService.mocks.createRating.mockResolvedValue({} as any);
 
       const response = await fetch(`http://localhost:${port}/api/ratings/rate`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
           Authorization: "Bearer user-token",
         },
-        body: JSON.stringify({ data: {} }),
+        body: JSON.stringify({ data: { rating: 3, project: { id: 1 }, criterion: { id: 2 } } }),
       });
 
-      // Authorization passed; any status other than 403 is acceptable here
-      expect(response.status).not.toBe(403);
+      expect(response.status).toBe(200);
+      expect(ratingService.mocks.createRating).toHaveBeenCalledWith(
+        expect.objectContaining({
+          project: expect.objectContaining({ id: 1 }),
+          user: expect.objectContaining({ id: regularUser.id }),
+          criterion: expect.objectContaining({ id: 2 }),
+        }),
+        regularUser,
+      );
     });
 
     it("passes authorization for admin (Root) users", async () => {
       expect.assertions(1);
 
-      httpRatingService.mocks.createRating.mockResolvedValue({} as any);
+      ratingService.mocks.createRating.mockResolvedValue({} as any);
 
       const response = await fetch(`http://localhost:${port}/api/ratings/rate`, {
         method: "POST",

backend/test/services/rating-service.spec.ts

@@ -175,6 +175,28 @@ describe("RatingService", () => {
           BadRequestError,
         );
       });
+
+      it("is forbidden to impersonate other users", async () => {
+        expect.assertions(1);
+
+        settingsService.mocks.getSettings.mockResolvedValue(
+          { application: { allowRatingProjects: true } } as any
+        );
+
+        mockProjectsRepo.findOneBy.mockResolvedValue(mockProject);
+        mockTeamsRepo.findOneBy.mockResolvedValue(mockTeam);
+        mockRatingsRepo.findOne.mockResolvedValue(null);
+
+        mockRating.user = {
+          ...mockUser,
+          id: 1234
+        };
+
+        await expect(ratingService.createRating(mockRating, mockUser)).rejects.toThrow(
+          ForbiddenError,
+        );
+      });
+
     });
   });
 

backup/admit.html

@@ -558,7 +558,7 @@
                                                         we're happy to let you
                                                         know that you'll be
                                                         going to be part of
-                                                        <b>Hackaburg 2025! </b>
+                                                        <b>Hackaburg 2026! </b>
                                                       </p>
                                                       <p style="margin: 0"> </p>
                                                       <p style="margin: 0">

frontend/src/components/base/dialog.tsx

@@ -41,7 +41,7 @@ export const SimpleDialog = (props: SimpleDialogProps) => {
       <DialogTitle>Invite a friend to join</DialogTitle>
       <DialogContent>
         <DialogContentText id="alert-dialog-description">
-          Please feel free to invite a friend to join Hackaburg 2025. You can
+          Please feel free to invite a friend to join Hackaburg 2026. You can
           use the following link to invite them.
           <div>
             <TextField
@@ -71,7 +71,7 @@ export const SimpleDialog = (props: SimpleDialogProps) => {
                 WhatsApp
               </MuiButton>
               <MuiButton
-                href="mailto:?subject=Hackaburg 2025&body=I am visiting Hackaburg this year! Join me at https://hackaburg.de"
+                href="mailto:?subject=Hackaburg 2026&body=I am visiting Hackaburg this year! Join me at https://hackaburg.de"
                 variant="outlined"
                 startIcon={<MdOutlineMail />}
                 style={{

frontend/src/components/pages/criterion.tsx

@@ -0,0 +1,100 @@
+import React, { useState } from "react";
+import {
+  Stack,
+  FormControl,
+  RadioGroup,
+  FormControlLabel,
+  Radio,
+  Button,
+  Alert,
+  Typography,
+  Tooltip,
+} from "@mui/material";
+import { api } from "../../hooks/use-api";
+import { useLoginContext } from "../../contexts/login-context";
+
+export const CriterionRating = ({
+  criterion,
+  project,
+}) => {
+  const loginState = useLoginContext();
+  const { user } = loginState;
+
+  const [rating, setRating] = useState<string>("3");
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const handleSubmit = async () => {
+    setIsSubmitting(true);
+    setError(null);
+
+    console.log({ criterion, user, project })
+
+    await api.createRating({
+      criterion: {
+        Id: criterion.id
+      },
+      rating: parseInt(rating),
+      user: {
+        id: user.id
+      },
+      project: {
+        id: project.id
+      },
+    });
+    onRatingSubmitted?.();
+
+    setIsSubmitting(false);
+  };
+
+  return (
+    <div
+      style={{
+        border: "1px solid grey", "border-radius": "5px",
+        padding: "10px",
+        margin: "1rem auto"
+      }}
+    >
+      <Stack
+        direction={{ xs: "column", sm: "row" }}
+        spacing={{ xs: 1, sm: 4 }}
+        alignItems={{ xs: "flex-start", sm: "center" }}
+        justifyContent="center"
+      >
+        <Tooltip title={criterion.description}>
+          <Typography variant="h6" sx={{ cursor: "help" }}>
+            {criterion.title}
+          </Typography>
+        </Tooltip>
+
+        <FormControl component="fieldset">
+          <RadioGroup
+            row
+            value={rating}
+            onChange={(e) => setRating(e.target.value)}
+          >
+            {[1, 2, 3, 4, 5].map((value) => (
+              <FormControlLabel
+                key={value}
+                value={value.toString()}
+                control={<Radio disabled={isSubmitting} />}
+                label={value.toString()}
+              />
+            ))}
+          </RadioGroup>
+        </FormControl>
+
+        <Button
+          variant="contained"
+          onClick={handleSubmit}
+          disabled={isSubmitting}
+          sx={{ alignSelf: { xs: "stretch", sm: "auto" } }}
+        >
+          {isSubmitting ? "Submitting..." : "Submit"}
+        </Button>
+      </Stack>
+
+      {error && <Alert severity="error">{error}</Alert>}
+    </div>
+  );
+};

frontend/src/components/pages/read-only-project.tsx

@@ -6,10 +6,11 @@ import { Page } from "./page";
 import { Button } from "../base/button";
 import { RoundedImage } from "../base/image";
 import { Divider } from "../base/divider";
-import { useApi } from "../../hooks/use-api";
+import { useApi, api } from "../../hooks/use-api";
 import { useLoginContext } from "../../contexts/login-context";
 import { TeamDTO } from "../../api/types/dto";
 import { PageHeader } from "../base/page-header";
+import { CriterionRating } from "./criterion";
 
 const HeaderContainer = styled(NonGrowingFlexContainer)`
   justify-content: space-between;
@@ -29,6 +30,31 @@ export const ReadOnlyProject = ({ project }) => {
   const [description, setDescription] = React.useState("");
   const [image, setImage] = React.useState("");
   const [allowRating, setAllowRating] = React.useState(false);
+  const [criteria, setCriteria] = React.useState([]);
+  const [allUsers, setAllUsers] = React.useState([]);
+
+  React.useEffect(() => {
+    if (project) {
+      setId(project.id);
+      setTitle(project.title);
+      setDescription(project.description);
+      setImage(project.image);
+      setAllowRating(project.allowRating);
+    }
+  }, [project]);
+
+  React.useEffect(
+    () => {
+      api.getAllUsers().then((allUsers) => {
+        setAllUsers(allUsers)
+      });
+
+      api.getAllCriteria().then((criteria) => {
+        setCriteria(criteria)
+      });
+    },
+    []
+  );
 
   const {
     value: didUpdateProject,
@@ -54,28 +80,13 @@ export const ReadOnlyProject = ({ project }) => {
     [id, title, description, image, allowRating],
   );
 
-  const { value: allUsers } = useApi(
-    async (apiClient) => apiClient.getAllUsers(),
-    [],
-  );
-
   const handleSubmit = React.useCallback((event: React.SyntheticEvent) => {
     event.preventDefault();
   }, []);
 
   const updateProjectDone =
     Boolean(didUpdateProject) && !updateProjectInProgress && !updateProjectError;
 
-  React.useEffect(() => {
-    if (project) {
-      setId(project.id);
-      setTitle(project.title);
-      setDescription(project.description);
-      setImage(project.image);
-      setAllowRating(project.allowRating);
-    }
-  }, [project]);
-
   return (
     <Page>
       <PageHeader pageTitle={project?.title}/>
@@ -90,6 +101,15 @@ export const ReadOnlyProject = ({ project }) => {
           <p>{project?.description}</p>
         </FlexRowContainer>
       </div>
+      <div>
+        <h2 style={{ "margin-top": "4rem" }}>Rate this Project</h2>
+        Hover the criterion for more information.
+        Rate criteria high, if you think the project did well in this regard.
+        {criteria.map(criterion => <CriterionRating
+          criterion={criterion}
+          project={project}
+        />)}
+      </div>
     </Page>
   );
 };

frontend/src/components/pages/status.tsx

@@ -98,7 +98,7 @@ export const Status = () => {
                 <InternalLink to={Routes.ProfileForm}>
                   profile form
                 </InternalLink>
-                , any time between <b>01.03.205 - 31.04.2025</b>
+                , any time between <b>01.03.2026 - 31.04.2026</b>
               </Text>
             </>
           )}
@@ -145,14 +145,14 @@ export const Status = () => {
             <>
               <Text style={{ fontSize: "1.15rem" }}>
                 We will come back to you and send you a acceptance mail until{" "}
-                <b>01.05.2025</b>.
+                <b>01.05.2026</b>.
               </Text>
             </>
           )}
           {user?.confirmed && (
             <>
               <Text style={{ fontSize: "1.15rem" }}>
-                Congratulations! You got accepted for Hackaburg 2025. 🎉
+                Congratulations! You got accepted for Hackaburg 2026. 🎉
               </Text>
             </>
           )}
@@ -173,7 +173,7 @@ export const Status = () => {
             <>
               <Text style={{ fontSize: "1.15rem" }}>
                 If you got accepted, you need to confirm your spot until{" "}
-                <b>08.05.2025</b>
+                <b>08.05.2026</b>
                 {user?.admitted && (
                   <>
                     {" "}

frontend/src/components/routers/sidebar/sidebar.tsx

@@ -106,7 +106,7 @@ export const Sidebar = () => {
         <H1 style={{ color: "white" }}>HACKABURG</H1>
         <H2 style={{ color: "white" }}>CONTROL CENTER</H2>
         <p style={{ color: "white" }}>
-          All important information about <br></br>the <b>Hackaburg 2025</b>{" "}
+          All important information about <br></br>the <b>Hackaburg 2026</b>{" "}
           event
         </p>
       </div>