From 2847a3bc5292bf5e519f5c8e6131b021e9f66422 Mon Sep 17 00:00:00 2001
From: Karol Kaczmarek <kaczla@gmail.com>
Date: Sat, 11 Jul 2020 15:18:02 +0200
Subject: [PATCH] Secure annotation results page

---
 Foundation.hs | 5 +++++
 config/routes | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/Foundation.hs b/Foundation.hs
index 7eb3948..55825bc 100644
--- a/Foundation.hs
+++ b/Foundation.hs
@@ -169,6 +169,11 @@ instance Yesod App where
     isAuthorized (ChallengeDiscussionR _) _ = regularAuthorization
     isAuthorized (ChallengeDiscussionFeedR _) _ = regularAuthorization
 
+    isAuthorized ListAnnotationsR _ = isAdmin
+    isAuthorized (AnnotationTaskR _) _ = regularAuthorization
+    isAuthorized (AnnotationTaskDecisionR _ _ _) _ = regularAuthorization
+    isAuthorized (AnnotationTaskResultsR _) _ = isAdmin
+
     isAuthorized Presentation4RealR _ = regularAuthorization
     isAuthorized PresentationPSNC2019R _ = regularAuthorization
     isAuthorized GonitoInClassR _ = regularAuthorization
diff --git a/config/routes b/config/routes
index bcee45a..3516862 100644
--- a/config/routes
+++ b/config/routes
@@ -30,7 +30,7 @@
 -- trigger by JSON payload (from e.g. GitLab or Gogs)
 /trigger-by-webhook/#Text/#Text TriggerByWebhookR POST
 
-/list-anotations ListAnnotationsR GET
+/list-annotations ListAnnotationsR GET
 /annotation/#{AnnotationTaskId} AnnotationTaskR GET
 /annotation/decision/#{AnnotationTaskId}/#{AnnotationItemId}/#{AnnotationLabelId} AnnotationTaskDecisionR POST
 /annotation/results/#{AnnotationTaskId} AnnotationTaskResultsR GET