diff --git a/app/Http/Controllers/JudgingController.php b/app/Http/Controllers/JudgingController.php
index 17a1eaf..9c9132f 100644
--- a/app/Http/Controllers/JudgingController.php
+++ b/app/Http/Controllers/JudgingController.php
@@ -51,8 +51,9 @@ class JudgingController extends Controller
 public function saveScoreSheet(Request $request, Entry $entry)
 {
- Gate::authorize('create', [ScoreSheet::class, $entry]);
- // TODO verify user is assigned to judge this audition
+ if ($request->user()->cannot('judge', $entry->audition)) {
+ abort(403, 'You are not assigned to judge this entry');
+ }
 $scoringGuide = $entry->audition->scoringGuide()->with('subscores')->first();
 $scoreValidation = $scoringGuide->validateScores($request->input('score'));
 if ($scoreValidation != 'success') {
@@ -81,6 +82,9 @@ class JudgingController extends Controller
 public function updateScoreSheet(Request $request, Entry $entry)
 {
+ if ($request->user()->cannot('judge', $entry->audition)) {
+ abort(403, 'You are not assigned to judge this entry');
+ }
 $scoreSheet = ScoreSheet::where('user_id', Auth::id())->where('entry_id', $entry->id)->first();
 if (! $scoreSheet) {
 return redirect()->back()->with('error', 'Attempt to edit non existent entry');
@@ -112,6 +116,9 @@ class JudgingController extends Controller
 protected function advancementVote(Request $request, Entry $entry)
 {
+ if ($request->user()->cannot('judge', $entry->audition)) {
+ abort(403, 'You are not assigned to judge this entry');
+ }
 if ($entry->for_advancement and auditionSetting('advanceTo')) {
 $request->validate([
diff --git a/resources/views/judging/entry_score_sheet.blade.php b/resources/views/judging/entry_score_sheet.blade.php
index 2e32c93..58fec8c 100644
--- a/resources/views/judging/entry_score_sheet.blade.php
+++ b/resources/views/judging/entry_score_sheet.blade.php
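Review bot: The new guard in saveScoreSheet replaces `Gate::authorize('create', [ScoreSheet::class, $entry]);` rather than adding to it, so anything the ScoreSheet `create` policy enforced beyond judge assignment (the policy itself is not in this diff, so this is unverified) is no longer checked on this route. If that policy only duplicated the assignment check the removal is fine; if it also covered state such as whether scoring is still open, keep both by re-adding `Gate::authorize('create', [ScoreSheet::class, $entry]);` after the new `if`. The same three-line guard is pasted into updateScoreSheet and advancementVote as well; `Gate::authorize('judge', $entry->audition);`, the style this file already uses, expresses it in one line and still yields a 403, though the custom message would then come from the policy response instead of the `abort` call. The body of saveScoreSheet continues past the end of the hunk.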
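Review bot: In updateScoreSheet the new guard identifies the caller via `$request->user()` while the ownership lookup on the very next line uses `Auth::id()`; two accessors for the same principal in adjacent lines invite divergence if a non-default guard is ever used on this route. Read the identity once, e.g. `$scoreSheet = ScoreSheet::where('user_id', $request->user()->id)->where('entry_id', $entry->id)->first();`, so the assignment check and the ownership query demonstrably refer to the same user. updateScoreSheet continues past the end of the hunk.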
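Review bot: advancementVote is `protected`, so it is presumably reached only from the public actions above, both of which now perform the identical `cannot('judge', …)` check; the guard here then executes a second time per request. That is harmless as defence in depth, but a short comment such as `// Re-checked here so the method stays safe if it is ever routed to directly` would tell the next reader the repetition is intentional rather than an oversight. The method's body continues past the end of the hunk.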
@@ -1,6 +1,4 @@
- {{-- TODO A user should only be able to get this form for an entry they're actually assigned to judge--}}
- @php $oldScores = session()->get('oldScores') ?? null; @endphp