TD-4702 Download self-assessment certificate link URL can be manipulated and able to download other user valid certificates

sherif-olaboye · sherif-olaboye · commit eae4fb4348bc · 2024-09-06T16:52:43.000+01:00
diff --git a/DigitalLearningSolutions.Web/Controllers/LearningPortalController/SelfAssessment.cs b/DigitalLearningSolutions.Web/Controllers/LearningPortalController/SelfAssessment.cs
@@ -1652,26 +1652,15 @@ public IActionResult CompetencySelfAssessmentCertificate(int CandidateAssessment
         {
             int supervisorDelegateId = 0;
             var adminId = User.GetAdminId();
-           var competencymaindata = selfAssessmentService.GetCompetencySelfAssessmentCertificate(CandidateAssessmentId);
-            if ((competencymaindata == null)|| ( competencymaindata.LearnerId != User.GetUserIdKnownNotNull()) || (CandidateAssessmentId == 0))
+            var userId = User.GetUserIdKnownNotNull();
+            var competencymaindata = selfAssessmentService.GetCompetencySelfAssessmentCertificate(CandidateAssessmentId);
+            if ((competencymaindata == null)|| ( competencymaindata.LearnerId != User.GetUserIdKnownNotNull()) || (CandidateAssessmentId == 0) || (userId != competencymaindata.LearnerId))
             {
                 return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
             }
             var delegateUserId = competencymaindata.LearnerId;
-            if (vocabulary == "Supervise")
-            {
-                var supervisorDelegateDetails = supervisorService.GetSupervisorDelegateDetailsForAdminId(adminId.Value);
-             var checkSupervisorDelegate = supervisorDelegateDetails.Where(x=> x.DelegateUserID == competencymaindata.LearnerId).FirstOrDefault();
-                if (checkSupervisorDelegate == null)
-                {
-                    return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
-                }
-                var supervisorDelegate = supervisorService.GetSupervisorDelegate(User.GetAdminIdKnownNotNull(), delegateUserId);
-                supervisorDelegateId = supervisorDelegate.ID;
-            }
-            var recentResults = selfAssessmentService.GetMostRecentResults(competencymaindata.SelfAssessmentID, competencymaindata.LearnerDelegateAccountId).ToList();
+             var recentResults = selfAssessmentService.GetMostRecentResults(competencymaindata.SelfAssessmentID, competencymaindata.LearnerDelegateAccountId).ToList();
             var supervisorSignOffs = selfAssessmentService.GetSupervisorSignOffsForCandidateAssessment(competencymaindata.SelfAssessmentID, delegateUserId);
-
             if (!CertificateHelper.CanViewCertificate(recentResults, supervisorSignOffs))
             {
                 return RedirectToAction("StatusCode", "LearningSolutions", new { code = 401 });
@@ -1720,8 +1709,9 @@ public IActionResult CompetencySelfAssessmentCertificate(int CandidateAssessment
             var model = new CompetencySelfAssessmentCertificateViewModel(competencymaindata, competencycount, vocabulary, accessors, activitySummaryCompetencySelfAssesment, sumQuestions, sumVerifiedCount, supervisorDelegateId);
             return View("SelfAssessments/CompetencySelfAssessmentCertificate", model);
         }
-        [Route("DownloadCertificate")]
-        public async Task<IActionResult> DownloadCertificate(int candidateAssessmentId)
+
+        [Route("/LearningPortal/selfAssessments/{CandidateAssessmentId:int}/{vocabulary}/DownloadCertificate")]
+        public async Task<IActionResult> DownloadCertificate(int candidateAssessmentId, string vocabulary)
         {
             PdfReportStatusResponse pdfReportStatusResponse = new PdfReportStatusResponse();
             var delegateId = User.GetCandidateIdKnownNotNull();
@@ -1730,6 +1720,19 @@ public async Task<IActionResult> DownloadCertificate(int candidateAssessmentId)
             {
                 return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
             }
+            if (vocabulary == "Proficiencies")
+            {
+                var userId = User.GetUserIdKnownNotNull();
+                if(userId != competencymaindata.LearnerId ) return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
+
+            }
+            if (vocabulary == "ProfileAssessment")
+            {
+                var adminId = User.GetAdminId();
+                var supervisorDelegateDetails = supervisorService.GetSupervisorDelegateDetailsForAdminId(adminId.Value);
+                var checkSupervisorDelegate = supervisorDelegateDetails.Where(x => x.DelegateUserID == competencymaindata.LearnerId).FirstOrDefault();
+                if (checkSupervisorDelegate == null) return RedirectToAction("StatusCode", "LearningSolutions", new { code = 403 });
+            }
             var delegateUserId = competencymaindata.LearnerId;
             var competencycount = selfAssessmentService.GetCompetencyCountSelfAssessmentCertificate(candidateAssessmentId);
             var accessors = selfAssessmentService.GetAccessor(competencymaindata.SelfAssessmentID, competencymaindata.LearnerId);
@@ -1739,6 +1742,11 @@ public async Task<IActionResult> DownloadCertificate(int candidateAssessmentId)
             var competencyIds = recentResults.Select(c => c.Id).ToArray();
             var competencyFlags = frameworkService.GetSelectedCompetencyFlagsByCompetecyIds(competencyIds);
             var competencies = CompetencyFilterHelper.FilterCompetencies(recentResults, competencyFlags, null);
+            var supervisorSignOffs = selfAssessmentService.GetSupervisorSignOffsForCandidateAssessment(competencymaindata.SelfAssessmentID, delegateUserId);
+            if (!CertificateHelper.CanViewCertificate(recentResults, supervisorSignOffs))
+            {
+                return RedirectToAction("StatusCode", "LearningSolutions", new { code = 401 });
+            }
             foreach (var competency in competencies)
             {
                 competency.QuestionLabel = assessment.QuestionLabel;
diff --git a/DigitalLearningSolutions.Web/Views/LearningPortal/SelfAssessments/CompetencySelfAssessmentCertificate.cshtml b/DigitalLearningSolutions.Web/Views/LearningPortal/SelfAssessments/CompetencySelfAssessmentCertificate.cshtml
@@ -80,6 +80,7 @@
             <a class="nhsuk-button "
                asp-controller="LearningPortal"
                asp-route-candidateAssessmentId="@Model.CompetencySelfAssessmentCertificates.CandidateAssessmentID"
+               asp-route-vocabulary="@Model.VocabPlural"
                asp-action="DownloadCertificate"
                role="button">
                 Download certificate
