Skip to content

Fix: Enforce permissions check on challenge creation (#4859) #5018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Kitan-Dara06 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix: Enforce permissions check on challenge creation (#4859) #5018

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
82d2236
Fix: Enforce permissions check on challenge creation (#4859)
Kitan-Dara06 Feb 17, 2026
e2fba64
Fix permissions and update tests for zip creation
Kitan-Dara06 Feb 17, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions apps/challenges/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1213,6 +1213,47 @@ def create_challenge_using_zip_file(request, challenge_host_team_pk):
Creates a challenge using a zip file.
"""
challenge_host_team = get_challenge_host_team_model(challenge_host_team_pk)
print(f"\n[DEBUG] Request User: {request.user} (ID: {request.user.id})")
print(f"[DEBUG] Target Team: {challenge_host_team} (ID: {challenge_host_team.id})")

# Check what actually exists in the DB
exists = ChallengeHost.objects.filter(user=request.user, team_name=challenge_host_team).exists()
print(f"[DEBUG] Does Membership Exist? {exists}")

if exists:
m = ChallengeHost.objects.get(user=request.user, team_name=challenge_host_team)
print(f"[DEBUG] Found Membership! Status: {m.status}, Permissions: {m.permissions}")
else:
# Print ALL members of this team to see who is actually there
all_members = ChallengeHost.objects.filter(team_name=challenge_host_team)
print(f"[DEBUG] ACTUAL Team Members: {[m.user.username for m in all_members]}")

try:
membership = ChallengeHost.objects.get(
user=request.user,
team_name=challenge_host_team, # Note: The field name is 'team_name' in the model
)
except ChallengeHost.DoesNotExist:
return Response(
{"error": "You are not a member of this host team"},
status=status.HTTP_403_FORBIDDEN,
)

# 1. Check if they accepted the invite
if membership.status != ChallengeHost.ACCEPTED:
return Response(
{"error": "You must accept the team invitation first."},
status=status.HTTP_403_FORBIDDEN,
)

# 2. Check if they have ADMIN or WRITE permissions
ALLOWED_PERMISSIONS = [ChallengeHost.ADMIN, ChallengeHost.WRITE]
if membership.permissions not in ALLOWED_PERMISSIONS:
return Response(
{"error": "You do not have permission to create challenges."},
status=status.HTTP_403_FORBIDDEN,
)


if request.data.get("is_challenge_template"):
is_challenge_template = True
Expand Down