From caae69e0dd948fb8c35e92977ce40ca03c64bcbb Mon Sep 17 00:00:00 2001
From: Christoph Thelen <christoph.thelen@mni.thm.de>
Date: Sat, 29 Nov 2014 11:18:38 +0100
Subject: [PATCH] Do not trust users when they provide an object

---
 src/main/java/de/thm/arsnova/services/QuestionService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/java/de/thm/arsnova/services/QuestionService.java b/src/main/java/de/thm/arsnova/services/QuestionService.java
index 406be88d0..4c1b2c2d8 100644
--- a/src/main/java/de/thm/arsnova/services/QuestionService.java
+++ b/src/main/java/de/thm/arsnova/services/QuestionService.java
@@ -436,12 +436,13 @@ public class QuestionService implements IQuestionService, ApplicationEventPublis
 	@PreAuthorize("isAuthenticated()")
 	public Answer updateAnswer(final Answer answer) {
 		final User user = userService.getCurrentUser();
-		if (user == null || !user.getUsername().equals(answer.getUser())) {
+		final Answer realAnswer = this.getMyAnswer(answer.getQuestionId());
+		if (user == null || realAnswer == null || !user.getUsername().equals(realAnswer.getUser())) {
 			throw new UnauthorizedException();
 		}
 
 		final Question question = getQuestion(answer.getQuestionId());
-		final Answer result = databaseDao.updateAnswer(answer);
+		final Answer result = databaseDao.updateAnswer(realAnswer);
 		final Session session = databaseDao.getSessionFromKeyword(question.getSessionKeyword());
 		this.publisher.publishEvent(new NewAnswerEvent(this, result, user, question, session));
 
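Review bot: The new code persists `realAnswer`, the copy loaded via `getMyAnswer(...)`, but nothing between the authorization check and `databaseDao.updateAnswer(realAnswer)` transfers any field from the caller-supplied `answer` onto it, so as written the update appears to store the already-stored answer unchanged and the user's edit is dropped along with the forged fields. The safer shape is to keep `realAnswer` as the persisted object and copy only the fields a user is legitimately allowed to change (the answer content, not the user, question id or timestamps) from `answer` onto it just before the DAO call; which setters those are is not visible in this hunk, so the exact lines depend on the `Answer` class. Note also that `user == null` is only checked after `getMyAnswer` has already been called, so if that helper itself relies on the current user it may fail before `UnauthorizedException` is reached — worth a comment or reordering the null check ahead of the lookup. The body of `updateAnswer` continues past the end of the hunk.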
-- 
GitLab