Merge pull request QingdaoU#89 from BBBob/master

修复越权访问漏洞
maplefater · Aug 11, 2017 · cda6099 · cda6099
2 parents f51eb03 + a82f294
commit cda6099
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/contest/views.py b/contest/views.py
@@ -359,7 +359,7 @@ def contest_problem_page(request, contest_id, contest_problem_id):
     """
     contest = Contest.objects.get(id=contest_id)
     try:
-        problem = ContestProblem.objects.get(id=contest_problem_id, visible=True)
+        problem = ContestProblem.objects.get(contest=contest, id=contest_problem_id, visible=True)
     except ContestProblem.DoesNotExist:
         return error_page(request, u"比赛题目不存在")
     warning = u"您已经提交过本题的正确答案，重复提交可能造成时间累计。"