Skip to content
/ api Public

fix: prevent unauthorized match winner setting and add state validation#112

Open
Flegma wants to merge 3 commits intomainfrom
fix/set-match-winner-permission-and-state-validation
Open

fix: prevent unauthorized match winner setting and add state validation#112
Flegma wants to merge 3 commits intomainfrom
fix/set-match-winner-permission-and-state-validation

Conversation

@Flegma
Copy link
Contributor

@Flegma Flegma commented Mar 6, 2026

Summary

  • Fix inverted permission checks in setMatchWinner and forfeitMatch that allowed non-organizers to set winners/forfeit while blocking organizers
  • Add match state validation to setMatchWinner — rejects matches in terminal states (Finished, Canceled, Forfeit, Tie, Surrendered) or pre-start states (Scheduled, PickingPlayers)
  • Add match state validation to forfeitMatch — rejects matches already in terminal states

Closes 5stackgg/5stack-panel#312

Test plan

  • Verify non-organizer users cannot set match winner or forfeit
  • Verify organizers can set winner on active matches (WaitingForCheckIn, Veto, WaitingForServer, Live)
  • Verify setting winner is rejected on matches that haven't started or already ended
  • Verify forfeiting is rejected on matches that already ended

Flegma added 2 commits March 6, 2026 09:17
@Flegma
fix: prevent unauthorized match winner setting and add state validation
7c5ae53 
Fix inverted permission checks in setMatchWinner and forfeitMatch that
allowed non-organizers to set winners/forfeit while blocking organizers.
Add match state validation to reject winner setting on matches that
haven't started or already ended, and reject forfeiting ended matches.

Closes #312
@Flegma
refactor: extract shared terminal match status constants
6ec1a4d 
Replace duplicated terminal status strings across 4 locations in
matches.controller.ts with shared static class constants.
@Flegma Flegma requested a review from lukepolo March 6, 2026 08:26
lukepolo
lukepolo reviewed Mar 6, 2026
View reviewed changes
src/matches/matches.controller.ts Outdated
throw Error("match not found");
}

if (MatchesController.TERMINAL_OR_PRE_START_STATUSES.includes(matchToSetWinner.status)) {
Copy link
Contributor

@lukepolo lukepolo Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you should be able to set the winner in any state

Copy link
Contributor Author

@Flegma Flegma Mar 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be fixed now, check latest commit

@Flegma
fix: allow setting match winner in any state
bc6fc9e 
Remove state validation from setMatchWinner per review feedback —
organizers should be able to set the winner regardless of match state.
Remove unused TERMINAL_OR_PRE_START_STATUSES constant.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukepolo lukepolo lukepolo left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] User can set win without starting match

2 participants

@Flegma @lukepolo