From 6ea9bdb7eaada02defd470c366e047f1704a3ff2 Mon Sep 17 00:00:00 2001
From: Claude Brisson
Date: Fri, 22 Dec 2023 17:23:52 +0100
Subject: [PATCH] Add sanity checks on pairing PUT api call
---
 .../org/jeudego/pairgoth/api/PairingHandler.kt | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/api-webapp/src/main/kotlin/org/jeudego/pairgoth/api/PairingHandler.kt b/api-webapp/src/main/kotlin/org/jeudego/pairgoth/api/PairingHandler.kt
index 5c3e5dd..8edc824 100644
--- a/api-webapp/src/main/kotlin/org/jeudego/pairgoth/api/PairingHandler.kt
+++ b/api-webapp/src/main/kotlin/org/jeudego/pairgoth/api/PairingHandler.kt
@@ -63,9 +63,19 @@ object PairingHandler: PairgothApiHandler {
 // only allow last round (if players have not been paired in the last round, it *may* be possible to be more laxist...)
 if (round != tournament.lastRound()) badRequest("cannot edit pairings in other rounds but the last")
 val payload = getObjectPayload(request)
- val game = tournament.games(round)[payload.getInt("id")] ?: badRequest("invalid game id")
+ val gameId = payload.getInt("id") ?: badRequest("invalid game id")
+ val game = tournament.games(round)[gameId] ?: badRequest("invalid game id")
+ val playing = (tournament.games(round).values).filter { it.id != gameId }.flatMap {
+ listOf(it.black, it.white)
+ }.toSet()
 game.black = payload.getID("b") ?: badRequest("missing black player id")
 game.white = payload.getID("w") ?: badRequest("missing white player id")
+ val black = tournament.pairables[game.black] ?: badRequest("invalid black player id")
+ val white = tournament.pairables[game.black] ?: badRequest("invalid white player id")
+ if (black.skip.contains(round)) badRequest("black is not playing this round")
+ if (white.skip.contains(round)) badRequest("white is not playing this round")
+ if (playing.contains(black.id)) badRequest("black is already in another game")
+ if (playing.contains(white.id)) badRequest("white is already in another game")
 if (payload.containsKey("h")) game.handicap = payload.getString("h")?.toIntOrNull() ?: badRequest("invalid handicap")
 tournament.dispatchEvent(gameUpdated, Json.Object("round" to round, "game" to game.toJson()))
 return Json.Object("success" to true)
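Review bot: The added `white` lookup reads `tournament.pairables[game.black]`, so the white player id is never validated, and the skip and already-in-another-game checks for white actually run against black. It should read `tournament.pairables[game.white]`. In addition, `game.black` and `game.white` are assigned before any of the new checks, so a rejected request (badRequest appears not to return, given its use after `?:`) has already changed the stored game. Nothing rejects the same id being sent for both `b` and `w`, since `playing` excludes the current game. The fence below validates into locals first and assigns only at the end; the enclosing function begins and ends outside this hunk.

```kotlin
// … unchanged: gameId / game lookup and the `playing` set …
val blackId = payload.getID("b") ?: badRequest("missing black player id")
val whiteId = payload.getID("w") ?: badRequest("missing white player id")
if (blackId == whiteId) badRequest("black and white must be different players")
val black = tournament.pairables[blackId] ?: badRequest("invalid black player id")
val white = tournament.pairables[whiteId] ?: badRequest("invalid white player id")
// … unchanged: the four skip / already-playing checks …
// mutate the stored game only after every check has passed
game.black = blackId
game.white = whiteId
// … unchanged: handicap handling, event dispatch, return …
```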