From 1aa4c7690892fb458d2c61ff86739f368e34769d Mon Sep 17 00:00:00 2001
From: Joy Song <85699876+jhs-panda@users.noreply.github.com>
Date: Sun, 24 Nov 2024 14:46:55 -0500
Subject: [PATCH] Merge commit from fork
---
 app/controllers/users_controller.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index adcd6b0c..e0bc0573 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -165,6 +165,11 @@ def edit
 action_auth_level :download_all_submissions, :student
 def download_all_submissions
 user = User.find(params[:id])
+ # user can only download their own submissions
+ if user != current_user
+ flash[:error] = "Permission denied: You are not allowed to download submissions of this user."
+ redirect_to(user_path(current_user)) && return
+ end
 submissions = if params[:final]
 Submission.latest.where(course_user_datum: CourseUserDatum.where(user_id: user))
 else
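Review bot: The lookup `User.find(params[:id])` still runs on a caller-supplied id before the new ownership check, so a non-existent id typically raises a not-found error while an existing one gets the redirect, which lets any student tell valid user ids apart. Since the check only ever allows the caller's own record, the comparison could run ahead of the lookup, e.g. `if params[:id].to_s != current_user.id.to_s` followed by the same flash and redirect, so no other user's row is loaded. The check also denies everyone but the owner, including administrators and instructors; if they previously relied on this action (not visible from the hunk), that needs an explicit exemption and a comment saying so. A controller test that requests another user's id and asserts the redirect with no archive sent would pin the fix, since the commit changes only the controller. The body of `download_all_submissions` continues past the end of the hunk.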