fix security check and question_json bug in async mode

Author: sethbern

bases/rsptx/assignment_server_api/assignment_builder/src/components/routes/AssignmentBuilder/components/exercises/AssignmentExercisesList/AssignmentExercisesTable.tsx

@@ -365,7 +365,7 @@ export const AssignmentExercisesTable = ({
                 <Dropdown
                   className="editable-table-dropdown"
                   value={data.use_llm && hasApiKey ? "LLM" : "Standard"}
-                  onChange={(e) => updateAssignmentQuestions([{ ...data, use_llm: e.value === "LLM" }])}
+                  onChange={(e) => updateAssignmentQuestions([{ ...data, question_json: JSON.stringify(data.question_json), use_llm: e.value === "LLM" }])}
                   options={[
                     { label: "Standard", value: "Standard" },
                     { label: "LLM", value: "LLM", disabled: !hasApiKey }

bases/rsptx/web2py_server/applications/runestone/controllers/peer.py

@@ -155,7 +155,14 @@ def dashboard():
 def toggle_async():
     response.headers["content-type"] = "application/json"
     assignment_id = request.vars.assignment_id
+    if not assignment_id:
+        return json.dumps({"ok": False, "error": "missing assignment_id"})
     assignment = db(db.assignments.id == assignment_id).select().first()
+    if not assignment:
+        return json.dumps({"ok": False, "error": "assignment not found"})
+    course = db(db.courses.course_name == auth.user.course_name).select().first()
+    if not course or assignment.course != course.id:
+        return json.dumps({"ok": False, "error": "assignment does not belong to your course"})
     new_value = not (assignment.peer_async_visible or False)
     db(db.assignments.id == assignment_id).update(peer_async_visible=new_value)
     db.commit()