Skip to content

Fix: prevent joining games already in progress#2626

Open
xovishnukosuri wants to merge 1 commit intoOWASP:masterfrom
xovishnukosuri:fix/prevent-joining-started-games
Open

Fix: prevent joining games already in progress#2626
xovishnukosuri wants to merge 1 commit intoOWASP:masterfrom
xovishnukosuri:fix/prevent-joining-started-games

Conversation

@xovishnukosuri
Copy link

@xovishnukosuri xovishnukosuri commented Mar 14, 2026

Summary

Fixes #2521

  • Players could join a game after it had started by navigating directly to /games/:game_id/players/new, allowing them to watch the game in real time and vote on cards without being dealt any cards themselves.
  • Added a started_at check in PlayerLive.Index.apply_action(:new, ...) to redirect users away from the join form if the game has already started.
  • Added a defense-in-depth started_at check in PlayerLive.FormComponent.save_player(:new, ...) to reject player creation even if the form was loaded before the game started (race condition).

Changes

  • copi.owasp.org/lib/copi_web/live/player_live/index.ex — check game.started_at in apply_action(:new, ...) and redirect with error flash
  • copi.owasp.org/lib/copi_web/live/player_live/form_component.ex — re-fetch game in save_player(:new, ...) and reject if started_at is set

Test plan

  • Create a game, add 3+ players, start the game
  • Try navigating to /games/:game_id/players/new — should be redirected to the game page with an error flash
  • Verify existing join flow still works for games that have not started
  • Verify edge case: open join form, then start game in another tab, then submit join form — should be rejected

🤖 Generated with Claude Code

@claude
Fix: prevent players from joining games already in progress
a98dd59 
Closes OWASP#2521. Players could join a game after it had started by
navigating directly to the join URL, allowing them to watch and vote
without being dealt any cards. This adds a started_at check in both
the join page mount (PlayerLive.Index) and the player creation handler
(PlayerLive.FormComponent) to block joining started games.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rewtd rewtd Awaiting requested review from rewtd rewtd is a code owner

@sydseter sydseter Awaiting requested review from sydseter sydseter is a code owner

@cw-owasp cw-owasp Awaiting requested review from cw-owasp cw-owasp is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: knowing a game_id allows you to join (and vote in) games already started

1 participant

@xovishnukosuri