Skip to content
This repository was archived by the owner on Feb 17, 2019. It is now read-only.

Issue/59/put me#64

Open
slytter wants to merge 14 commits into
masterfrom
issue/59/put-me
Open

Issue/59/put me#64
slytter wants to merge 14 commits into
masterfrom
issue/59/put-me

Conversation

@slytter

@slytter slytter commented Mar 14, 2017

Copy link
Copy Markdown
Contributor

Fixes #59

@slytter

slytter commented Mar 14, 2017

Copy link
Copy Markdown
Contributor Author

Also unit test.

@kparkov kparkov left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All unit tests are failing...

@slytter

slytter commented Jun 6, 2017

Copy link
Copy Markdown
Contributor Author

Unit tests needs to be fixed.

@slytter slytter self-assigned this Jun 6, 2017
@slytter

slytter commented Jun 15, 2017

Copy link
Copy Markdown
Contributor Author

I had to merge #70 into this branch to fix unit test issues that was fixes in #70.
All unit tests are now passing.

If I am admin@users, I can post a user with any privilege, thereby creating
a security hole which allows me to gain access to everything - as long as
I can create users administratively.

The error can most likely be attributed to commenting out a central piece
of middleware:

https://github.com/bitkompagniet/mugs/pull/64/files#diff-457f38d417a80e0636ff11bb65028830L12

@kparkov kparkov left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please make edits to ensure the integrity of the security model.

Comment thread api/controllers/insert.js Outdated
requireUserAdmin(),
ensureFirstLastname(),
validateBodyRoleAssignments(),
// validateBodyRoleAssignments(),

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Be very careful when commenting out middleware inclusions. Was it just for testing purposes, or did you consider it obsolete? I have added a test that demonstrates a severe security breach when posting users administratively. Please update and run the tests.

@slytter

slytter commented Jun 21, 2017

Copy link
Copy Markdown
Contributor Author

I can't really wrap my head around this error. Lets look at it next time

@slytter

slytter commented Jul 3, 2017

Copy link
Copy Markdown
Contributor Author

When you have the time, please review the newest changes @kparkov.

filteredRoles = req.body.roles.filter((role) => {
if (typeof role === 'object') {
if (!role.scope && role.role) {
return null;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.filters callback skal returnere en boolean. Man returnerer ikke objektet, kun om det skal inkluderes i resultatet. I dette tilfælde virker det alligevel, fordi null er falsy, og role er truthy.

let addExtraRoles = null;
let filteredRoles;
if (req.body.roles) {
filteredRoles = req.body.roles.filter((role) => {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hele udsagnet kan reduceres til:

const _ = require('lodash');

filteredRoles = req.body.roles.filter((role) => !((_.isPlainObject(role) && (!role.scope && role.role)) || (_.isString(role) && role.indexOf('@') === -1)));

console.log('identity');
console.log(req.identity.roles.toArray());
console.log('role');
console.log(role);

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fjern altid console.log før merge.

}

if (addExtraRoles) req.body.roles = addExtraRoles;
// if (addExtraRoles) req.body.roles = addExtraRoles;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Efterlad ikke udkommenteret kode. Hellere bare slette det. Det findes jo i git history.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants