From 55fa1e7670b3905430c441dbb34e8c15e72ead5c Mon Sep 17 00:00:00 2001
From: Linus Gasser
Date: Thu, 15 Feb 2024 09:04:49 +0100
Subject: [PATCH] Don't let non-form-owner add voters

Also adds a test in the script directory to make sure this doesn't pass anymore.

Closes #81
---
 scripts/.gitignore | 1 +
 scripts/local_forms.sh | 1 +
 scripts/test_admin_nonowner_addvote.sh | 42 ++++++++++++++++++++++++++
 web/backend/src/controllers/users.ts | 6 ++++
 4 files changed, 50 insertions(+)
 create mode 100644 scripts/.gitignore
 create mode 100755 scripts/test_admin_nonowner_addvote.sh

diff --git a/scripts/.gitignore b/scripts/.gitignore
new file mode 100644
index 000000000..f1c040d8e
--- /dev/null
+++ b/scripts/.gitignore
@@ -0,0 +1 @@
+formid.env
diff --git a/scripts/local_forms.sh b/scripts/local_forms.sh
index 1cb5bcdde..24aa138c5 100755
--- a/scripts/local_forms.sh
+++ b/scripts/local_forms.sh
@@ -6,6 +6,7 @@ SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
 echo "add form"
 RESP=$(curl -sk "$FRONTEND_URL/api/evoting/forms" -X POST -H 'Content-Type: application/json' -b cookies.txt --data-raw $'{"Configuration":{"Title":{"En":"Colours","Fr":"","De":""},"Scaffold":[{"ID":"A7GsJxVJ","Title":{"En":"Colours","Fr":"","De":""},"Order":["GhidLIfw"],"Ranks":[],"Selects":[{"ID":"GhidLIfw","Title":{"En":"RGB","Fr":"","De":"RGB"},"MaxN":3,"MinN":1,"Choices":["{\\"en\\":\\"Red\\",\\"de\\":\\"Rot\\"}","{\\"en\\":\\"Green\\",\\"de\\":\\"Gr\xfcn\\"}","{\\"en\\":\\"Blue\\",\\"de\\":\\"Blau\\"}"],"Hint":{"En":"","Fr":"","De":"RGB"}}],"Texts":[],"Subjects":[]}]}}')
 FORMID=$(echo "$RESP" | jq -r .FormID)
+echo "FORMID=$FORMID" > "$SCRIPT_DIR/formid.env"
 echo "add permissions - it's normal to have a timeout error after this command"
 curl -k "$FRONTEND_URL/api/evoting/authorizations" -X PUT -H 'Content-Type: application/json' -b cookies.txt --data "$(jq -cn --arg FormID $FORMID '$ARGS.named')" -m 1
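Review bot: The added line in local_forms.sh writes the server-supplied FormID into formid.env unquoted, and the new test script later loads that file with `.`, so any shell metacharacters in the returned value would be executed rather than stored; `printf 'FORMID=%q\n' "$FORMID" > "$SCRIPT_DIR/formid.env"` writes a value that round-trips safely through sourcing. If the POST fails, `jq -r .FormID` yields `null` or an empty string and the file is still written, leaving a stale id for the sourcing script; `[[ -n "$FORMID" && "$FORMID" != null ]] || exit 1` before the write would stop that. The hunk may be missing a blank context line (the header counts 6 old lines, 5 are visible), so the exact position of the new line relative to surrounding whitespace is inferred.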
diff --git a/scripts/test_admin_nonowner_addvote.sh b/scripts/test_admin_nonowner_addvote.sh
new file mode 100755
index 000000000..26966496d
--- /dev/null
+++ b/scripts/test_admin_nonowner_addvote.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+"$SCRIPT_DIR/run_local.sh"
+
+. "$SCRIPT_DIR/local_vars.sh"
+SECOND_ADMIN=123321
+echo "Adding $SECOND_ADMIN to admin"
+(cd web/backend && npx ts-node src/cli.ts addAdmin --sciper $SECOND_ADMIN | grep -v Executing)
+
+"$SCRIPT_DIR/local_proxies.sh"
+"$SCRIPT_DIR/local_forms.sh"
+
+. "$SCRIPT_DIR/formid.env"
+
+tmp_dir=$(mktemp -d)
+trap 'rm -rf -- "tmpdir"' EXIT
+
+tmp_cookie_owner="$tmp_dir/cookie_owner"
+curl -k "$FRONTEND_URL/api/get_dev_login/$REACT_APP_SCIPER_ADMIN" -X GET -c "$tmp_cookie_owner" -o /dev/null -s
+tmp_cookie_nonowner="$tmp_dir/cookie_nonowner"
+curl -k "$FRONTEND_URL/api/get_dev_login/$SECOND_ADMIN" -X GET -c "$tmp_cookie_nonowner" -o /dev/null -s
+
+echo "This should fail with an error that we're not allowed"
+tmp_output="$tmp_dir/output"
+curl -s 'http://localhost:3000/api/add_role' \
+ -H 'Content-Type: application/json' \
+ --data-raw "{\"userId\":444555,\"subject\":\"$FORMID\",\"permission\":\"vote\"}" \
+ -b "$tmp_cookie_nonowner" 2>&1 | tee "$tmp_output"
+echo
+
+if ! grep -q "not owner of form" "$tmp_output"; then
+ echo
+ echo "ERROR: Reply should be 'not owner of form'"
+ exit 1
+fi
+
+echo "This should pass for the owner of the form"
+curl 'http://localhost:3000/api/add_role' \
+ -H 'Content-Type: application/json' \
+ --data-raw "{\"userId\":444555,\"subject\":\"$FORMID\",\"permission\":\"vote\"}" \
+ -b "$tmp_cookie_owner"
+echo
diff --git a/web/backend/src/controllers/users.ts b/web/backend/src/controllers/users.ts
index f5239df05..2b0a6f71b 100644
--- a/web/backend/src/controllers/users.ts
+++ b/web/backend/src/controllers/users.ts
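Review bot: `trap 'rm -rf -- "tmpdir"' EXIT` removes a literal path named tmpdir in the working directory, not `$tmp_dir`, so the directory holding the two session cookie files is never cleaned up; it should read `trap 'rm -rf -- "${tmp_dir:?}"' EXIT`. The negative case only greps the body for "not owner of form" and never checks the HTTP status or whether the grant was actually refused, so a backend that sends the error text but still records the policy would pass; capture the status with `curl -s -o "$tmp_output" -w '%{http_code}' ...` and fail unless it is 4xx, and check the owner-side call at the end for success too, since its result is currently ignored. The two add_role requests hard-code `http://localhost:3000` while the login requests use `$FRONTEND_URL`; using the variable throughout keeps the test pointed at a single backend. With no `set -euo pipefail`, a failing helper script (e.g. local_forms.sh leaving formid.env unset) is silently ignored and the later assertions run against an empty `$FORMID`.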
@@ -28,6 +28,12 @@ usersRouter.post('/add_role', (req, res, next) => {
 return;
 }
 
+ if (req.body.permission === 'vote') {
+ if (!isAuthorized(req.session.userId, req.body.subject, PERMISSIONS.ACTIONS.OWN)) {
+ res.status(400).send('Unauthorized - not owner of form');
+ }
+ }
+
 addPolicy(req.body.userId, req.body.subject, req.body.permission)
 .then(() => {
 res.set(200).send();
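Review bot: The new ownership check sends the 400 but does not return, so for a non-owner the handler still falls through to `addPolicy(req.body.userId, req.body.subject, req.body.permission)` on the next line and the vote role is granted anyway; only the response text differs, which is exactly what the accompanying test greps for, so the test passes while the policy is still written. The denial branch needs `return;` after the send, and a denied authorization is conventionally 403 rather than 400: `res.status(403).send('Unauthorized - not owner of form'); return;` (the test matches on the substring, so the message can stay). Logging the denied userId and subject there would give operators a detection signal for repeated attempts. Whether `isAuthorized` is synchronous is not visible in this hunk; if it returns a Promise the negated condition is always false and the check never fires, so confirm against its definition. The handler body begins before line 28, outside the hunk.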