Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUU] Add missing permission check on product actions #12868

Merged
merged 1 commit into from
Sep 18, 2024
Merged

[BUU] Add missing permission check on product actions #12868

merged 1 commit into from
Sep 18, 2024

Conversation

rioug
Copy link
Collaborator

@rioug rioug commented Sep 18, 2024

What? Why?

Some of the Bulk product edit page actions where missing permission check, so someone could potentially delete product they are not managing. This PR add the missing permission checks

NOTE, this PR #12867 will make unauthorised error more obvious to the user

What should we test?

This should probably be tested by a dev, as it requires use of the developer tools

As an enterprise user :

  • Navigate to Bulk Product Edit page
  • Open the developer tools, update a clone link href , and add a product id the current user isn't managing
  • With the developer tool console open, Click on the updated clone link
  • in the developer tools console, you should see an unauthorised error, and the page will reload

Release notes

Changelog Category (reviewers may add a label for the release notes):

  • User facing changes
  • API changes (V0, V1, DFC or Webhook)
  • Technical changes only
  • Feature toggled

The title of the pull request will be included in the release notes.

Dependencies

Documentation updates

@rioug rioug added the user facing changes Thes pull requests affect the user experience label Sep 18, 2024
@rioug
Copy link
Collaborator Author

rioug commented Sep 18, 2024

See result of the test below :

updated_link

Updated the clone link to point to id 27 which the user is not allowed to managed

after_click_link

Result in 401 error in the console

chahmedejaz
chahmedejaz approved these changes Sep 18, 2024
View reviewed changes
Copy link
Collaborator

@chahmedejaz chahmedejaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks for adding these checks. Now we are going to be hack-proof 😬

@sigmundpetersen sigmundpetersen added the dev-test A dev need to test this one label Sep 18, 2024
@dacook dacook self-requested a review September 18, 2024 06:46
dacook
dacook approved these changes Sep 18, 2024
View reviewed changes
Copy link
Member

@dacook dacook left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, it's wonderful to have a request spec for products_v3_controller.

Hopefully next time we work on these we can add some specs for success cases also.

It's worth noting that these specs don't check if the actions themselves weren't prevented (eg the record could still get deleted and we wouldn't know). But at least we're testing more than before.

spec/requests/admin/products_v3_spec.rb
include AuthenticationHelper

let(:user) { create(:user) }
let(:headers) { { Accept: "text/vnd.turbo-stream.html" } }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, it would be nice if the turbo gem gave us shortcuts like it does for controller specs (format: :turbo_stream)

spec/requests/admin/products_v3_spec.rb
end
end

describe "DELETE /admin/product_v3/destroy_variant/:id" do
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hum, I think destroy_variant should have been on a variant controller.. but that's nothing to do with this PR of course.

spec/requests/admin/products_v3_spec.rb

expect(response).to redirect_to('/unauthorized')
end
end
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I notice that we're not checking that the product wasn't actually deleted.

@dacook
Copy link
Member

dacook commented Sep 18, 2024

I think there's no need for further dev testing ✅

I would say it's "Technical changes only", because it's not something a user can see without hacking.

@sigmundpetersen sigmundpetersen changed the title [BUU ]Add missing permission check on buu actions [BUU] Add missing permission check on buu actions Sep 18, 2024
@dacook dacook added technical changes only These pull requests do not contain user facing changes and are grouped in release notes and removed user facing changes Thes pull requests affect the user experience labels Sep 18, 2024
@dacook dacook changed the title [BUU] Add missing permission check on buu actions [BUU] Add missing permission check on product actions Sep 18, 2024
@dacook dacook merged commit 4822a9e into openfoodfoundation:master Sep 18, 2024
58 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dacook dacook dacook approved these changes

@chahmedejaz chahmedejaz chahmedejaz approved these changes

Assignees

@rioug rioug

Labels
dev-test A dev need to test this one technical changes only These pull requests do not contain user facing changes and are grouped in release notes
Projects
OFN Delivery board
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rioug @dacook @chahmedejaz @sigmundpetersen