Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId #3575

Merged
merged 5 commits into from
Dec 20, 2023
Merged

[AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId #3575

merged 5 commits into from
Dec 20, 2023

Conversation

r-tome
Copy link
Contributor

@r-tome r-tome commented Dec 14, 2023
edited
Loading

Type of change

- [X] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

CollectionsController.Get would throw a NotFoundException if the user was assigned to collections in multiple organizations.

Code changes

  • file.ext: Description of what was changed and why

Before you submit

  • Please check for formatting errors (dotnet format --verify-no-changes) (required)
  • If making database changes - make sure you also update Entity Framework queries and/or migrations
  • Please add unit tests where it makes sense to do so (encouraged but not required)
  • If this change requires a documentation update - notify the documentation team
  • If this change has particular deployment requirements - notify the DevOps team

@r-tome r-tome marked this pull request as ready for review December 14, 2023 15:49
@r-tome r-tome requested a review from eliykat December 14, 2023 15:49
eliykat
eliykat reviewed Dec 15, 2023
View reviewed changes
src/Api/Controllers/CollectionsController.cs Outdated
Comment on lines 612 to 615
var assignedCollections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value, FlexibleCollectionsIsEnabled);
orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId).ToList();
var readAuthorized = (await _authorizationService.AuthorizeAsync(User, orgCollections, BulkCollectionOperations.Read)).Succeeded;
if (!readAuthorized)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still think this is problematic. orgCollections will be all collections the user is assigned to for that org, but not necessarily all they have manage permissions for. So the authorizationService call could still fail.

The idea of this endpoint is "give me all the collections the user is allowed to read". If they can't read all, that basically means just the ones they have manage permissions for. If they don't have any, then it returns an empty ListResponseModel. It should basically never throw.

Therefore I think you just want to do orgCollections = assignedCollections.Where(c => c.OrganizationId == orgId && c.Manage).ToList(); without any further call to AuthorizationService.

Yes it's unfortunate that this is effectively repeating auth logic that we're trying to centralize in the handler, but handlers don't do filtering. It's breaking the abstraction a little, but I think we gotta.

Tagging @shane-melton as he was in these discussions as well.

If (if!) my suggestions here are correct, I think it would also apply to the other "filtering" endpoint here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds about right. We did have this discussion for this other endpoint here. I went ahead and did those modifications, let me know what you think.

@eliykat eliykat requested a review from shane-melton December 15, 2023 07:25
@r-tome r-tome requested review from a team as code owners December 15, 2023 15:53
@r-tome r-tome requested a review from eliykat December 15, 2023 16:21
eliykat
eliykat approved these changes Dec 18, 2023
View reviewed changes
Copy link
Member

@eliykat eliykat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! Thanks for following up on this

@r-tome r-tome changed the title Fix CollectionsController.Get auth check by just checking collections for the requested orgId [AC-1981] Fix CollectionsController.Get auth check by just checking collections for the requested orgId Dec 18, 2023
@r-tome r-tome merged commit 72ebb5e into main Dec 20, 2023
41 checks passed
@r-tome r-tome deleted the ac/ac-1139/filter-assigned-collections branch December 20, 2023 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@shane-melton shane-melton shane-melton approved these changes

@eliykat eliykat eliykat approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@r-tome @shane-melton @eliykat