From f4ee28c618f0989beff70ca72e59073d29639e88 Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 15 Dec 2016 13:05:59 -0700 Subject: [PATCH 1/5] allow non-admin folks to list their comments --- client/coral-framework/actions/user.js | 2 +- routes/api/comments/index.js | 23 +++++++++++++++++++---- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/client/coral-framework/actions/user.js b/client/coral-framework/actions/user.js index 69f4882bb..0ee8659d8 100644 --- a/client/coral-framework/actions/user.js +++ b/client/coral-framework/actions/user.js @@ -32,7 +32,7 @@ export const saveBio = (user_id, formData) => dispatch => { export const fetchCommentsByUserId = userId => { return (dispatch) => { dispatch({type: actions.COMMENTS_BY_USER_REQUEST}); - return coralApi(`/comments?user_id${userId}`) + return coralApi(`/comments?user_id=${userId}`) .then(({comments, assets}) => { comments.forEach(comment => dispatch(addItem(comment, 'comments'))); diff --git a/routes/api/comments/index.js b/routes/api/comments/index.js index 8f21a9488..a14b6bba0 100644 --- a/routes/api/comments/index.js +++ b/routes/api/comments/index.js @@ -9,7 +9,7 @@ const _ = require('lodash'); const router = express.Router(); -router.get('/', authorization.needed('admin'), (req, res, next) => { +router.get('/', (req, res, next) => { const { status = null, @@ -18,6 +18,18 @@ router.get('/', authorization.needed('admin'), (req, res, next) => { user_id = null } = req.query; + // everything on this route requires admin privileges besides listing comments for owner of said comments + if (!authorization.has(req.user, 'admin') && !user_id) { + next(authorization.ErrNotAuthorized); + return; + } + + // only return comment lists for the owner of the comments + if (req.user.id !== user_id) { + next(authorization.ErrNotAuthorized); + return; + } + /** * This adds the asset_id requirement to the query if the asset_id is defined. */ @@ -31,10 +43,13 @@ router.get('/', authorization.needed('admin'), (req, res, next) => { let query; - if (status) { - query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status)); - } else if (user_id) { + // the check for user_id MUST be first here. + // otherwise this will be a vulnerability if you pass user_id and something else, + // the app will return admin-level data without the proper checks + if (user_id) { query = Comment.findByUserId(user_id); + } else if (status) { + query = assetIDWrap(Comment.findByStatus(status === 'new' ? null : status)); } else if (action_type) { query = Comment .findIdsByActionType(action_type) From 39fdd168fae3d07e0210fb6be8a5e5ead4ee08ff Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 15 Dec 2016 13:18:28 -0700 Subject: [PATCH 2/5] admins can still view all comment streams --- routes/api/comments/index.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/routes/api/comments/index.js b/routes/api/comments/index.js index a14b6bba0..90b8b40f2 100644 --- a/routes/api/comments/index.js +++ b/routes/api/comments/index.js @@ -24,8 +24,8 @@ router.get('/', (req, res, next) => { return; } - // only return comment lists for the owner of the comments - if (req.user.id !== user_id) { + // if the user is not an admin, only return comment list for the owner of the comments + if (req.user.id !== user_id && !authorization.has(req.user, 'admin')) { next(authorization.ErrNotAuthorized); return; } From 1ea284d4282bc98f2c7cfdce4e7cc0360dd4c70b Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 15 Dec 2016 13:43:06 -0700 Subject: [PATCH 3/5] remove fromJS call --- client/coral-framework/reducers/user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/client/coral-framework/reducers/user.js b/client/coral-framework/reducers/user.js index 6e9f3529c..6bdf2a9d6 100644 --- a/client/coral-framework/reducers/user.js +++ b/client/coral-framework/reducers/user.js @@ -34,9 +34,9 @@ export default function user (state = initialState, action) { return state .set('settings', action.settings); case actions.COMMENTS_BY_USER_SUCCESS: - return state.set('myComments', fromJS(action.comments)); + return state.set('myComments', action.comments); case assetActions.MULTIPLE_ASSETS_SUCCESS: - return state.set('myAssets', fromJS(action.assets)); + return state.set('myAssets', action.assets); default : return state; } From 6f0de84144671bc9d8c8118bd0993d25a5c3d4ca Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 15 Dec 2016 14:03:54 -0700 Subject: [PATCH 4/5] fix lint --- client/coral-framework/reducers/user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/coral-framework/reducers/user.js b/client/coral-framework/reducers/user.js index 6bdf2a9d6..bd5f78e87 100644 --- a/client/coral-framework/reducers/user.js +++ b/client/coral-framework/reducers/user.js @@ -1,4 +1,4 @@ -import {Map, fromJS} from 'immutable'; +import {Map} from 'immutable'; import * as authActions from '../constants/auth'; import * as actions from '../constants/user'; import * as assetActions from '../constants/assets'; From 203d35e6d10b7281e02aae0b77c21f6239b1549f Mon Sep 17 00:00:00 2001 From: Riley Davis Date: Thu, 15 Dec 2016 14:33:33 -0700 Subject: [PATCH 5/5] link to comment instead of article --- client/coral-plugin-history/Comment.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/coral-plugin-history/Comment.js b/client/coral-plugin-history/Comment.js index c54a0feef..37a93df13 100644 --- a/client/coral-plugin-history/Comment.js +++ b/client/coral-plugin-history/Comment.js @@ -6,7 +6,7 @@ const Comment = props => { return (