Restrict Access to Apps/API Keys #99

Closed
1 task done
nelsonic opened this issue Sep 7, 2020 · 5 comments
Assignees
Labels
chore a tedious but necessary task often paying technical debt enhancement New feature or enhancement of existing functionality T1h Time Estimate 1 Hour technical A technical issue that requires understanding of the code, infrastructure or dependencies

Comments

@nelsonic
Member

nelsonic commented Sep 7, 2020

At present we allow anyone to view any App/API Key:

```elixir
# Every action loads the App by the id from the URL and operates on it
# without checking who is asking: any logged-in person can reach any App.
def show(conn, %{"id" => id}) do
  app = App.get_app!(id)
  render(conn, "show.html", app: app)
end

def edit(conn, %{"id" => id}) do
  app = App.get_app!(id)
  changeset = App.change_app(app)
  render(conn, "edit.html", app: app, changeset: changeset)
end

def update(conn, %{"id" => id, "app" => app_params}) do
  app = App.get_app!(id)

  case App.update_app(app, app_params) do
    {:ok, app} ->
      conn
      |> put_flash(:info, "App updated successfully.")
      |> redirect(to: Routes.app_path(conn, :show, app))

    {:error, %Ecto.Changeset{} = changeset} ->
      render(conn, "edit.html", app: app, changeset: changeset)
  end
end

def delete(conn, %{"id" => id}) do
  app = App.get_app!(id)
  {:ok, _app} = App.delete_app(app)

  conn
  |> put_flash(:info, "App deleted successfully.")
  |> redirect(to: Routes.app_path(conn, :index))
end
```

These are the default CRUD functions created in #95.
We need to allow only the person that created the App/API Key (and the superadmin) to view/edit/update/delete it.

Todo

  • Create a helper function that automatically rejects the request if person is not allowed to view/edit/update/delete the content.
@nelsonic nelsonic added enhancement New feature or enhancement of existing functionality T1h Time Estimate 1 Hour chore a tedious but necessary task often paying technical debt technical A technical issue that requires understanding of the code, infrastructure or dependencies labels Sep 7, 2020
@nelsonic nelsonic changed the title Prevent People from Viewing Apps they don't Own Restrict Access to Apps/API Keys Sep 7, 2020
@nelsonic nelsonic self-assigned this Sep 8, 2020
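One way to implement the helper from the todo above (example code added here, not the project's own): a controller plug that loads the App and halts the request unless the current person owns it or is a superadmin. It assumes the logged-in person is in `conn.assigns.person` with `:id` and `:role` fields and that the App schema has a `:person_id` owner column; `App.get_app!/1` and `Routes.app_path/3` are the calls already used in the issue's controller.

```elixir
# Added example, not the project's own code.
# Assumptions (not on the page): conn.assigns.person holds the authenticated
# person (%{id: ..., role: ...}); the App schema has a :person_id owner column.
defmodule AppWeb.Plugs.AuthorizeApp do
  import Plug.Conn
  import Phoenix.Controller, only: [put_flash: 3, redirect: 2]

  alias AppWeb.Router.Helpers, as: Routes

  def init(opts), do: opts

  # Only runs for actions that carry an :id (show/edit/update/delete).
  def call(%Plug.Conn{params: %{"id" => id}} = conn, _opts) do
    app = App.get_app!(id)
    person = conn.assigns[:person]

    if authorized?(person, app) do
      # Hand the already-authorized app to the action so it is not reloaded.
      assign(conn, :app, app)
    else
      # Reject and stop the pipeline; the controller action never runs.
      conn
      |> put_flash(:error, "You are not permitted to access this App.")
      |> redirect(to: Routes.app_path(conn, :index))
      |> halt()
    end
  end

  def call(conn, _opts), do: conn

  # Allowed only for the owner of the App or a superadmin.
  defp authorized?(nil, _app), do: false
  defp authorized?(%{role: "superadmin"}, _app), do: true
  defp authorized?(%{id: person_id}, %{person_id: person_id}), do: true
  defp authorized?(_person, _app), do: false
end

# In AppWeb.AppController, run the plug before the protected actions and
# read the app the plug loaded instead of fetching it again.
#
#   plug AppWeb.Plugs.AuthorizeApp when action in [:show, :edit, :update, :delete]
#
#   def show(conn, _params) do
#     render(conn, "show.html", app: conn.assigns.app)
#   end
```

With the plug in place, a request for another person's App id redirects to the index before any action code runs, and the same check covers edit, update and delete without repeating it in each function.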
@nelsonic
Member Author

nelsonic commented Sep 8, 2020

This is what I will be working on tomorrow morning ... ⏳
But for now ... 😴

@nelsonic
Member Author

nelsonic commented Sep 9, 2020

A non-admin person should only be able to see their own App(s) http://localhost:4000/apps

Currently, they can see everyone's Apps ...
Let's fix that!

@nelsonic
Member Author

Non-admin can only see their own app:

Admin can see all apps:

might add some detail to this table to help differentiate apps in the future.
But for now the restriction works which is what I wanted/needed. ✅

@th0mas
Collaborator

th0mas commented Sep 14, 2020

Access to roles is not currently restricted, allowing anyone to create/edit/delete roles for any app - I'm guessing this isn't intended behaviour?

@nelsonic
Member Author

Hi @th0mas! Longer-term we don't want everyone seeing everyone else's roles, agreed.
If you don't mind, please open a new/separate issue specific to Roles so we can address it.
Thanks! ☀️
