
fix: remove permission for Guest to list users #1028

Merged
merged 3 commits into from
Aug 31, 2022

Conversation

nguyen102 (Contributor)

Issue #, if available:

Description of changes:
fix: remove permission for Guest to list users

Checklist:

  • Have you successfully deployed to an AWS account with your changes?
  • Have you written new tests for your core changes, as applicable?
  • Have you successfully tested with your changes locally?
  • If new dependencies have been added, have they been pinned to specific versions?
  • Is this change also required on the AWS Solution version?
  • Have you updated openapi.yaml if you made updates to API definition (including add, delete or update parameter and request data schema)?
  • If you had to run manual tests, have you considered automating those tests by adding them to end-to-end tests?
  • If you are updating the changelog and vending out a new release, have you updated versionNumber and versionDate in .defaults.yml?

AS review ticket id:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@nguyen102 nguyen102 requested a review from a team as a code owner August 31, 2022 20:16
@nguyen102 nguyen102 changed the base branch from mainline to develop August 31, 2022 20:17

@kpark277 kpark277 left a comment


Does this break any e2e tests? So guests can still reach the Users tab, but they will just get an empty table?

kpark277 previously approved these changes Aug 31, 2022

codecov bot commented Aug 31, 2022

Codecov Report

Merging #1028 (4330da8) into develop (a60b89f) will increase coverage by 6.20%.
The diff coverage is n/a.

❗ Current head 4330da8 differs from pull request most recent head e05561b. Consider uploading reports for the commit e05561b to get more accurate results


@@             Coverage Diff             @@
##           develop    #1028      +/-   ##
===========================================
+ Coverage    51.70%   57.90%   +6.20%     
===========================================
  Files          295      177     -118     
  Lines        16895    11271    -5624     
  Branches      2628     1726     -902     
===========================================
- Hits          8735     6527    -2208     
+ Misses        7170     4223    -2947     
+ Partials       990      521     -469     
Impacted Files                                     Coverage   Δ
lib/utils/composite-error.js                       6.97%      <0.00%> (-9.31%) ⬇️
lib/user/user-service.js                           64.61%     <0.00%> (-5.98%) ⬇️
src/helpers/api.js                                 0.00%      <0.00%> (-0.86%) ⬇️
src/helpers/settings.js                            100.00%    <0.00%> (ø)
src/models/forms/AddUserForm.js                    100.00%    <0.00%> (ø)
src/helpers/errors.js
lib/helpers/transforms.js
lib/environment-type/env-type-candidate-service.js
lib/steps/__test__/__fixtures__/cloudformation.js
lib/utils/metric.js
... and 117 more


Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update a60b89f...e05561b.

@@ -49,6 +51,13 @@ class UserAuthzService extends Service {
}

// Protected methods
async authorizeList(requestContext) {
if (requestContext.principal.userRole === 'guest') {
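Review bot: the deny at the top of authorizeList is a single string comparison against 'guest', and the thread below establishes that internal guests carry a distinct role value, so as written the hunk denies one guest kind and silently allows the other. Prefer a set of denied roles (e.g. `const DENIED = new Set(['guest', 'internal-guest'])` and `if (DENIED.has(requestContext.principal.userRole))`) over adding a second `||` clause, and add a unit test per role value so a future role rename cannot reopen the listing. The hunk also reads `requestContext.principal.userRole` without guarding against a missing principal; a request with no principal should be denied rather than throw.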
Is there a differentiation between internal v.s. external guest here?


@SanketD92 SanketD92 Aug 31, 2022


Yes, both are different. @nguyen102 should we add internal guest here as well?

@nguyen102 nguyen102 (author)

Good catch. I updated the code to deny access for internal-guest as well.
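
The pattern the review thread settles on, as an added example that is not the project's code: a list-users authorizer that denies every guest role from one set and fails closed when no principal role is present. The role values 'guest' and 'internal-guest' come from the hunk and the discussion above; the 'admin' role, the function's return shape and the checkRoles helper are assumptions made for the example.

```javascript
// Added example, not code from the awslabs project. Roles that must never
// list users; 'guest' is from the hunk, 'internal-guest' from the thread.
const DENIED_LIST_ROLES = new Set(['guest', 'internal-guest']);

// Assumed return shape: { effect: 'allow' | 'deny', reason?: string }.
// A missing or non-string role is treated as deny (fail closed) instead of
// throwing on requestContext.principal being undefined.
function authorizeList(requestContext) {
  const principal = requestContext && requestContext.principal;
  const role = principal && principal.userRole;
  if (typeof role !== 'string') {
    return { effect: 'deny', reason: 'missing principal role' };
  }
  if (DENIED_LIST_ROLES.has(role)) {
    return { effect: 'deny', reason: `role ${role} may not list users` };
  }
  return { effect: 'allow' };
}

// Helper (assumed, for tests): evaluate several role values at once so a
// unit test can pin the decision for every role the service knows about.
function checkRoles(roles) {
  return roles.map((userRole) => authorizeList({ principal: { userRole } }).effect);
}

// Sample (constructed) run: 'admin' is an assumed non-guest role.
console.log(checkRoles(['guest', 'internal-guest', 'admin']));
```

Keeping the denied roles in one set makes the second guest kind a one-token change rather than a second `||` clause, and the `typeof` guard covers the unauthenticated-request path that a bare `requestContext.principal.userRole` dereference would turn into an exception.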

@nguyen102 nguyen102 merged commit e88eca4 into awslabs:develop Aug 31, 2022
@nguyen102 nguyen102 deleted the fix/guest-user-access branch June 5, 2023 19:13