Fix upload image error for merchant store owner #2918
Merged
12 commits
bb27df0 Fix security.defineMethod's incorrect call of getShopId (impactmass)
0738ca6 Merge branch 'marketplace' into seun-fix-image-upload (impactmass)
badb44a Merge branch 'marketplace' into seun-fix-image-upload (impactmass)
aee33e4 Merge branch 'marketplace' into seun-fix-image-upload (spencern)
728e7ba Merge branch 'marketplace' into seun-fix-image-upload (spencern)
60f782c Merge branch 'marketplace' into seun-fix-image-upload (spencern)
a2983ce Merge branch 'marketplace' into seun-fix-image-upload (spencern)
1c9f221 Pass userId to ifShopIdMatchesThisId and ifShopIdMatches; add comments (impactmass)
6ab000b Merge branch 'marketplace' into seun-fix-image-upload (impactmass)
c5cc4bc Merge branch 'marketplace' into seun-fix-image-upload (spencern)
5045b38 Merge branch 'marketplace' into seun-fix-image-upload (spencern)
38ffb9b Merge branch 'marketplace' into seun-fix-image-upload (spencern)
This is a great catch - I thought that `getShopId` was finding the user preferred shop, but it seems that there was a case with CFS uploads where the correct shopId was not getting found. Presumably because Meteor.userId() was not available. Thanks for adding the comments too. 👍
Adding a separate security review here because this code directly affects allow/deny methods:

This update from using the default `getShopId` to passing in the `userId` changes the shop that the passed in role (`arg.role`) is being checked for. This results in the user's active shop being checked against in cases where that shop is different than the default shop.

Any place where we're `allow`ing db operations from the client has potential to be a security hole, so it's imperative that we're checking both that a user has the correct role - which this is doing for the active shop, and that the document being updated belongs to the shop that we are checking the role of the user for. As long as those two things are in alignment, we shouldn't see any security vulnerabilities such as permitting a user with a role for `shopA` to affect a document that belongs to `shopB`.

In this PR, we're changing `ifFileBelongsToShop` as well as `ifHasRoleForActiveShop`, but we're not changing `ifShopIdMatches` or `ifShopIdMatchesThisId`.

My only concern here would be that somehow we end up checking the user roles against `shopA` and checking that a document belongs to a different shop, `shopB`, which would permit a user to perform an operation against a file they don't own.

I believe that we should update `ifShopIdMatches` and `ifShopIdMatchesThisId` to have the `userId` explicitly passed as well, even though they are likely getting the correct shopId anyway.
Thanks. I'll get back to this shortly asap
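The alignment requirement raised in the security review above, modelled as an added example that is not code from this PR or from the project. The `getShopId` and `hasRole` bodies, both allow functions and the sample users and files are simplified stand-ins written for this illustration; the assumption is that a shop lookup without a `userId` falls back to a default shop.

```javascript
// Added illustration; every function body and value here is hypothetical.
const DEFAULT_SHOP = "shopA";

// Constructed sample data: role grants are scoped per shop.
const users = {
  u1: { activeShop: "shopB", roles: { shopB: ["createProduct"] } },
  u2: { activeShop: "shopA", roles: { shopA: ["createProduct"] } },
};

// Resolve a shop from an explicit userId. With no user context the lookup
// falls back to the default shop (assumed behaviour for this example).
function getShopId(userId) {
  const user = users[userId];
  return user ? user.activeShop : DEFAULT_SHOP;
}

function hasRole(userId, role, shopId) {
  const user = users[userId];
  return Boolean(user && (user.roles[shopId] || []).includes(role));
}

// Misaligned rule: the role is checked for the user's active shop, but
// document ownership is checked against a shop resolved without the userId.
function allowMisaligned(userId, role, doc) {
  return hasRole(userId, role, getShopId(userId)) && doc.shopId === getShopId();
}

// Aligned rule: resolve the shop once and use it for both checks.
function allowAligned(userId, role, doc) {
  const shopId = getShopId(userId);
  return hasRole(userId, role, shopId) && doc.shopId === shopId;
}

const fileInShopA = { _id: "f1", shopId: "shopA" }; // constructed
const fileInShopB = { _id: "f2", shopId: "shopB" }; // constructed

// u1 holds the role only in shopB. The misaligned rule lets u1 write the
// shopA file and rejects u1's own shopB file; the aligned rule does the reverse.
for (const doc of [fileInShopA, fileInShopB]) {
  console.log(doc.shopId,
    "misaligned:", allowMisaligned("u1", "createProduct", doc),
    "aligned:", allowAligned("u1", "createProduct", doc));
}
```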