
feat(security): secure segments queries #495

Merged
merged 5 commits into beta from feat/security-segments-permissions on Jul 2, 2021

Conversation

@Thenkei Thenkei commented Jun 17, 2021

Pull Request checklist:

  • Write an explicit title for the Pull Request, following Conventional Commits specification
  • Create automatic tests
  • No automatic tests failures
  • Test manually the implemented changes
  • Review my own code (indentation, syntax, style, simplicity, readability)
  • Wonder if you can improve the existing code

Comment on lines +71 to +75
refresh_rendering_cache if rendering_cache_expired?

# NOTICE: In this case we need to check that that query is allowed
if @collection_list_parameters[:segmentQuery].present?
return false unless segment_query_allowed?
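Review bot: the guard on +74 uses `.present?`, so an empty or whitespace-only `segmentQuery` skips `segment_query_allowed?` altogether; that is only safe if the code that later builds the query treats a blank `segmentQuery` exactly like an absent one. If a blank value could still reach the query builder, run the check whenever the key is supplied (for example `@collection_list_parameters.key?(:segmentQuery)`) or normalise blank values to `nil` before this point. Minor: the NOTICE comment reads "check that that query is allowed".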
Member Author

Relevant code.

Comment on lines +161 to 168
def segment_query_allowed?
segments_queries_permissions = get_segments_in_permissions

return false unless segments_queries_permissions

# NOTICE: @query_request_info matching an existing segment query
return segments_queries_permissions.include? @collection_list_parameters[:segmentQuery]
end
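Review bot: the NOTICE comment on +166 refers to `@query_request_info`, but the value actually compared is `@collection_list_parameters[:segmentQuery]`; update the comment so it matches the code. The check itself is an exact-string allowlist lookup (`include?`) that fails closed when `get_segments_in_permissions` returns nil, which is the right default for a permission check; a query that differs from the permitted one only by whitespace or formatting will therefore be rejected rather than accepted, and it is worth stating that exact-match intent in the comment so a later change does not loosen it.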
Member Author

Relevant code for checking query segments allowed

@Thenkei Thenkei assigned Thenkei and unassigned DrRaider Jul 2, 2021
@Thenkei Thenkei merged commit 571f889 into beta Jul 2, 2021
@Thenkei Thenkei deleted the feat/security-segments-permissions branch July 2, 2021 07:55
forest-bot added a commit that referenced this pull request Jul 2, 2021
# [7.0.0-beta.3](v7.0.0-beta.2...v7.0.0-beta.3) (2021-07-02)

### Features

* **security:** secure segments queries ([#495](#495)) ([571f889](571f889))
@forest-bot

🎉 This PR is included in version 7.0.0-beta.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

forest-bot added a commit that referenced this pull request Jul 20, 2021
# [7.0.0](v6.6.2...v7.0.0) (2021-07-20)

### Bug Fixes

* **dependency:** now using forestadmin-jsonapi-serializers instead of the jsonapi-serializers gem ([#475](#475)) ([3feea36](3feea36))

### chore

* **force-release:** now using forestadmin-jsonapi-serializers instead of the jsonapi-serializers gem ([#464](#464)) ([00ee2a4](00ee2a4))

### Features

* **scopes:** enforce scopes restrictions on a wider range of requests ([#488](#488)) ([66825a3](66825a3))
* smart action hooks now have access to the http request ([#499](#499)) ([5cd4a0e](5cd4a0e))
* **hooks:** developers can dynamically add or remove smart actions fields ([#465](#465)) ([970f3d8](970f3d8))
* **security:** secure segments queries ([#495](#495)) ([571f889](571f889))

### BREAKING CHANGES

* record is no longer sent to the hook middleware & the values option on smart action is no longer supported
* **hooks:** the fields parameter on the hook function is no longer a map of fields; it is now an array.
The change hook is no longer chosen by the field name; a field needs to have its hook defined inside its definition by adding a hook prop.
* **dependency:** Switch from jsonapi-serializers to forestadmin-jsonapi-serializers to serialize data to the JSONAPI format, mainly to avoid conflict with the jsonapi-serializer library
* **force-release:** Switch from jsonapi-serializers to forestadmin-jsonapi-serializers to serialize data to the JSONAPI format, mainly to avoid conflict with the jsonapi-serializer library
@forest-bot

🎉 This PR is included in version 7.0.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
