Create Organization Security Bug #1061
Comments
Please assign this to me.
@kb-0311 You may resolve this issue using the Just apply the role directive on the createOrganization mutation like so:
@anshgoyalevil Yes but that will not be enough from a modular development perspective imo.
Along with roleDirectives in gql I will also be adding an extra utility. Also, speaking of the roleDirectives, there is a slight mistake with the thrown error -> the error should be
@kb-0311 You're changing the errors thrown by the server. If the clients check the error for different types to trigger a particular UI behaviour, you'll be breaking their functionality. Make sure to remember this.
@xoldyckk Yes, I will make sure to change the talawa-admin app and talawa-mobile app accordingly.
@xoldyckk Could you please remove the unapproved label too?
Describe the bug
In the talawa-admin portal the user needs to be a verified SUPERADMIN to get access to the portal logically. In the Dashboard of the talawa-admin portal, there is a create organization function. In short, a user needs to be a super admin to create an organization according to the logic. However, in the backend no check is provided for the user role before creating an organization, thus enabling anyone (USER, ADMIN, SUPERADMIN etc.) to create an organization.
This is a security bug.
This is security by obfuscation where capabilities are not presented to the user, but are still available.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Only super admins should be allowed to create new organizations.
Actual behavior
Right now anyone can technically create new organizations.
Potential internship candidates
Please read this if you are planning to apply for a Palisadoes Foundation internship PalisadoesFoundation/talawa#359
// Sign up as a brand new default user
// Logged in as that user
// Created a brand new organization as userType:USER
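As an added illustration (not code from the Talawa project or from anyone in this thread), the snippet below shows a minimal createOrganization resolver with the missing role check described in this issue beside a version gated on userType SUPERADMIN, the way a role directive on the mutation would gate it; the guard throws one stable error code so clients that branch on the error keep working. The in-memory user store, resolver shape and error class are constructed for the example.

```javascript
// Constructed in-memory user store keyed by the id a verified session/JWT would carry.
const users = {
  u1: { id: "u1", userType: "USER" },
  u2: { id: "u2", userType: "ADMIN" },
  u3: { id: "u3", userType: "SUPERADMIN" },
};
const organizations = [];

// One stable error code so clients that branch on it keep working after the fix.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.code = "UNAUTHORIZED";
  }
}

// Vulnerable form: checks only that the caller is logged in, not which userType.
function createOrganizationVulnerable(args, context) {
  const user = users[context.userId];
  if (!user) throw new UnauthorizedError("not authenticated");
  const org = { id: organizations.length + 1, name: args.name, creatorId: user.id };
  organizations.push(org);
  return org;
}

// Reusable guard playing the part of a role directive on the mutation:
// the userType check runs before the resolver body is reached.
function requireRole(requiredType, resolver) {
  return (args, context) => {
    const user = users[context.userId];
    if (!user) throw new UnauthorizedError("not authenticated");
    if (user.userType !== requiredType) {
      throw new UnauthorizedError(`requires ${requiredType}`);
    }
    return resolver(args, context, user);
  };
}

// Hardened form: only SUPERADMIN reaches the create logic, enforced server-side.
const createOrganization = requireRole("SUPERADMIN", (args, context, user) => {
  const org = { id: organizations.length + 1, name: args.name, creatorId: user.id };
  organizations.push(org);
  return org;
});

// Returns null when the call succeeds, otherwise the error code that was thrown.
function attempt(fn, args, context) {
  try { fn(args, context); return null; } catch (e) { return e.code || "OTHER"; }
}
```

Hiding the button in talawa-admin does nothing for the backend; the guard above is what closes the gap, and the same guard can wrap every other SUPERADMIN-only mutation.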