
Users can't view non-owner api #1605

Closed
marla-singer opened this issue Sep 21, 2016 · 4 comments

marla-singer commented Sep 21, 2016

Users can't view the API page for APIs they don't own. Is it a bug or a feature?

Steps to reproduce:

  1. Create a new user without administrator roles
  2. Go to [my api view](https://nightly.apinf.io/api/AfYunEcjD3QaEb5D7)

Actual result: the spinner keeps spinning and the API view isn't shown.

Expected result: the API view should be shown.


bajiat commented Sep 26, 2016

@frenchbread Would you be interested in this task?

@frenchbread frenchbread self-assigned this Sep 26, 2016
frenchbread commented

@bajiat self-assigned

frenchbread commented

This issue is happening because the ProxyBackend document can't be fetched, since the publication contains a user privileges check.

Here is the publication that causes this bug:

```js
import { Meteor } from 'meteor/meteor';
import { Roles } from 'meteor/alanning:roles';
import _ from 'lodash';
// Apis and ProxyBackends are the app's Mongo collections (imports omitted here)

Meteor.publish('apiProxySettings', function (apiId) {
  // TODO: determine how to use 'api.userCanEdit()' helper
  // which uses 'Meteor.userId()' instead of 'this.userId'

  // Placeholders for manager and admin checks
  let userIsManager, userIsAdmin;

  // Get current userId
  const userId = this.userId;

  // Check that user is logged in
  if (userId) {
    // Get API document (may be undefined for an unknown apiId)
    const api = Apis.findOne(apiId);

    // Check if user is API manager
    userIsManager = !!api && _.includes(api.managerIds, userId);

    // Check if user is administrator
    userIsAdmin = Roles.userIsInRole(userId, ['admin']);

    // Check if user is authorized to access API proxy settings
    if (userIsManager || userIsAdmin) {
      return ProxyBackends.find({ apiId });
    }
  }

  // Note: for a logged-out or unauthorized user this function returns
  // nothing and never calls this.ready(), so the subscription never
  // becomes ready and the client keeps waiting.
});
```

@brylie What can you suggest here? I think it's okay to return proxy backend data no matter who's viewing it (authorised or non-authorised user). If we don't want to share this publication with non-authorised users, we'll have to block access to the entire API page (e.g. redirect the user or raise a 404 page).


brylie commented Sep 29, 2016

@frenchbread we may need to call this.ready() in the else statement, so that the publication tells any waiting subscriptions that it has completed:

```js
...
// Check that user is logged in
if (userId) {
  ...
} else {
  // Tell awaiting subscriptions that publication is done
  return this.ready();
}
```


See the Meteor Guide: [Publications and Data Loading - Complex authorization](https://guide.meteor.com/data-loading.html#complex-auth)
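The following is an added example, not code from the apinf project or from anyone in this thread. It shows the shape of a publish handler that keeps the manager/admin authorization check (rather than publishing proxy backend data to everyone) while always settling the subscription, so a non-owner sees an empty result instead of an endless spinner. It models Meteor's publish context as a plain object and injects the collection and role lookups as functions (the names `findApi`, `userIsAdmin` and `findProxyBackends`, and the in-memory records, are assumptions constructed for the example), so it runs under Node without Meteor.

```javascript
// Added example (not apinf code): an authorization-checking publication
// that settles every subscription. `ctx` stands in for Meteor's `this`
// inside Meteor.publish (userId, ready()); `deps` replaces the real
// collections and Roles package with assumed lookup functions.
function publishApiProxySettings(ctx, apiId, deps) {
  const { findApi, userIsAdmin, findProxyBackends } = deps;
  const userId = ctx.userId;

  // Not logged in: publish nothing, but tell the client the publication is done.
  if (!userId) {
    ctx.ready();
    return undefined;
  }

  const api = findApi(apiId);
  if (!api) {
    // Unknown API: no document to check against, and the client must not wait forever.
    ctx.ready();
    return undefined;
  }

  const isManager = Array.isArray(api.managerIds) && api.managerIds.includes(userId);
  const isAdmin = userIsAdmin(userId);

  if (isManager || isAdmin) {
    // Returning a cursor lets Meteor publish it and mark the subscription ready.
    return findProxyBackends({ apiId });
  }

  // Authenticated but not authorized: send no data, but end the wait.
  ctx.ready();
  return undefined;
}

// Runs the publication against constructed in-memory data and reports
// what the client would observe: whether the subscription settled and
// how many documents it received.
function simulateSubscription(userId, apiId) {
  // Constructed sample data (not real apinf records).
  const apis = { api1: { _id: 'api1', managerIds: ['alice'] } };
  const proxyBackends = [{ _id: 'pb1', apiId: 'api1', proxyId: 'proxy1' }];
  const admins = new Set(['root']);

  const deps = {
    findApi: (id) => apis[id],
    userIsAdmin: (id) => admins.has(id),
    // Stands in for ProxyBackends.find({ apiId }); returns an array instead of a cursor.
    findProxyBackends: (selector) => proxyBackends.filter((d) => d.apiId === selector.apiId),
  };

  const ctx = { userId, readyCalled: false, ready() { this.readyCalled = true; } };
  const result = publishApiProxySettings(ctx, apiId, deps);
  const docs = Array.isArray(result) ? result : [];
  return {
    // The client stops waiting either when a cursor is returned or ready() is called.
    settled: ctx.readyCalled || Array.isArray(result),
    documentCount: docs.length,
  };
}

// Usage: a non-manager now gets { settled: true, documentCount: 0 }
// instead of a subscription that never becomes ready.
console.log(simulateSubscription('bob', 'api1'));
```

The point of the structure is that every path out of the handler either returns a cursor or calls `ready()`; the authorization decision only controls which of the two happens, so the access check no longer doubles as a way to hang the client.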
