
[Bug]: Git user config page can be accessed without user signed in #34603

Closed
1 task done
riteshkew opened this issue Jul 1, 2024 · 4 comments · Fixed by #34873
Labels

  • Bug: Something isn't working
  • Customer Success: Issues that the success team cares about
  • Git Platform Pod: Issues related to the git & the app platform
  • Git Product: Issues related to version control product
  • High: This issue blocks a user from building or impacts a lot of users
  • Needs Triaging: Needs attention from maintainers to triage
  • Platform Administration Pod: Issues related to platform administration & management
  • Production
  • User Profile: Issues related to a user profile

Comments

@riteshkew
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Description

When we go to app.appsmith.com/profile, the page can be accessed without the user logging in.
Ideally it should be redirected to the login page.

Steps To Reproduce

  1. Open incognito window
  2. Open app.appsmith.com/profile
  3. Go to Git user config
  4. After some time it redirects to the login page.
  5. Go back using the browser controls and it shows the form for Git user config. In a throttled environment, the page is accessible.

Public Sample App

No response

Environment

Production

Severity

High (Blocker to building or releasing)

Issue video log

No response

Version

Cloud - 1.29

@riteshkew riteshkew added Bug Something isn't working Needs Triaging Needs attention from maintainers to triage Git Product Issues related to version control product Git Platform Pod Issues related to the git & the app platform Customer Success Issues that the success team cares about User Profile Issues related to a user profile labels Jul 1, 2024
@Nikhil-Nandagopal Nikhil-Nandagopal added High This issue blocks a user from building or impacts a lot of users Production labels Jul 1, 2024
@github-actions github-actions bot added the Platform Administration Pod Issues related to platform administration & management label Jul 1, 2024
@SunnyTitus

Hi @riteshkew, @Nikhil-Nandagopal

Please find the possible solution through my findings:

"To secure the Git user config page, we need to implement route protection on the frontend using a higher-order component to check for user authentication and redirect unauthenticated users to the login page. On the backend, we will use Spring Security to ensure that only authenticated users can access the /profile endpoint. This solution ensures that sensitive configuration settings are protected from unauthorized access."

Our team will be working on this issue and will update accordingly.

@Shivam-z
Contributor

@SunnyTitus @Nikhil-Nandagopal I am picking up this issue.

Approach:
On the profile page there is a tab list with two tabs:

  • General tab (default tab)
  • Git config tab

Observation:
User -> unauthorized
When the user is on the profile page with the general tab selected by default, it shows the general tab and does not redirect to the sign-in page.

When we click on the git config tab, it redirects us to the sign-in page.

Possible Reason: when git config page mounts it calls this protected endpoint:
https://dev.appsmith.com/api/v1/git/profile/default which is missing when general tab mounts.

[Screenshot from 2024-07-10 10-00-43]

Solving Approach:
We can call this protected endpoint when the general tab page also mounts to protect this page from unauthorized users.
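The fix proposed in the two comments above (a page-level guard that checks the session on mount, rather than leaving it to the Git tab alone) as an added JavaScript example. This is not Appsmith's code and not code from either commenter; it models the behaviour described in this thread. Only the probe URL `/api/v1/git/profile/default` comes from the thread; the `/user/login` path, the `makeFetch` stub, and the function names `mountTabLevelPage`, `mountGatedPage` and `demo` are assumptions made for this example.

```javascript
// Added example, not Appsmith's code: page-level session gating for a tabbed
// profile page, modelling the bug and the fix discussed in this issue.
// Only the probe URL comes from the thread; LOGIN_PATH, the fetch stub and all
// function names are assumptions made for this example.

const PROTECTED_PROBE = "/api/v1/git/profile/default"; // endpoint named in the thread
const LOGIN_PATH = "/user/login"; // assumed login route

// Constructed stand-in for the backend: 200 for a valid session, 401 otherwise.
// Synchronous on purpose so the event order recorded below is deterministic.
function makeFetch(sessionValid) {
  return (url) => ({ url, status: sessionValid ? 200 : 401 });
}

// "Before": each tab decides for itself. The General tab never probes, and the
// Git tab paints its form first and only redirects once the probe answers,
// which is the window the reporter saw on a throttled connection.
function mountTabLevelPage({ tab, fetchFn }) {
  const log = [];
  let rendered = tab;
  log.push(`render:${tab}`);
  if (tab === "git") {
    const res = fetchFn(PROTECTED_PROBE);
    if (res.status === 401 || res.status === 403) {
      rendered = null;
      log.push(`redirect:${LOGIN_PATH}`);
    }
  }
  return { rendered, log };
}

// "After": the page, not the tab, probes a protected endpoint on mount and
// renders nothing until it has an answer, so every tab is covered the same way.
// This is a UX measure only; the server must still reject anonymous requests.
function mountGatedPage({ tab, fetchFn }) {
  const log = [];
  const res = fetchFn(PROTECTED_PROBE);
  if (res.status === 401 || res.status === 403) {
    log.push(`redirect:${LOGIN_PATH}`);
    return { rendered: null, log };
  }
  log.push(`render:${tab}`);
  return { rendered: tab, log };
}

// Run the cases from the thread for an anonymous and a signed-in visitor.
function demo() {
  const anon = makeFetch(false);
  const user = makeFetch(true);
  return {
    beforeGeneralAnon: mountTabLevelPage({ tab: "general", fetchFn: anon }),
    beforeGitAnon: mountTabLevelPage({ tab: "git", fetchFn: anon }),
    afterGeneralAnon: mountGatedPage({ tab: "general", fetchFn: anon }),
    afterGitUser: mountGatedPage({ tab: "git", fetchFn: user }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The event logs make the difference visible: in the tab-level version the anonymous visitor's General tab is rendered and never redirected, and the Git tab logs `render:git` before `redirect:/user/login`; in the gated version the redirect is the only event for an anonymous visitor, whichever tab was requested. The client-side gate improves the user experience, but the actual access control remains the backend's rejection of unauthenticated requests to the protected endpoint.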

@brayn003
Contributor

Hi @Shivam-z, thank you for showing an interest in solving this issue. Please go ahead and raise a PR, I will help you with review and testing once it is done.

@Shivam-z
Contributor

Hi @brayn003, I have raised a PR for this issue. Can you take a look at it? Thank you.
