Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't let valuators update investments #3776

Merged
merged 1 commit into from
Oct 18, 2019
Merged

Don't let valuators update investments #3776

merged 1 commit into from
Oct 18, 2019

Conversation

javierm
Copy link
Member

@javierm javierm commented Oct 18, 2019

References

Background

There were some confusing definitions regarding the valuation of budget investments. In the controller, CommentableActions was included, which includes the update action, and in the abilities, a valuator was given permission to update an investment.

However, the action to update an investment didn't work because there is no route defined to do so. The ability was defined so valuators could access the "edit" action.

But then we added permission for regular users to update budget investments, and these permissions were allowing valuators to update another user's investment.

Objectives

Don't let valuators update other user's investments in the public area.

Notes

After this change, everything seems to work properly because the valuation budget investments controller has its own authorization rules, not depending on abilities. We should probably change that, but it's out of the scope of this pull request.

@javierm
Don't let valuators update investments
f5b60e0 
There were some confusing definitions regarding the valuation of budget
investments.

In the controller, `CommentableActions` was included, which includes the
update action.

In the abilities, a valuator was given permission to update an
investment.

However, the action to update an investment didn't work because there is
no route defined to do so.

The ability was defined so valuators could access the "edit" action,
which will not call the "update" action but the "valuate" action. Since
internally "edit" and "update" use the same permission, it worked.

But then we added permission for regular users to update budget
investments, and these permissions were allowing valuators to update
another user's investment.

After this change, everything seems to work properly since we check
authorization in the controller itself instead of using abilities.
@javierm javierm added the security Pull requests that address a security vulnerability label Oct 18, 2019
@javierm javierm self-assigned this Oct 18, 2019
@javierm javierm added this to Reviewing in Roadmap via automation Oct 18, 2019
@javierm javierm merged commit 11f1bee into master Oct 18, 2019
Roadmap automation moved this from Reviewing to Release 1.1.0 Oct 18, 2019
@javierm javierm deleted the valuator_edit_investment branch October 18, 2019 19:32
smarques pushed a commit to venetochevogliamo/consul that referenced this pull request Apr 29, 2020
@javierm
Merge pull request consuldemocracy#3776 from consul/valuator_edit_inv…
496a7f1 
…estment

Don't let valuators update investments
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@javierm javierm

Labels
security Pull requests that address a security vulnerability
Projects
No open projects
Roadmap
  
Release 1.1.0
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@javierm