Fix dwc access control #11278
Thanks for the PR @AlanWierzchonCA - please could you reach out to me on Slack at https://mautic.org/slack as I need to chat with you about this issue.
Works as expected, after applying the PR I am correctly getting a 403 if I try to hit the create new / delete.
Please also see the PHPSTAN issues which need some attention :)
Codecov Report
```diff
@@ Coverage Diff @@
##               4.4   #11278      +/-   ##
============================================
+ Coverage     49.37%   49.54%   +0.17%
  Complexity    35401    35401
============================================
  Files          2144     2144
  Lines        105532   105533       +1
============================================
+ Hits          52102    52283     +181
+ Misses        53430    53250     -180
```
Thanks for this! Please check my comments if it makes sense. I also suggested the fixes for PHPSTAN issues.
```php
if (!$this->get('mautic.security')->isGranted('dynamiccontent:dynamiccontents:deleteown')
    && !$this->get('mautic.security')->isGranted('dynamiccontent:dynamiccontents:deleteother')) {
```
I'm wondering how the code can know whether the entity can be deleted based on "own" or "other" permissions when the security service doesn't know who created the entity. Shouldn't we use the hasEntityAccess method instead?
Isn't that exact check slightly below this one, on line 493?
Hi @escopecz,
On lines 482 and 483 the code checks whether the logged-in user has general permission to delete their own or others' dynamic content.
If not, the user should not know whether the entity exists or not. It should get 403, not 401.
On line 493 there is a check based on an existing entity ID.
Is it necessary to check it twice? It seems like a code duplication to me.
Ok, so how do we check whether we can return 404 based on validation with hasEntityAccess on line 493?
> It should get 403, not 401.

I mean "...not 404" (not found).
Here is an example of how "not found" is implemented for landing pages:
But this example does not check whether the user has permission to find out whether the entity exists or not.
No entity in Mautic checks whether the user has permission to find out whether the entity exists or not. I wouldn't over-complicate this :)
Yes, security issues are sometimes overcomplicated and the Department of Security gives many absurd points.
As you wish, I have removed this access check :)
Review threads on app/bundles/DynamicContentBundle/Tests/Controller/DynamicContentControllerFunctionalTest.php (resolved).
Branch force-pushed from 83a25da to f992a95.
Hi @escopecz, @RCheesley, I just made the fixes and answered the questions.
Amazing! The code is good to go and the tests are amazing! Thank you for taking care of this and for being patient with me. 👍
One last thing so this can be tested and merged. Can you please rebase it on top of 5.x branch and if you want to back-port it to Mautic 4 as well then create a duplicate PR against the 4.4 branch?
Branch force-pushed from f05adbc to e1f941d.
Description:
A user without privileges can create and delete 'Dynamic Content'.
Steps to test this PR:
1. Create a new Role with only Dynamic Content permissions:
   - Dynamic Content: User has access to View Own and View Others
2. Create a new User with the created Role
3. Log in with the created User
4. Request GET https://8080-alanwierzchonca-mautic-h31qcblosf3.ws-eu47.gitpod.io/s/dwc/new
5. Request POST https://8080-alanwierzchonca-mautic-h31qcblosf3.ws-eu47.gitpod.io/s/dwc/delete/1
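The test steps above and the review exchange about a general permission check versus an entity-level hasEntityAccess check can be modelled in a few lines. The following is an added example and is not Mautic's code nor part of this PR: the permission prefix `dynamiccontent:dynamiccontents:` is taken from the PR snippet, but the level names (`viewown`, `viewother`, `create`, `deleteown`, `deleteother`), the `User`, `DynamicContent` and `Repo` classes, the action functions and the numeric status codes are assumptions for illustration and do not mirror Mautic's API. It goes one step beyond the page by showing what the order of the two checks changes for a caller without delete permission.

```python
"""Model of the two-stage access check discussed in the PR (added example,
not Mautic code). Permission level names, classes and status codes are
assumptions for illustration only."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

PREFIX = "dynamiccontent:dynamiccontents:"  # prefix seen in the PR snippet


@dataclass(frozen=True)
class User:
    id: int
    perms: FrozenSet[str]

    def is_granted(self, level: str) -> bool:
        """Coarse check: does the role carry this permission at all?"""
        return PREFIX + level in self.perms


@dataclass(frozen=True)
class DynamicContent:
    id: int
    created_by: int  # user id of the owner


@dataclass
class Repo:
    items: Dict[int, DynamicContent]

    def find(self, entity_id: int) -> Optional[DynamicContent]:
        return self.items.get(entity_id)


def has_entity_access(user: User, own: str, other: str, owner_id: int) -> bool:
    """Entity-level check in the spirit of hasEntityAccess: the 'other'
    permission covers any owner, the 'own' permission only the caller's rows."""
    if user.is_granted(other):
        return True
    return user.is_granted(own) and owner_id == user.id


def new_action(user: User) -> int:
    """GET /s/dwc/new: deny before rendering the form when the role cannot create."""
    return 200 if user.is_granted("create") else 403


def delete_action(user: User, repo: Repo, entity_id: int, coarse_first: bool = True) -> int:
    """POST /s/dwc/delete/{id}. With coarse_first=True the general
    deleteown/deleteother check runs before the entity lookup, so a caller
    with no delete permission always sees 403 and learns nothing about which
    ids exist. With coarse_first=False only the entity-level check runs, and
    the same caller can tell existing ids (403) from missing ones (404)."""
    if coarse_first and not (user.is_granted("deleteown") or user.is_granted("deleteother")):
        return 403
    entity = repo.find(entity_id)
    if entity is None:
        return 404
    if not has_entity_access(user, "deleteown", "deleteother", entity.created_by):
        return 403
    return 200


def fixture():
    """Constructed sample data mirroring the PR's test steps: a viewer role with
    only View Own / View Others, plus an owner who may delete their own content."""
    viewer = User(2, frozenset({PREFIX + "viewown", PREFIX + "viewother"}))
    owner = User(1, frozenset({PREFIX + "viewown", PREFIX + "deleteown"}))
    repo = Repo({1: DynamicContent(1, created_by=1), 2: DynamicContent(2, created_by=3)})
    return viewer, owner, repo


def existence_oracle(user: User, repo: Repo, present: int, missing: int, coarse_first: bool) -> bool:
    """True when the caller can distinguish an existing id from a missing one."""
    return delete_action(user, repo, present, coarse_first) != delete_action(user, repo, missing, coarse_first)


if __name__ == "__main__":
    viewer, owner, repo = fixture()
    print("viewer GET /s/dwc/new:", new_action(viewer))                         # 403
    print("viewer POST /s/dwc/delete/1:", delete_action(viewer, repo, 1))       # 403
    print("oracle, coarse check first:", existence_oracle(viewer, repo, 1, 999, True))   # False
    print("oracle, entity check only:", existence_oracle(viewer, repo, 1, 999, False))  # True
```

With the view-only role from the test steps, both the create and the delete route return 403 regardless of the id, which is the behaviour the reviewer confirmed after applying the PR; the `coarse_first=False` variant is there only to make the existence-oracle argument from the review thread concrete.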