Search function exposes data leakage and a security issue

[ernsyn]

Hi Matt,

First of all, good work on 21-points. Been using your project to learn up on JHipster and it really helps.

Anyway, was going through the code and it occurred to me that even if I'm logged in as myself (john), and if I go to "Daily Points" and do a search with the following search parameter - o*, all points that match that parameter will appear. Not just mine. (See screenshot below)

I was even able to edit the fields of a Point entry that belongs to others and save successfully. (I reverted what I edited so as not to tamper with other user's data).

So there are 2 issues here -

1. Searching allows a user to search for all items that belongs to all users; not just himself/herself (Not sure how to fix this)
2. Once I was able to see other user's data, I was able to edit and save successfully. (Should be easily fixable)

[mraible]

You are correct. This is a problem we should fix. The code should be similar to what I used in my JHipster 5 tutorial: https://github.com/mraible/jhipster5-demo/blob/master/README.adoc#lock-it-down

…

On Oct 26, 2018, at 09:26, ernsyn ***@***.***> wrote: Hi Matt, First of all, good work on 21-points. Been using your project to learn up on JHipster and it really helps. Anyway, was going through the code and it occurred to me that even if I'm logged in as myself (john), and if I go to "Daily Points" and do a search with the following search parameter - o*, all points that match that parameter will appear. Not just mine. (See screenshot below) I was even able to edit the fields of a Point entry that belongs to others and save successfully. (I reverted what I edited so as not to tamper with other user's data). So there are 2 issues here - Searching allows a user to search for all items that belongs to all users; not just himself/herself (Not sure how to fix this) Once I was able to see other user's data, I was able to edit and save successfully. (Should be easily fixable) — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or mute the thread.

[ernsyn]

I looked through the link you shared. This fixes issue number 2. Any idea how issue number 1 can be fixed?

[ruddell]

You can use the below QueryBuilder to restrict based on the current username if not an admin (same as the getAllPoints endpoint):

BoolQueryBuilder queryBuilder = QueryBuilders.boolQuery().must(queryStringQuery(query));
if (!SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.ADMIN)) {
    queryBuilder = queryBuilder.filter(matchQuery("user.login", SecurityUtils.getCurrentUserLogin().get()));
}
Page<Points> page = pointsSearchRepository.search(queryBuilder, pageable);

[ernsyn]

Thanks @ruddell . Tried it and it works like a charm.

@mraible I'd be happy to provide a PR for this if you do not have the time for ti. Do let me know.

Cheers.

[mraible]

@ernsyn A PR would be great. I'm trying to crawl my way out of a mountain of email after being on the road for two weeks.

[ernsyn]

@mraible no problem. I'll come up with a PR as soon as possible.

[ernsyn]

Sorry for not doing the PR earlier @mraible. Was planning to do so this weekend. Thanks for closing this issue.

[mraible]

No worries! I found the time and enjoyed the experience. 😊

…

On Nov 1, 2018, at 18:26, ernsyn ***@***.***> wrote: Sorry for not doing the PR earlier @mraible. Was planning to do so this weekend. Thanks for closing this issue. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.