@timyates

Previously we checked the owner of the passed-in object, but not the owner of the db object in the case of an update.

This meant that people could effectively change ownership of earned certifications from someone else to themselves.

This commit makes the change so we check both the object in flight and the object at rest for updates.
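The ownership check described above, shown as the "before" and "after" of an update path. This is an added example, not code from this pull request or the project; the `EarnedCertification` model, the `Store` class, the method names and the sample data are all hypothetical.

```python
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Raised when the caller does not own the record."""


@dataclass(frozen=True)
class EarnedCertification:  # hypothetical model, not the project's class
    id: int
    member_id: str  # owner of the record
    name: str


class Store:
    def __init__(self, rows):
        self.rows = {r.id: r for r in rows}

    def update_in_flight_only(self, actor, incoming):
        # "Before" behaviour: only the passed-in object's owner is checked.
        if incoming.member_id != actor:
            raise Forbidden("passed-in object is not owned by caller")
        self.rows[incoming.id] = incoming
        return incoming

    def update_checked(self, actor, incoming):
        # "After" behaviour: check the object at rest, then the one in flight.
        stored = self.rows.get(incoming.id)
        if stored is None:
            raise KeyError(incoming.id)
        if stored.member_id != actor:
            raise Forbidden("stored object is not owned by caller")
        if incoming.member_id != actor:
            raise Forbidden("passed-in object is not owned by caller")
        self.rows[incoming.id] = incoming
        return incoming


def sample_store():
    # Constructed sample data: record 1 belongs to alice.
    return Store([EarnedCertification(1, "alice", "Example Cert")])


def attempt_takeover(update_name):
    """bob submits alice's record naming himself as owner; return the stored owner."""
    store = sample_store()
    forged = replace(store.rows[1], member_id="bob")
    try:
        getattr(store, update_name)("bob", forged)
    except Forbidden:
        pass
    return store.rows[1].member_id
```

With the in-flight-only check the stored owner ends up as `bob`; with both checks the update is rejected and the record stays with `alice`.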

@timyates added the bug, server, and security labels on Jun 12, 2024
@timyates requested a review from mkimberlin on June 12, 2024 12:49
@timyates self-assigned this on Jun 12, 2024
Contributor Author

I also changed the join from LEFT JOIN to JOIN. This is a no-op, I believe, as there cannot be one without the other; however, JOIN is more correct.

@timyates merged commit 2ceec47 into develop on Jun 14, 2024
@timyates deleted the bugfix-certification-permission-fix branch on June 14, 2024 12:21