(fix): Add permission checks to template method and publication #3606
Conversation
@aaronjudd good catch. Pretty sloppy of me not to remember that we use templates for the PDP as well. Fixed by permitting all users to subscribe to templates (previous functionality) but keeping the role check in the update method.
return Templates.update({ | ||
_id: templateId, | ||
type: "email" | ||
type: "email", | ||
shopId: shopId // Ensure that the template we're attempting to update is owned by the active shop. |
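Review bot: the selector now scopes the update to the active shop (`shopId: shopId`), but the result of `Templates.update({ ... })` is returned directly, so a caller who passes a template id belonging to a different shop gets an update that silently matches zero documents. Consider checking the affected-document count and raising an error when it is zero, so the client sees a clear failure instead of a success-looking return. It is also worth confirming in review that `shopId` is resolved from the server-side active shop rather than from a client-supplied argument, since the comment's guarantee ("owned by the active shop") depends on that.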
💯
lgtm
As a shop admin I am able to execute the method for templates that are not mine but the method uses the active shop ID so I am prevented from actually doing anything harmful.
Tested. Verified fixed.
Approved by @zenweasel and @jshimko
Adds permission checks to the template/email/update server method. I've tested and verified that as an admin you can still view and modify email templates.
I've also tested and verified that users without the reaction-templates role for the primary shop cannot view or subscribe to the templates, and cannot modify them.
We currently do not use shop specific templates; the default marketplace install of Reaction disables template editing for shops and uses the primary shop's templates for all emails. I've added this code to be compatible with marketplace shops, but it's not enabled right now anyway, and there's not a great way to test that.
To test:
- As a user with the reaction-templates role, verify you can still view and modify templates.
- As a user without that role, call the template/email/update method from the client console. Verify that you are not able to do so successfully.
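The pattern discussed in this PR, as an added in-memory example that is not the project's code: a server method that first checks the caller's role and then scopes its update selector to the caller's active shop, while the subscription stays open. The collection, role table, and the names Templates, Roles, hasPermission, updateWhere, updateEmailTemplate and templatesForShop are constructed for illustration and are not Reaction's APIs; the explicit zero-match error is a hardening suggestion beyond what the diff shows.

```javascript
// Added example (not the project's code). Constructed in-memory collection
// standing in for the Templates collection; shop ids and titles are made up.
const Templates = [
  { _id: "t1", type: "email", shopId: "shopA", title: "Order confirmation", template: "<p>Thanks</p>" },
  { _id: "t2", type: "email", shopId: "shopB", title: "Order confirmation", template: "<p>Merci</p>" },
];

// Constructed role table: userId -> shopId -> roles held in that shop.
const Roles = {
  admin: { shopA: ["reaction-templates"] },
  guest: {},
};

// Assumed stand-in for a per-shop role check.
function hasPermission(userId, role, shopId) {
  const byShop = Roles[userId] || {};
  return (byShop[shopId] || []).includes(role);
}

// Models Collection.update(selector, fields): applies fields to every document
// matching all selector keys and returns the number of documents matched.
function updateWhere(selector, fields) {
  let matched = 0;
  for (const doc of Templates) {
    if (Object.keys(selector).every((k) => doc[k] === selector[k])) {
      Object.assign(doc, fields);
      matched++;
    }
  }
  return matched;
}

// The server method: role check first, then a selector scoped to the caller's
// active shop, so a template id from another shop can never be matched.
function updateEmailTemplate({ userId, activeShopId }, templateId, fields) {
  if (!hasPermission(userId, "reaction-templates", activeShopId)) {
    throw new Error("Access Denied");
  }
  const matched = updateWhere({ _id: templateId, type: "email", shopId: activeShopId }, fields);
  // Surface a non-match instead of returning 0 so the caller sees a clear failure.
  if (matched === 0) {
    throw new Error("Template not found for active shop");
  }
  return matched;
}

// The subscription stays open to every user (the PDP needs templates too), but
// reads are still limited to the requested shop's documents.
function templatesForShop(shopId) {
  return Templates.filter((t) => t.shopId === shopId).map((t) => t._id);
}
```

Running the method as "admin" against "t2" (owned by shopB) while shopA is active throws rather than touching shopB's template, which is the behaviour the reviewer above describes as "prevented from actually doing anything harmful"; a "guest" caller is rejected before any query runs.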