
Fix: IDOR vulnerability

valdis committed Jun 30, 2017
1 parent 59d2b80 commit 5c27040a83d753ac667dc1e2372f88e19e30f7f4
@@ -116,7 +116,7 @@ def generate_csv_for(yielder, memberships, community)
def removes_itself?(ids, current_admin_user)
ids ||= []
ids.include?(current_admin_user.id) && current_admin_user.is_marketplace_admin?
ids.include?(current_admin_user.id) && current_admin_user.is_marketplace_admin?(@current_community)
end
def sort_column
@@ -169,7 +169,7 @@ def initialize_feature_flags
user_id: @current_user&.id,
request: request,
is_admin: Maybe(@current_user).is_admin?.or_else(false),
is_marketplace_admin: Maybe(@current_user).is_marketplace_admin?.or_else(false))
is_marketplace_admin: Maybe(@current_user).is_marketplace_admin?(@current_community).or_else(false))
end
# Ensure that user accepts terms of community and has a valid email
@@ -206,7 +206,7 @@ def ensure_consent_given
def ensure_user_belongs_to_community
return unless @current_user
if !@current_user.has_admin_rights? && @current_user.accepted_community != @current_community
if !@current_user.has_admin_rights?(@current_community) && @current_user.accepted_community != @current_community
logger.info(
"Automatically logged out user that doesn't belong to community",
@@ -343,7 +343,7 @@ def cannot_access_without_confirmation
end
def fetch_community_admin_status
@is_current_community_admin = @current_user && @current_user.has_admin_rights?
@is_current_community_admin = (@current_user && @current_user.has_admin_rights?(@current_community))
end
def fetch_community_plan_expiration_status
@@ -507,7 +507,7 @@ def display_onboarding_topbar?
return true if @current_user.is_admin?
# Show for admins if their status is accepted
@current_user.is_marketplace_admin? &&
@current_user.is_marketplace_admin?(@current_community) &&
@current_user.community_membership.accepted?
end
@@ -21,7 +21,7 @@ def create
def destroy
@comment = @current_community.listings.find(params[:listing_id]).comments.find(params[:id])
if current_user?(@comment.author) || @current_user.has_admin_rights?
if current_user?(@comment.author) || @current_user.has_admin_rights?(@current_community)
@comment.destroy
respond_to do |format|
format.html { redirect_to listing_path(params[:listing_id]) }
@@ -47,7 +47,7 @@ def show
Analytics.record_event(flash, "AccountConfirmed")
if @current_user && @current_user.has_admin_rights?
if @current_user && @current_user.has_admin_rights?(@current_community)
report_to_gtm({event: "admin_email_confirmed"})
redirect_to admin_getting_started_guide_path and return
elsif @current_user # normal logged in user
@@ -49,7 +49,7 @@ def create
def render_form(form = nil)
render action: :new, locals: feedback_locals(form).merge({
has_admin_rights: @current_user && @current_user.has_admin_rights?
has_admin_rights: @current_user && @current_user.has_admin_rights?(@current_community)
})
end
@@ -289,14 +289,14 @@ def create_auth_context(user:, community:)
{
marketplaceId: community.uuid_object.to_s,
actorId: (user&.uuid_object || UUIDUtils.v0_uuid).to_s,
actorRole: role(user)
actorRole: role(user, community)
}
end
def role(user)
def role(user, community)
if user.nil?
nil
elsif user.has_admin_rights?
elsif user.has_admin_rights?(community)
:admin
else
:user
@@ -18,7 +18,7 @@ def new
view_locals = {
invitation_limit: invitation_limit,
has_admin_rights: @current_user.has_admin_rights?
has_admin_rights: @current_user.has_admin_rights?(@current_community)
}
render locals: onboarding_popup_locals.merge(view_locals)
@@ -112,7 +112,7 @@ def new_image(params, url)
def authorized_to_destroy?(image)
if image.listing.present? && image.listing.community_id == @current_community.id
# Listing is present: We are deleting image from saved listing
image.listing.author == @current_user || @current_user.has_admin_rights?
image.listing.author == @current_user || @current_user.has_admin_rights?(@current_community)
else
# Listing is not present: We are deleting image from a new unsaved listing
image.author == @current_user
@@ -130,7 +130,7 @@ def ensure_authorized_to_add!
if listing.nil?
:not_found
elsif listing.author == @current_user || @current_user.has_admin_rights?
elsif listing.author == @current_user || @current_user.has_admin_rights?(@current_community)
:authorized
else
:unauthorized
@@ -547,7 +547,7 @@ def show_in_updates_email
def ensure_current_user_is_listing_author(error_message)
@listing = Listing.find(params[:id])
return if current_user?(@listing.author) || @current_user.has_admin_rights?
return if current_user?(@listing.author) || @current_user.has_admin_rights?(@current_community)
flash[:error] = error_message
redirect_to @listing and return
end
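Review bot: `Listing.find(params[:id])` on the line before the guard is not scoped to `@current_community`, so the admin check on the next line is evaluated against the current community for a listing that may belong to a different one; the comments-controller hunk in this same commit already uses `@current_community.listings.find(...)`, and the same form would keep the two checks consistent here: `@listing = @current_community.listings.find(params[:id])`. If an earlier before-filter already restricts listings to the current community this is only a consistency point. A one-line comment such as `# admin rights are community-scoped, so the listing lookup must be too` would record why the scoped lookup and the scoped admin check belong together.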
@@ -882,7 +882,7 @@ def is_answer_value_blank(value)
def is_authorized_to_post
if @current_community.require_verification_to_post_listings?
unless @current_user.has_admin_rights? || @current_community_membership.can_post_listings?
unless @current_user.has_admin_rights?(@current_community) || @current_community_membership.can_post_listings?
redirect_to verification_required_listings_path
end
end
@@ -920,7 +920,7 @@ def payment_setup_status(community:, user:, listing:, payment_type:, process:)
when matches([:paypal])
can_post = PaypalHelper.community_ready_for_payments?(community.id)
error_msg =
if user.has_admin_rights?
if user.has_admin_rights?(community)
t("listings.new.community_not_configured_for_payments_admin",
payment_settings_link: view_context.link_to(
t("listings.new.payment_settings_link"),
@@ -127,7 +127,7 @@ def show
.map { |tx_with_conv| [tx_with_conv, :participant] }
m_admin =
Maybe(@current_user.has_admin_rights?)
Maybe(@current_user.has_admin_rights?(@current_community))
.select { |can_show| can_show }
.map {
MarketplaceService::Transaction::Query.transaction_with_conversation(
@@ -613,7 +613,7 @@ def author_link(listing)
end
def with_invite_link(&block)
if @current_user && (@current_user.has_admin_rights? || @current_community.users_can_invite_new_users)
if @current_user && (@current_user.has_admin_rights?(@current_community) || @current_community.users_can_invite_new_users)
block.call()
end
end
@@ -314,7 +314,7 @@ def welcome_email(person, community, regular_email=nil, test_email=false)
@test_email = test_email
@show_branding_info = !PlanService::API::Api.plans.get_current(community_id: community.id).data[:features][:whitelabel]
subject = if @recipient.has_admin_rights? && !@test_email
subject = if @recipient.has_admin_rights?(@current_community) && !@test_email
t("emails.welcome_email_marketplace_creator.welcome_email_subject_for_marketplace_creator")
else
t("emails.welcome_email.welcome_email_subject", :community => community.full_name(recipient.locale), :person => PersonViewUtils.person_display_name_for_type(person, "first_name_only"))
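Review bot: In `welcome_email(person, community, ...)` the new subject check reads `@recipient.has_admin_rights?(@current_community)` even though the method receives `community` as a parameter; where `@current_community` is assigned is not visible in this hunk, so if it is ever unset or differs from the argument, the marketplace-creator subject is chosen for the wrong marketplace. Using the parameter, `subject = if @recipient.has_admin_rights?(community) && !@test_email`, ties the check to the community the email is actually sent for. The same applies to the two welcome-email view hunks (`@recipient.has_admin_rights?(@current_community)` in the header and footer partials), which could receive the community as a local instead. The enclosing method continues past the end of the hunk.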
@@ -88,7 +88,7 @@ def paypal_new_payment(transaction, seller_model = nil, buyer_model = nil, commu
user_id: seller_model.id,
request: OpenStruct.new(session: {}, params: []), #fake request, will provide fake .session and .params
is_admin: seller_model.is_admin?,
is_marketplace_admin: seller_model.is_marketplace_admin?) # TODO: remove when :currency_formatting flag is removed
is_marketplace_admin: seller_model.is_marketplace_admin?(community)) # TODO: remove when :currency_formatting flag is removed
premailer_mail(:to => seller_model.confirmed_notification_emails_to,
:from => community_specific_sender(community),
:subject => t("emails.new_payment.new_payment")) do |format|
@@ -131,7 +131,7 @@ def paypal_receipt_to_payer(transaction, seller_model = nil, buyer_model = nil,
user_id: buyer_model.id,
request: OpenStruct.new(session: {}, params: []), #fake request, will provide fake .session and .params
is_admin: buyer_model.is_admin?,
is_marketplace_admin: buyer_model.is_marketplace_admin?) # TODO: remove when :currency_formatting flag is removed
is_marketplace_admin: buyer_model.is_marketplace_admin?(community)) # TODO: remove when :currency_formatting flag is removed
premailer_mail(:to => buyer_model.confirmed_notification_emails_to,
:from => community_specific_sender(community),
:subject => t("emails.receipt_to_payer.receipt_of_payment")) { |format|
@@ -386,7 +386,7 @@ def admin_emails
end
def allows_user_to_send_invitations?(user)
(users_can_invite_new_users && user.member_of?(self)) || user.has_admin_rights?
(users_can_invite_new_users && user.member_of?(self)) || user.has_admin_rights?(self)
end
def has_customizations?
@@ -425,12 +425,12 @@ def consent
community_membership.consent
end
def is_marketplace_admin?
community_membership.admin?
def is_marketplace_admin?(community)
community_membership.community_id == community.id && community_membership.admin?
end
def has_admin_rights?
is_admin? || is_marketplace_admin?
def has_admin_rights?(community)
is_admin? || is_marketplace_admin?(community)
end
def should_receive?(email_type)
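Review bot: `is_marketplace_admin?(community)` dereferences `community.id` without a nil guard, so a caller that passes a nil community (several call sites in this commit pass `@current_community`, which is only sometimes checked beforehand) gets a NoMethodError instead of `false`; failing closed is acceptable, but an explicit `return false if community.nil?` as the first line makes the contract visible and avoids a 500 where a plain denial was meant. The check also relies on the singular `community_membership` association, which presumably returns one membership — if a person can hold memberships in several marketplaces, comparing only that membership's `community_id` may miss the relevant one, so this is worth confirming against the model. A short comment on `has_admin_rights?(community)`, e.g. `# global admins (is_admin?) have rights in every community; others only where their membership is admin`, would record the intended asymmetry.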
@@ -103,7 +103,7 @@ def paypal_preferences_updated(setup_status, community)
def listing_created(setup_status, listing)
if !setup_status[:listing] &&
listing&.author&.is_marketplace_admin?
listing&.author&.is_marketplace_admin?(Community.find(@community_id))
:listing
end
end
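Review bot: `listing_created` now issues `Community.find(@community_id)` on every call solely to scope the admin check; the image-authorization hunk in this commit shows listings carry a `community_id`, so if `Listing` exposes a `community` association the call could read `listing&.author&.is_marketplace_admin?(listing.community)`, which also guarantees the check is made against the listing's own marketplace rather than whatever `@community_id` holds. If `@community_id` is deliberately the marketplace whose onboarding status is being computed, a comment stating that, e.g. `# @community_id is the marketplace whose onboarding status is being computed`, would keep the two from drifting apart. With `&.` the argument expression is not evaluated when `listing` or its author is nil, so the extra query is at least skipped in that case.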
@@ -18,7 +18,7 @@ def authorized_to_view?
return false unless listing_belongs_to_community?
if user_logged_in?
user_member_of_community? || @user.has_admin_rights?
user_member_of_community? || @user.has_admin_rights?(@community)
else
public_community?
end
@@ -31,7 +31,7 @@ def set_from_model(community: nil, person: nil)
role =
if person.nil?
nil
elsif person.has_admin_rights?
elsif person.has_admin_rights?(community)
:admin
else
:user
@@ -65,7 +65,7 @@ def topbar_props(community:, path_after_locale_change:, user: nil, search_placeh
},
user: {
loggedInUsername: user&.username,
isAdmin: user&.has_admin_rights? || false,
isAdmin: user&.has_admin_rights?(community) || false,
},
unReadMessagesCount: MarketplaceService::Inbox::Query.notification_count(user&.id, community.id)
}
@@ -108,7 +108,7 @@ def links(community:, user:, locale_param:, host_with_port:)
}
]
if user&.has_admin_rights? || community.users_can_invite_new_users
if user&.has_admin_rights?(community) || community.users_can_invite_new_users
links << {
link: paths.new_invitation_path(locale: locale_param),
title: I18n.t("header.invite"),
@@ -56,7 +56,7 @@
%td= l(membership.created_at, :format => :short_date)
- if @current_community.require_verification_to_post_listings
%td{:style => "text-align: center"}= check_box_tag "posting-allowed[#{member.id}]", member.id, membership.can_post_listings, :class => "admin-members-can-post-listings"
%td{:style => "text-align: center"}= check_box_tag "is_admin[#{member.id}]", member.id, member.is_marketplace_admin?, :class => "admin-members-is-admin", :disabled => member.eql?(@current_user)
%td{:style => "text-align: center"}= check_box_tag "is_admin[#{member.id}]", member.id, member.is_marketplace_admin?(@current_community), :class => "admin-members-is-admin", :disabled => member.eql?(@current_user)
%td{:style => "text-align: center"}
= link_to(icon_tag("cross"), ban_admin_community_community_membership_path(@current_community.id, membership.id), method: :put, :data => {:confirm => t("admin.communities.manage_members.ban_user_confirmation")}, :class => "admin-members-remove-user")
@@ -5,7 +5,7 @@
- contact_support_link = link_to t("sessions.confirmation_pending.contact_support_link_text"), "mailto:#{support_email}"
- admin_dashboard_link = link_to t("sessions.confirmation_pending.admin_dashboard_link_text"), admin_getting_started_guide_path
- if @current_user.has_admin_rights?
- if @current_user.has_admin_rights?(@current_community)
%h2= t("sessions.confirmation_pending.account_confirmation_instructions_title_admin")
%p= t("sessions.confirmation_pending.before_full_access_you_need_to_confirm_email")
%p= t("sessions.confirmation_pending.before_confirmation_only_access_admin_dashboard", {admin_dashboard_link: admin_dashboard_link}).html_safe
@@ -21,7 +21,7 @@
var userInfo = new amplitude.Identify()
.set('community_id', <%= community.id %>)
.set('marketplace_uuid', '<%= community.uuid_object.to_s %>')
.set('admin', <%= (user&.is_marketplace_admin? || false).to_json %>);
.set('admin', <%= (user&.is_marketplace_admin?(@current_community) || false).to_json %>);
<% if plan %>
userInfo.set('plan_status', '<%= plan[:status] %>');
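Review bot: The analytics snippet switches to `@current_community` for the admin flag while the two `.set(...)` lines directly above read the `community` local (`community.id`, `community.uuid_object`); if the template is rendered with a `community` local that is not the current marketplace, or without the instance variable set, the admin flag is computed against a different community than the ids it is reported alongside. Passing the local keeps the three fields consistent: `.set('admin', <%= (user&.is_marketplace_admin?(community) || false).to_json %>);`.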
@@ -27,7 +27,7 @@
= icon_map_tag(icons, "redirect", ["icon-with-text"])
= menu_link.title(I18n.locale)
- if @current_user && @current_community && @current_user.has_admin_rights?
- if @current_user && @current_community && @current_user.has_admin_rights?(@current_community)
= link_to admin_details_edit_path do
= icon_map_tag(icons, "admin", ["icon-with-text"])
= t("layouts.logged_in.admin")
@@ -1,4 +1,4 @@
- if @current_user && @current_user.has_admin_rights?
- if @current_user && @current_user.has_admin_rights?(@current_community)
%p
%a{:id => "edit_link", :href => "/editor" + request.path, :data => { :save_url => mercury_update_path }}
.icon-with-text-container
@@ -32,7 +32,7 @@
= render partial: 'layouts/global_header', locals: header_props()
- if logged_in? && @display_expiration_notice
- if @current_user.has_admin_rights?
- if @current_user.has_admin_rights?(@current_community)
= render partial: "layouts/admin_expiration_notice", locals: {external_plan_service_login_url: admin_plan_path}
- else
= render partial: "layouts/expiration_notice", locals: {contact_owner_link: new_user_feedback_path}
@@ -4,7 +4,7 @@
%h3
= link_to_unless comment.author.deleted?, PersonViewUtils.person_display_name(comment.author, @current_community), comment.author
%small= time_ago(comment.created_at)
- if @current_user && (current_user?(comment.author) || @current_user.has_admin_rights?)
- if @current_user && (current_user?(comment.author) || @current_user.has_admin_rights?(@current_community))
%small= link_to t('listings.comment.delete'), listing_comment_path(:listing_id => comment.listing.id, :id => comment.id), {method: :delete, data: { confirm: t('listings.comment.are_you_sure') }, :remote => :true}
.comment-content
- text_with_line_breaks do
@@ -1,5 +1,5 @@
- is_author = current_user?(@listing.author)
- is_marketplace_admin = Maybe(@current_user).has_admin_rights?.or_else(false)
- is_marketplace_admin = Maybe(@current_user).has_admin_rights?(@current_community).or_else(false)
- is_authorized = is_author || is_marketplace_admin
- show_manage_availability = is_authorized && availability_enabled
@@ -11,7 +11,7 @@
%tr
%td{:width => "7.5%"}
%td{:valign => "top", :width => "85%", :style => "font-family:Helvetica Neue, Helvetica, Arial, sans-serif; font-weight:400; font-size:14px; padding: 10px 0 40px 0; text-align: left; line-height:22px;"}
- if @recipient.has_admin_rights? && !@test_email
- if @recipient.has_admin_rights?(@current_community) && !@test_email
= render :partial => "admin/communities/welcome_email_for_marketplace_creator"
- else
%p= t("emails.common.hey", :name => PersonViewUtils.person_display_name_for_type(@recipient, "first_name_only"))
@@ -23,7 +23,7 @@
%td{:width => "7.5%"}
- if @show_branding_info
= render :partial => "layouts/email_non_whitelabel_branding", locals: {link_to_sharetribe: "https://www.sharetribe.com/?utm_source=#{@current_community.ident}.sharetribe.com&utm_medium=email&utm_campaign=nowl-emails-welcome"}
- unless @recipient.has_admin_rights? && !@test_email
- unless @recipient.has_admin_rights?(@current_community) && !@test_email
%tr
%td{:style => "text-align: center;width:100%;max-width:602px;padding: 0 45px;"}
%p{:style => "margin-top:15px;margin-bottom:15px;font-family:helvetica,arial,sans-serif;font-size:12px;color:#464646;"}
@@ -4,7 +4,7 @@ module Authentication
def can_edit?
@current_user = current_person
@current_community = CurrentMarketplaceResolver.resolve_from_host(request.host, URLUtils.strip_port_from_host(APP_CONFIG.domain))
@current_user && @current_community && @current_user.has_admin_rights?
@current_user && @current_community && @current_user.has_admin_rights?(@current_community)
end
end
end
