
#890 - Prevent filtering users by role if requestor doesn't have "list_users" capability #900

Merged

jasonbahl (Collaborator)
What does this implement/fix? Explain your changes.

Public requests shouldn't be able to filter users by role. This ensures that if the users connection is filtered

Before this, an unauthenticated user could make a request like the following:

query getUsers{
  users(where:{role:ADMINISTRATOR}){
    edges{
      node{
        userId
        name
      }
    }
  }
}

Get a response like:

{
  "data": {
    "users": {
      "edges": [
        {
          "node": {
            "userId": 1,
            "name": "root"
          }
        }
      ]
    }
  }
}

And the requestor would be able to determine which users are admins.

With this fix, the same request could be sent and the following response would be provided:

{
  "errors": [
    {
      "message": "Sorry, you are not allowed to filter users by role.",
      "category": "user",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "path": [
        "users"
      ]
    }
  ],
  "data": {
    "users": null
  }
}

Does this close any currently open issues?

closes #890

Any other comments?

Includes tests!

Where has this been tested?

Operating System: Mac OSX 10.14.5
WordPress Version: WP 5.2.2
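The check described in the pull request above, modelled in plain Python as an added example (this is not WPGraphQL's own code, and the project is PHP). It contrasts the pre-fix resolver, which applies any `where` argument regardless of who asks, with the fixed one, which refuses every role-based filter unless the requestor holds the WordPress `list_users` capability. The user table, the reduced role-to-capability map, and the `roleIn`/`roleNotIn` argument names are assumptions made for the example; in a stock WordPress install only administrators hold `list_users`, so a merely logged-in editor is rejected just like an anonymous request, which is the point of keying the check on the capability rather than on authentication.

```python
"""Model of the `list_users` capability check from WPGraphQL PR #900.

Added example, not the plugin's code. A minimal GraphQL-style users
resolver that refuses role-based filters unless the requestor holds the
WordPress `list_users` capability.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample user table (ids, names and roles are made up).
USERS: List[Dict] = [
    {"userId": 1, "name": "root", "role": "administrator"},
    {"userId": 2, "name": "alice", "role": "editor"},
    {"userId": 3, "name": "bob", "role": "subscriber"},
]

# Reduced role -> capability map (assumption modelled on stock WordPress,
# where only administrators hold `list_users`). None = unauthenticated.
ROLE_CAPS: Dict[Optional[str], set] = {
    "administrator": {"read", "list_users"},
    "editor": {"read", "edit_posts"},
    "subscriber": {"read"},
    None: set(),
}

# Every `where` argument that selects by role. `roleIn`/`roleNotIn` are
# assumed names; the check covers all of them so it cannot be sidestepped
# by switching from one role argument to a sibling.
ROLE_FILTER_ARGS = ("role", "roleIn", "roleNotIn")

ERROR_MESSAGE = "Sorry, you are not allowed to filter users by role."


@dataclass
class Requestor:
    role: Optional[str] = None  # None models an unauthenticated request

    def can(self, capability: str) -> bool:
        return capability in ROLE_CAPS.get(self.role, set())


def graphql_error(message: str, path: List[str]) -> Dict:
    """Error envelope shaped like the PR's post-fix response (locations omitted)."""
    return {
        "errors": [{"message": message, "category": "user", "path": list(path)}],
        "data": {path[0]: None},
    }


def apply_where(users: List[Dict], where: Dict) -> List[Dict]:
    """Apply the role-based `where` arguments (enum values arrive upper-case)."""
    out = users
    if "role" in where:
        out = [u for u in out if u["role"] == where["role"].lower()]
    if "roleIn" in where:
        wanted = {r.lower() for r in where["roleIn"]}
        out = [u for u in out if u["role"] in wanted]
    if "roleNotIn" in where:
        excluded = {r.lower() for r in where["roleNotIn"]}
        out = [u for u in out if u["role"] not in excluded]
    return out


def resolve_users_before(where: Dict, requestor: Requestor) -> Dict:
    """Pre-fix behaviour: the filter is honoured for anyone, so an anonymous
    caller can learn which accounts are administrators."""
    edges = [
        {"node": {"userId": u["userId"], "name": u["name"]}}
        for u in apply_where(USERS, where)
    ]
    return {"data": {"users": {"edges": edges}}}


def resolve_users_after(where: Dict, requestor: Requestor) -> Dict:
    """Fixed behaviour: any role-based filter requires `list_users`."""
    if any(arg in where for arg in ROLE_FILTER_ARGS) and not requestor.can("list_users"):
        return graphql_error(ERROR_MESSAGE, ["users"])
    return resolve_users_before(where, requestor)


if __name__ == "__main__":
    anonymous = Requestor()
    print(resolve_users_before({"role": "ADMINISTRATOR"}, anonymous))
    print(resolve_users_after({"role": "ADMINISTRATOR"}, anonymous))
```

The model only covers the role filter; it does not reproduce the other visibility rules a real users connection applies to public requests, so an unfiltered anonymous query simply returns the whole constructed table here.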

codecov bot commented Jul 10, 2019

Codecov Report

Merging #900 into develop will increase coverage by <.01%.
The diff coverage is 70%.

Impacted file tree graph

@@            Coverage Diff             @@
##           develop    #900      +/-   ##
==========================================
+ Coverage     60.8%   60.8%   +<.01%     
==========================================
  Files          132     132              
  Lines         7809    7817       +8     
==========================================
+ Hits          4748    4753       +5     
- Misses        3061    3064       +3
Impacted Files                                    Coverage Δ
src/Data/Connection/UserConnectionResolver.php    72.09% <70%> (-2.2%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c299157...5232908. Read the comment docs.

Linked issue (closed by merging this pull request): User Role Queries: Improper Access Violation