Bubka / 2FAuth

A Web app to manage your Two-Factor Authentication (2FA) accounts and generate their security codes
https://docs.2fauth.app/
GNU Affero General Public License v3.0

app/Policies/OwnershipTrait contains a bug, I think #320

Closed doctor-beat closed 6 months ago

doctor-beat commented 6 months ago

Version

2FAuth – v5.0.4

Details & Steps to reproduce

app/Policies/OwnershipTrait line 16 contains a bug, I think. In my case the $item->user_id is a string, which does not make it triple equal to $user->id.

When I wrap the $item->user_id in an intval() the class starts working.

It appears to be the same issue as described here: https://github.com/Bubka/2FAuth/issues/305

Expectation

no errors when clicking the sfauth key.

Error & Logs

No response

Execution environment

No response

Containerization

Additional information

No response

Bubka commented 6 months ago

Hi,

what db are you using? I can't reproduce using mysql.

edit: also tested with sqlite, can't reproduce either

Bubka commented 6 months ago

Can you please confirm you have this line in log files (see /2fauth/storage/logs/*.log):

User ID #x cannot view twofaccount ID #y

doctor-beat commented 6 months ago

Hi,

  1. we are on mysql, both columns in db are in fact integer types
  2. php 8.2
  3. yes those are in the logs and are what triggered me to locate the issue:

    [2024-03-12 16:38:55] production.NOTICE: User isOwner of with ID #integer vs twofaccount ID #string:
    [2024-03-12 16:38:55] production.NOTICE: User ID #3 cannot view twofaccount ID #3
    [2024-03-12 16:40:45] production.NOTICE: User isOwner of with ID #integer vs twofaccount ID #string:

I have added an extra line of logging for personal debugging

Bubka commented 6 months ago

Ok, thx for the env setup. I'm going to do more testing, I would like to understand why types are not consistent from one setup to another 🤔

doctor-beat commented 6 months ago

Yes, thanks. If I can be of any help let me know. I am a java/php dev as well.

Bubka commented 6 months ago

Well, I cannot reproduce, even with the exact same setup. What page do you load while debugging the trait?

Bubka commented 6 months ago

Could you please try this fix for me ?

Edit 2fauth_install_dir/app/Models/TwoFAccount.php. Line 148, set the $casts like this:

    protected $casts = [
        'user_id' => 'integer',
    ];

Thx

doctor-beat commented 6 months ago

That fixes the issue, triple equality is now comparing two integers

Bubka commented 6 months ago

Ok thanks 👍🏻
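The type mismatch discussed in this thread, reproduced outside Laravel as an added example (not 2FAuth's code). `User`, `Account` and `isOwner()` are hypothetical stand-ins, the `$casts` handling only mimics an Eloquent-style cast map, and the row is constructed to look like a driver result that returns integer columns as strings.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the authenticated user and the owned model.
final class User
{
    public function __construct(public int $id) {}
}

final class Account
{
    /** @param array<string,string> $casts attribute name => target type */
    public function __construct(private array $attributes, private array $casts = []) {}

    public function __get(string $key): mixed
    {
        $value = $this->attributes[$key] ?? null;
        // NULL stays NULL so an unowned row never turns into user_id 0.
        if ($value !== null && ($this->casts[$key] ?? null) === 'integer') {
            return (int) $value;
        }
        return $value;
    }
}

// Strict ownership check of the kind the thread describes: int === string is never true.
function isOwner(User $user, Account $item): bool
{
    return $user->id === $item->user_id;
}

// Constructed rows: the integer column arrives as a string, or is NULL.
$row     = ['id' => '3', 'user_id' => '3'];
$orphan  = ['id' => '9', 'user_id' => null];
$casts   = ['user_id' => 'integer'];

$checks = [
    'owner, no cast'        => isOwner(new User(3), new Account($row)),
    'owner, integer cast'   => isOwner(new User(3), new Account($row, $casts)),
    'other user, cast'      => isOwner(new User(4), new Account($row, $casts)),
    'user 0 vs NULL owner'  => isOwner(new User(0), new Account($orphan, $casts)),
];

foreach ($checks as $label => $allowed) {
    printf("%-22s => %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

Normalizing the attribute type at the model keeps the strict `===` in the policy, so the check still denies by default when the stored owner is missing or of an unexpected type.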