IntersectMBO / govtool

🔩 GovTool and utilities monorepo.
https://gov.tools
Apache License 2.0

[BUG] Unauthorized Poll Creation on Others' Proposals #1197

Open NabinKawan opened 5 months ago

NabinKawan commented 5 months ago

Context & versions

Able to add poll on others' proposal

Steps to reproduce

Send a POST request to create a poll on another user's proposal using the following curl command:

  curl 'https://dev.api.pdf.gov.tools/api/polls' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'authorization: Bearer <Token>' \
  -H 'content-type: application/json' \
  -H 'origin: https://dev.gov.tools/' \
  -H 'priority: u=1, i' \
  -H 'referer: https://dev.gov.tools/' \
  -H 'sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-site' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' \
  --data-raw '{"data":{"proposal_id":"11","poll_start_dt":"2024-06-07T08:49:08.498Z","is_poll_active":true}}'
{"data":{"id":12,"attributes":{"proposal_id":"11","poll_yes":0,"poll_no":0,"poll_start_dt":"2024-06-07T08:49:08.498Z","is_poll_active":true,"createdAt":"2024-06-07T08:54:59.844Z","updatedAt":"2024-06-07T08:54:59.844Z"}},"meta":{}}

Here, I'm able to add a poll in proposal-id: 11. This will also reset already existing polls.

Actual behavior

A poll is successfully created on another user's proposal.

Expected behavior

The system should block the creation of polls on proposals that do not belong to the authenticated user.
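The expected behaviour above comes down to one server-side control: the backend must resolve the caller from the Bearer token and verify that the target proposal belongs to that caller before it writes a poll. The following is an added example, not GovTool's own code, and it is not the project's actual API or data layer: the in-memory `proposals` and `polls` maps, the `user` object (assumed to be produced by the auth middleware from the token), and the `HttpError` class are all constructed for illustration. It also refuses to overwrite an existing poll, because the report notes that re-creating a poll resets the one already there.

```javascript
// Added example (not GovTool's code): an ownership check for poll creation.
// Constructed in-memory tables stand in for the proposals and polls collections;
// the real backend, its ORM and its auth middleware are assumed.

const proposals = new Map([
  [11, { id: 11, ownerId: 'user-A' }],   // constructed sample data
  [12, { id: 12, ownerId: 'user-B' }],
]);
const polls = new Map(); // proposalId -> poll record

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// `user` is the identity the (assumed) auth middleware resolved from the
// Bearer token. Ownership is decided here, on the server, from stored data;
// nothing in the request body is trusted to say who owns the proposal.
function createPoll(user, body) {
  if (!user) throw new HttpError(401, 'authentication required');

  const proposalId = Number(body?.data?.proposal_id);
  if (!Number.isInteger(proposalId)) throw new HttpError(400, 'invalid proposal_id');

  const proposal = proposals.get(proposalId);
  if (!proposal) throw new HttpError(404, 'proposal not found');

  // The missing control in the report: only the proposal owner may add a poll.
  if (proposal.ownerId !== user.id) throw new HttpError(403, 'not the proposal owner');

  // Creating a poll again must not silently zero an existing one's tallies.
  if (polls.has(proposalId)) throw new HttpError(409, 'poll already exists for proposal');

  const poll = {
    id: polls.size + 1,
    proposal_id: String(proposalId),
    poll_yes: 0,
    poll_no: 0,
    poll_start_dt: body.data.poll_start_dt,
    is_poll_active: Boolean(body.data.is_poll_active),
  };
  polls.set(proposalId, poll);
  return { status: 201, data: { id: poll.id, attributes: poll } };
}

// Route-style wrapper: turns HttpError into a status/error response object.
function handle(user, body) {
  try {
    return createPoll(user, body);
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, error: e.message };
    throw e;
  }
}
```

The check must be applied on every write path (create, update, delete of a poll), not only on the create handler, and the decision must use the owner recorded with the proposal rather than any caller-supplied field; a client that sends a different `proposal_id` gets a 403, which is the response the original report expected in place of the 201 it received.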

bosko-m commented 1 week ago

@spannercode Can you check if this is still the case?

kneerose commented 1 week ago

@bosko-m This issue is still occurring: I am able to add a poll to proposals that do not belong to me.

script

 curl 'https://z74f91f2d-zb0719f09-gtw.z937eb260.rustrocks.fr/api/polls' \
   -H 'accept: application/json, text/plain, */*' \
   -H 'accept-language: en,en-GB;q=0.9,en-US;q=0.8' \
   -H 'authorization: Bearer <Use Your Token>' \
   -H 'content-type: application/json' \
   -H 'origin: https://dev-sanchonet.govtool.byron.network' \
   -H 'priority: u=1, i' \
   -H 'referer: https://dev-sanchonet.govtool.byron.network/' \
   -H 'sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"' \
   -H 'sec-ch-ua-mobile: ?0' \
   -H 'sec-ch-ua-platform: "Linux"' \
   -H 'sec-fetch-dest: empty' \
   -H 'sec-fetch-mode: cors' \
   -H 'sec-fetch-site: cross-site' \
   -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36' \
   --data-raw '{"data":{"proposal_id":"1958","poll_start_dt":"2024-11-05T09:12:56.920Z","is_poll_active":true}}'

For further details, please refer to this https://www.loom.com/share/1879b6ec318f4627b0abf0326a95e3f5?sid=4f6924eb-0b1e-40e4-9fa7-6aee6cc02a2a

Here Proposal 1958 does not belong to me, but I am still able to add a poll to it.

bosko-m commented 1 week ago

Thank you @kneerose . That makes this P0.

bosko-m commented 1 week ago

@kneerose Feel free to test this again on dev.

kneerose commented 1 week ago

@bosko-m This issue is still occurring on the development environment.

https://www.loom.com/share/b9827619b138403fb9fa85ddc2344ad6?sid=d4bfb9bf-a1b0-4ec3-816d-5fa7626c8ee9

kneerose commented 1 week ago

Additionally, users can submit multiple votes on the same proposal poll using the same user authentication. Related ticket -> https://github.com/IntersectMBO/govtool/issues/2356

bosko-m commented 3 days ago

@kneerose @spannercode You are free to test it again.

kneerose commented 10 minutes ago

CC: @bosko-m
Based on the provided response, the issue now appears to be resolved.
