Meteor-Community-Packages / meteor-roles

Authorization package for Meteor, compatible with built-in accounts packages
http://meteor-community-packages.github.io/meteor-roles/
MIT License
921 stars, 167 forks

Roles.userIsInRole without role returns true #204

Closed idanwe closed 4 years ago

idanwe commented 8 years ago

I'm using an enum for my defined roles, and in one place I misspelled a role as UserRole.Supervisor instead of UserRole.SUPERVISOR. Then I found that Roles.userIsInRole(this.userId, undefined, 'real-madrid') returns true, e.g.

```js
Roles.addUsersToRoles(userId, UserRole.SUPERVISON, 'barcelona');
// UserRole.Supervison is not a key of the enum, so it evaluates to undefined
Roles.userIsInRole(userId, UserRole.Supervison, 'real-madrid'); // Supervisor is misspelled lowercase
// > true
```

I found it as a security vulnerability.

Do you have some best practice to avoid it? Is it on purpose?
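The failure mode in this report is a role argument that silently becomes `undefined` and then matches. The following is an added example, not code from meteor-roles or from the reporter: it assumes a constructed in-memory store standing in for the users collection and a hypothetical `makeRoleEnum` helper. It shows two defensive measures that make this class of bug fail closed: a Proxy-wrapped enum that throws on a misspelled key, and a `userIsInRole` check that treats `undefined`, empty strings and empty arrays as "not authorized" instead of matching them.

```javascript
// Added example (not meteor-roles' own code). Constructed role enum: the Proxy
// turns a typo such as UserRole.Supervison into a thrown TypeError instead of
// a silent `undefined` flowing into an authorization check.
function makeRoleEnum(names) {
  const target = Object.freeze(Object.fromEntries(names.map((n) => [n, n])));
  return new Proxy(target, {
    get(obj, key) {
      if (typeof key === 'symbol' || key in obj) return obj[key];
      throw new TypeError(`Unknown role "${String(key)}"`);
    },
  });
}

const UserRole = makeRoleEnum(['ADMIN', 'SUPERVISOR', 'EDITOR']);

// Constructed in-memory store: userId -> group -> Set of role names.
// This stands in for the users collection; it is not the package's data model.
const store = new Map();

// Reject undefined, null, empty strings and empty arrays up front so that a
// missing role can never match anything and yield a false "authorized".
function normalizeRoles(roles) {
  const list = Array.isArray(roles) ? roles : [roles];
  const valid = list.length > 0 && list.every((r) => typeof r === 'string' && r.length > 0);
  if (!valid) {
    throw new TypeError('roles must be a non-empty string or array of non-empty strings');
  }
  return list;
}

function addUsersToRoles(userId, roles, group) {
  const list = normalizeRoles(roles); // throws loudly at assignment time
  if (!store.has(userId)) store.set(userId, new Map());
  const groups = store.get(userId);
  if (!groups.has(group)) groups.set(group, new Set());
  for (const r of list) groups.get(group).add(r);
}

// Fail closed: malformed input returns false rather than throwing, so a
// misspelled role can never grant access, and a bad caller is still denied.
function userIsInRole(userId, roles, group) {
  let list;
  try {
    list = normalizeRoles(roles);
  } catch (e) {
    return false;
  }
  const groups = store.get(userId);
  if (!groups) return false;
  const assigned = groups.get(group);
  if (!assigned) return false;
  return list.some((r) => assigned.has(r));
}

// Usage mirroring the report above.
addUsersToRoles('u1', UserRole.SUPERVISOR, 'barcelona');
console.log(userIsInRole('u1', UserRole.SUPERVISOR, 'barcelona'));   // true
console.log(userIsInRole('u1', UserRole.SUPERVISOR, 'real-madrid')); // false
console.log(userIsInRole('u1', undefined, 'real-madrid'));           // false, not true
```

The enum Proxy catches the typo at the point where the role name is written, which is where a code review or a unit test would see it; the strict `normalizeRoles` check is the second line of defence for callers that pass a computed value rather than an enum member.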

mitar commented 8 years ago

Which version are you using? 1.0 or 2.0?

idanwe commented 8 years ago

alanning:roles@1.2.15

idanwe commented 8 years ago

@mitar What is the status of v2?

mitar commented 8 years ago

I think it is ready, but it is waiting for @alanning to release it (or at least to release a release candidate).

mitar commented 7 years ago

I made a test for 2.0 in c5e27a83ba88eecae00a28283f8ad93bc83916d0 and it is returning false for unknown roles.

mitar commented 7 years ago

And for 1.0 I made e486f5a34f93eff514205af58ace2c64fc9b2909. I cannot reproduce what you are reporting here, so I think you have an issue on your side.