ORNL / DataFed

A Federated Scientific Data Management System
https://ornl.github.io/DataFed/

Collection create route #818

Open JoshuaSBrown opened 2 years ago

JoshuaSBrown commented 2 years ago

There is a bug in the JavaScript coll_router.js: if the parent collection is not defined, then the owner_id is not defined.

    if ( req.body.parent ) {
        parent_id = g_lib.resolveCollID( req.body.parent, client );

        var owner_id = g_db.owner.firstExample({_from:parent_id})._to;
        if ( owner_id != client._id ){
            if ( !g_lib.hasManagerPermProj( client, owner_id )){
                var parent_coll = g_db.c.document( parent_id );

                if ( !g_lib.hasPermissions( client, parent_coll, g_lib.PERM_CREATE ))
                    throw g_lib.ERR_PERM_DENIED;
            }
            owner = g_db._document( owner_id );
        }
    }else{
        parent_id = g_lib.getRootID(client._id);
    }

    // Ensure owner of collection has at least one allocation
    if ( !g_db.alloc.firstExample({ _from: owner_id })){
        throw [g_lib.ERR_NO_ALLOCATION,"An allocation is required to create a collection."];
    }

JoshuaSBrown commented 1 year ago

This logic appears in the create route. Beneath the code excerpt, the owner_id is used to check if they have an allocation. So it looks like if a user is working in the 'root' collection then the allocation check is done against an undefined user.
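
The behaviour described in this issue, as an added example that is not part of the thread or the DataFed code base: it replays the excerpt's control flow against constructed in-memory stand-ins for `g_db` and `g_lib` and records which owner id reaches the allocation lookup. The helper names `makeEnv`, `requireAllocation`, `createAsReported` and `createWithDefaultOwner` are hypothetical, the permission checks are left out, and defaulting the owner to `client._id` is an assumed fix, not the project's.

```javascript
// Constructed stand-ins for g_db / g_lib; they record lookups, they do not model ArangoDB.
function makeEnv() {
    const owners = { "c/proj_coll": "p/proj1" };      // collection -> owner (constructed)
    const allocs = new Set(["u/alice", "p/proj1"]);   // ids with an allocation (constructed)
    const seen = [];                                  // owner ids passed to the alloc lookup
    return {
        seen,
        g_lib: {
            resolveCollID: (id) => id,
            getRootID: (uid) => "c/" + uid.replace("/", "_") + "_root",
            ERR_NO_ALLOCATION: 1,
        },
        g_db: {
            owner: { firstExample: (q) => ({ _to: owners[q._from] }) },
            alloc: { firstExample: (q) => { seen.push(q._from); return allocs.has(q._from) ? {} : null; } },
        },
    };
}

function requireAllocation(env, owner_id) {
    if (!env.g_db.alloc.firstExample({ _from: owner_id }))
        throw [env.g_lib.ERR_NO_ALLOCATION, "An allocation is required to create a collection."];
}

// Control flow of the excerpt: owner_id is assigned only inside the parent branch.
function createAsReported(env, client, body) {
    var parent_id;
    if (body.parent) {
        parent_id = env.g_lib.resolveCollID(body.parent, client);
        var owner_id = env.g_db.owner.firstExample({ _from: parent_id })._to; // `var` is hoisted
    } else {
        parent_id = env.g_lib.getRootID(client._id);
    }
    requireAllocation(env, owner_id);   // owner_id is undefined when no parent was given
    return { parent_id, owner_id };
}

// Assumed fix (not the project's): treat the client as owner of their root collection.
function createWithDefaultOwner(env, client, body) {
    var owner_id = client._id, parent_id = env.g_lib.getRootID(client._id);
    if (body.parent) {
        parent_id = env.g_lib.resolveCollID(body.parent, client);
        owner_id = env.g_db.owner.firstExample({ _from: parent_id })._to;
    }
    requireAllocation(env, owner_id);
    return { parent_id, owner_id };
}
```

In the stand-in, a lookup keyed on `undefined` matches nothing, so the reported version rejects a root-collection create even for a client that holds an allocation; what the real database does with that query is not modelled here.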