OpenFn / lightning

OpenFn/Lightning ⚡️ is the newest version of the OpenFn DPG and provides a web UI to visually manage complex workflow automation projects.
https://openfn.github.io/lightning/
GNU Lesser General Public License v3.0

Authorization error when project is `nil` or invalid `project_id` #835

Closed mtuchi closed 1 year ago

mtuchi commented 1 year ago

Describe the bug

When a user enters a valid project uuid in the URL but that project uuid does not exist, an error will be thrown.

I have reproduced this locally on main:

To Reproduce
Steps to reproduce the behavior:

  1. Go to the project dashboard
  2. Click on the address bar and change the last character of the project uuid, e.g. abb2e086-8d79-42b2-94d1-b56c67cef5fb
  3. Press enter
  4. See error:
[error] #PID<0.1145.0> running Phoenix.Endpoint.SyncCodeReloadPlug (connection #PID<0.1122.0>, stream id 7) terminated
Server: localhost:4000 (http)
Request: GET /projects/abb2e086-8d79-42b2-94d1-b56c67cef5fb/w
** (exit) an exception was raised:
    ** (FunctionClauseError) no function clause matching in Lightning.Policies.ProjectUsers.authorize/3
        (lightning 0.5.2) lib/lightning/policies/project_users.ex:40: Lightning.Policies.ProjectUsers.authorize(:access_project, #Lightning.Accounts.User<__meta__: #Ecto.Schema.Metadata<:loaded, "users">, id: "3ec80ce9-a4db-4115-92f8-b8fc3b87bf2b", first_name: "Amy", last_name: "Admin", email: "demo@openfn.org", confirmed_at: nil, role: :user, disabled: false, scheduled_deletion: nil, credentials: #Ecto.Association.NotLoaded<association :credentials is not loaded>, project_users: #Ecto.Association.NotLoaded<association :project_users is not loaded>, projects: #Ecto.Association.NotLoaded<association :projects is not loaded>, inserted_at: ~N[2023-05-11 15:54:17], updated_at: ~N[2023-05-11 15:54:17], ...>, nil)
        (bodyguard 2.4.2) lib/bodyguard.ex:28: Bodyguard.permit/4
        (lightning 0.5.2) lib/lightning/policies/permissions.ex:62: Lightning.Policies.Permissions.can?/4
        (lightning 0.5.2) lib/lightning_web/hooks.ex:26: LightningWeb.Hooks.on_mount/4
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/lifecycle.ex:149: anonymous fn/4 in Phoenix.LiveView.Lifecycle.mount/3
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/lifecycle.ex:215: Phoenix.LiveView.Lifecycle.reduce_socket/3
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/utils.ex:389: anonymous fn/6 in Phoenix.LiveView.Utils.maybe_call_live_view_mount!/5
        (telemetry 1.2.1) /Users/openfn/Workspace/Lightning/deps/telemetry/src/telemetry.erl:321: :telemetry.span/3
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/static.ex:278: Phoenix.LiveView.Static.call_mount_and_handle_params!/5
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/static.ex:119: Phoenix.LiveView.Static.render/3
        (phoenix_live_view 0.18.18) lib/phoenix_live_view/controller.ex:39: Phoenix.LiveView.Controller.live_render/3
        (phoenix 1.7.2) lib/phoenix/router.ex:430: Phoenix.Router.__call__/5
        (lightning 0.5.2) lib/lightning_web/endpoint.ex:1: LightningWeb.Endpoint.plug_builder_call/2
        (lightning 0.5.2) lib/lightning_web/endpoint.ex:1: LightningWeb.Endpoint."call (overridable 3)"/2
        (lightning 0.5.2) lib/plug/debugger.ex:136: LightningWeb.Endpoint."call (overridable 4)"/2
        (lightning 0.5.2) lib/lightning_web/endpoint.ex:1: LightningWeb.Endpoint.call/2
        (phoenix 1.7.2) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4
        (plug_cowboy 2.6.1) lib/plug/cowboy/handler.ex:11: Plug.Cowboy.Handler.init/2
        (cowboy 2.9.0) /Users/openfn/Workspace/Lightning/deps/cowboy/src/cowboy_handler.erl:37: :cowboy_handler.execute/2
        (cowboy 2.9.0) /Users/openfn/Workspace/Lightning/deps/cowboy/src/cowboy_stream_h.erl:306: :cowboy_stream_h.execute/3

Screenshots: [image: Capture-2023-05-12-085927]

Additional context: This bug happens when `project` is nil when we're fetching the project on this line: https://github.com/OpenFn/Lightning/blob/main/lib/lightning_web/hooks.ex#L19

Proposed solution: Check if the project exists before checking for permission.

```elixir
# Proposed change to the on_mount hook: handle a missing project before
# consulting the policy, since ProjectUsers.authorize/3 has no clause for nil.
if is_nil(project) do
  {:halt, redirect(socket, to: "/") |> put_flash(:nav, :not_found)}
else
  projects =
    Lightning.Projects.get_projects_for_user(socket.assigns.current_user)

  # Only a loaded project ever reaches the policy check.
  can_access_project =
    ProjectUsers
    |> Permissions.can?(
      :access_project,
      socket.assigns.current_user,
      project
    )

  if can_access_project do
    {:cont,
     socket
     |> assign_new(:project, fn -> project end)
     |> assign_new(:projects, fn -> projects end)}
  else
    {:halt, redirect(socket, to: "/") |> put_flash(:nav, :no_access)}
  end
end
```
mtuchi commented 1 year ago

Also, when a user enters an invalid uuid, the following error will be thrown:

[image: Capture-2023-05-12-090910]

See screen recording:

https://github.com/OpenFn/Lightning/assets/6592749/e8b4043d-4d9c-4117-9a33-085c35ee4c20
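The two failure modes above (a well-formed uuid for a project that does not exist, and a string that is not a uuid at all) both share one root cause: the lookup result reaches the Bodyguard policy before anyone has checked that a project was actually found. The following self-contained Elixir script is an added illustration, not code from Lightning or from the commenters. It stands in for Bodyguard, Ecto and LiveView with plain modules: `Demo.Policies.ProjectUsers.authorize/3` mirrors a policy whose clauses only match a loaded `%Project{}`, `Demo.Projects.get_project/1` uses an in-memory map plus a UUID regex in place of `Repo.get/2` and `Ecto.UUID.cast/1`, and `Demo.Hooks.on_mount/3` returns the same `{:halt, ...}` / `{:cont, ...}` shapes a LiveView hook would. All module, struct and field names and the project ids are assumptions constructed for the example; run it with `elixir project_scope_example.exs`.

```elixir
# Added example, not Lightning's code. Module/struct names and ids are assumptions.

defmodule Demo.User do
  defstruct [:id, :email, role: :user]
end

defmodule Demo.Project do
  defstruct [:id, :name, member_ids: []]
end

defmodule Demo.Projects do
  # Constructed in-memory data standing in for Repo.get/2.
  @projects %{
    "abb2e086-8d79-42b2-94d1-b56c67cef5fa" => %Demo.Project{
      id: "abb2e086-8d79-42b2-94d1-b56c67cef5fa",
      name: "Demo project",
      member_ids: ["u-1"]
    }
  }

  # Stand-in for Ecto.UUID.cast/1: a value that is not a uuid can never be a
  # binary_id primary key, so treat it as "no such project" before any lookup.
  @uuid ~r/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i

  def get_project(id) when is_binary(id) do
    if Regex.match?(@uuid, id), do: Map.get(@projects, id), else: nil
  end
end

defmodule Demo.Policies.ProjectUsers do
  # Bodyguard-style authorize/3: the only clause matches a loaded %Project{}.
  # Calling it with nil raises FunctionClauseError, like the trace in the issue.
  def authorize(:access_project, %Demo.User{id: uid}, %Demo.Project{member_ids: ids}) do
    uid in ids
  end
end

defmodule Demo.Hooks do
  alias Demo.{Policies.ProjectUsers, Projects}

  # Original ordering: the policy is consulted before checking the project exists.
  def on_mount_unguarded(user, project_id, socket) do
    project = Projects.get_project(project_id)

    if ProjectUsers.authorize(:access_project, user, project),
      do: {:cont, Map.put(socket, :project, project)},
      else: {:halt, :no_access}
  end

  # Proposed ordering: a missing or unparseable id is a not-found, never a
  # policy call, so the policy only ever sees a %Project{}.
  def on_mount(user, project_id, socket) do
    case Projects.get_project(project_id) do
      nil ->
        {:halt, :not_found}

      %Demo.Project{} = project ->
        if ProjectUsers.authorize(:access_project, user, project),
          do: {:cont, Map.put(socket, :project, project)},
          else: {:halt, :no_access}
    end
  end
end

member = %Demo.User{id: "u-1", email: "demo@openfn.org"}
outsider = %Demo.User{id: "u-2", email: "other@example.org"}
existing = "abb2e086-8d79-42b2-94d1-b56c67cef5fa"
# Last character changed, as in step 2 of the report (constructed id).
missing = "abb2e086-8d79-42b2-94d1-b56c67cef5fb"

# 1. Unguarded hook: a missing project crashes the mount with FunctionClauseError.
try do
  Demo.Hooks.on_mount_unguarded(member, missing, %{})
rescue
  e in FunctionClauseError -> IO.puts("unguarded: #{Exception.message(e)}")
end

# 2. Guarded hook: every bad input becomes a controlled halt.
IO.inspect(Demo.Hooks.on_mount(member, missing, %{}), label: "missing uuid")
IO.inspect(Demo.Hooks.on_mount(member, "not-a-uuid", %{}), label: "invalid uuid")
IO.inspect(Demo.Hooks.on_mount(outsider, existing, %{}), label: "non-member")
IO.inspect(elem(Demo.Hooks.on_mount(member, existing, %{}), 0), label: "member")
```

One caveat worth keeping in mind when adopting the ordering above: answering `:not_found` for an absent project and `:no_access` for an existing one tells an authenticated user whether a given id exists. With random UUIDs that is not a practical enumeration risk, but if identifiers were ever sequential or guessable, both branches should collapse to the same response.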

taylordowns2000 commented 1 year ago

@mtuchi, @elias-ba, this is already handled in a "good enough" sort of way on app.openfn.org.

In Phoenix, you only see the page that mtuchi shows when you're running an app on your local machine in dev mode (and it's a great screen to see!).
