[Bug] Secured Route / Auth wall

[pranshugupta54]

Currently routes on admin portal rely only on local storage, which allows to change the local storage and access those pages. These should be implemented via backend call to check if the user is superadmn / admin or not.

Current implementation: 1) Parent SecuredRoute - checks if user is logged in using local storage

We can keep this as it is. 2) Child SuperAdminScreen

The component SuperAdminScreen currently has no check and each child element checks individually from localStorage Possible fix: Add checkAuth inside SuperAdminScreen component directly via backend

• /orglist - we can ignore this as it's public route and any user can get all orgs.
• /member - gets detail about the user with userId - it only checks @auth (this means any logged in user can get list of all users on the portal) - Should check Superadmin or Admin of a common Org
• /requests - doesnt seem to work
• /users - gets all users - it only checks @auth (this means any logged in user can get list of all users on the portal) - Should check Superadmin
• /communityProfile - since this data is public so no need to fix this, (Admin or Auth users cant change anyhow even if they can view the page)

3) Org routes

These have no check for auth, so anyone can access any page. Possible fix: OrganizationScreen component should make a backend call to check user.

References:

1. https://github.com/PalisadoesFoundation/talawa-api/issues/1967
2. https://github.com/PalisadoesFoundation/talawa-api/issues/2103
3. https://github.com/PalisadoesFoundation/talawa-api/issues/1837
4. https://github.com/PalisadoesFoundation/talawa-admin/issues/1803
5. https://thepalisadoes-dyb6419.slack.com/archives/CSWGQ70UQ/p1711641406421999
6. https://github.com/PalisadoesFoundation/talawa-api/issues/1837

[pranshugupta54]

We can not directly add requirement of Superadmin/Admin to organization queries because these queries are also used on the User Portal to get info.

If we plan to make changes to it, make sure to check: 1) List of orgs which users can join will be affected (They won't be able to see fields like number of members or address etc)

[pranshugupta54]

To fix: Users can access admin pages

[github-actions[bot]]

This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.

[pranshugupta54]

How about making a Json Web token which stores isSuperAdmin inside the token itself and is created on the server.

Steps:

• Create a token on server which has info like Super Admin or Admin
• Send it on Login/Signup
• Store it in localStorage
• Decode it on the client side to check if its admin

Benefit, since it's generated on server -> it can not be modified on the client side 🤔

[github-actions[bot]]

This issue did not get any activity in the past 10 days and will be closed in 180 days if no update occurs. Please check if the develop branch has fixed it and report again or close the issue.

[AnshulKahar2729]

How about making a proper architecture where the user will login signup on the site, upon successful login, user will get the JWT Token which will have payload of general details of user including their roles from the server. Now after the login, on each request will send the token in the header and backend we will verify this token while verifying the token we will get the details and role of the user and according to the we can send the corresponding data.