PhilanthropyDataCommons / service

A project for collecting and serving public information associated with grant applications
GNU Affero General Public License v3.0

Don't allow unauthenticated proposal access #932

Closed slifty closed 6 months ago

slifty commented 6 months ago

We recently updated the GET /proposals endpoint to only return proposals owned by the current user, but we did NOT add any restrictions to specific GET /proposal/:proposalId requests. This means someone could access any proposal via the API if they knew the proposal ID.

Instead, ownership rules should apply to all endpoints.
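The consistent ownership rule this issue asks for, as an added example that is not the PhilanthropyDataCommons/service code: one predicate drives both the list endpoint and the by-id lookup, so the by-id route cannot return a proposal the list would hide. The `Proposal`/`AuthContext` shapes and the in-memory rows are assumptions.

```typescript
// Added example, not the project's own code. Shapes and rows are assumptions
// modelled on the fields visible in the issue's sample responses.
interface Proposal {
  id: number;
  createdBy: number;
  opportunityId: number;
  externalId: string;
}

interface AuthContext {
  userId: number;
  isAdmin: boolean;
}

// Constructed sample rows standing in for the proposals table.
const PROPOSALS: Proposal[] = [
  { id: 112, createdBy: 5, opportunityId: 53, externalId: '2' },
  { id: 114, createdBy: 5, opportunityId: 54, externalId: '2' },
  { id: 200, createdBy: 9, opportunityId: 60, externalId: '7' },
];

class NotFoundError extends Error {
  constructor(id: number) {
    super(`The proposal was not found (id: ${id})`);
    this.name = 'NotFoundError';
  }
}

// Single source of truth for "may this caller see this proposal?".
// Every read path must go through it; adding a new route without it
// reintroduces the bug described above.
function canAccess(auth: AuthContext, p: Proposal): boolean {
  return auth.isAdmin || p.createdBy === auth.userId;
}

// GET /proposals: filtered by the shared predicate.
function listProposals(auth: AuthContext): Proposal[] {
  return PROPOSALS.filter((p) => canAccess(auth, p));
}

// The shape the issue describes as broken: lookup by id with no ownership
// check, so any caller who guesses an id gets the row.
function getProposalUnchecked(id: number): Proposal {
  const p = PROPOSALS.find((x) => x.id === id);
  if (p === undefined) throw new NotFoundError(id);
  return p;
}

// GET /proposals/:proposalId, hardened: same predicate as the list. A row the
// caller may not see is reported exactly like a missing one, so the response
// does not confirm that the id exists.
function getProposal(auth: AuthContext, id: number): Proposal {
  const p = PROPOSALS.find((x) => x.id === id);
  if (p === undefined || !canAccess(auth, p)) throw new NotFoundError(id);
  return p;
}
```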

reefdog commented 6 months ago

I think this might be broken. Locally:

Hitting http://localhost:3001/proposals?_page=1&_count=100&organization=10 returns:

{
  "entries": [
    {
      "id": 114,
      "versions": [...],
      "createdAt": "2024-04-19T16:32:58.714618-05:00",
      "createdBy": 5,
      "externalId": "2",
      "opportunityId": 54
    },
    {
      "id": 112,
      "versions": [...],
      "createdAt": "2024-04-19T16:32:54.533533-05:00",
      "createdBy": 5,
      "externalId": "2",
      "opportunityId": 53
    }
  ],
  "total": 110
}

But then hitting http://localhost:3001/proposals/114 returns:

{
  "name": "NotFoundError",
  "message": "The proposal was not found (id: 114)",
  "details": [
    {
      "name": "NotFoundError"
    }
  ]
}

slifty commented 6 months ago

@reefdog ah! checkAuthorization doesn't account for admin is the issue I bet.

reefdog commented 6 months ago

Huh. But in this case I am still checking one of my own. (I’m logged in as user 5, and the proposal is owned by it.)

reefdog commented 6 months ago

oh wait you mean the larger “only admins can get proposals at all” restriction, not “only admins can access entities that they didn’t create”?

slifty commented 6 months ago

@reefdog moved this to its own issue