lenra-io / server

GNU Affero General Public License v3.0

[Bug]: Can update env from other app_id #532

Closed shiipou closed 5 months ago

shiipou commented 5 months ago

What happened?

We can update an env from another app_id if we just change the :env_id parameter in the URL. It seems there is no check that the :env_id is a child of the :app_id.

Also, if someone pays the subscription, everybody will be able to update the app using the API. The authorize rules are an OR if placed in the same function.

What browsers are you seeing the problem on?

Other (specify above)

Version

lenra/server:1.3.2

Relevant log output

defmodule LenraWeb.EnvsController do
  def update(conn, %{"env_id" => env_id} = params) do
    with {:ok, _app} <- get_app_and_allow(conn, params),
         # ←← Here: the env is fetched by env_id alone, never checked against the app
         {:ok, env} <- Apps.fetch_env(env_id),
         {:ok, %{updated_env: env}} <- Apps.update_env(env.id, params) do
      conn
      |> reply(env)
    end
  end
end

defmodule LenraWeb.EnvsController.Policy do
  # First clause binds the user; second clause matches on App and Subscription only
  def authorize(:update, %User{id: user_id}, %App{creator_id: user_id}), do: true
  def authorize(:update, %App{id: app_id}, %Subscription{application_id: app_id}), do: true
end
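The two findings in this report (an env lookup that ignores the app it should belong to, and a policy clause that never binds the user) have the same fix shape: scope every lookup by the parent id the caller was authorized for, and make the user a mandatory pattern in every authorize clause. The following is an added, self-contained Elixir sketch of that shape; it is not Lenra's code. It uses in-memory maps in place of the project's Ecto schemas, and the module name `ScopedEnvs`, the fixtures, and the rule that a subscription is an additional requirement on top of ownership are all assumptions made for the example.

```elixir
# Added example, not code from the lenra-io/server project.
# Constructed in-memory fixtures stand in for the database (assumption).
defmodule ScopedEnvs do
  @apps %{1 => %{id: 1, creator_id: 10}, 2 => %{id: 2, creator_id: 20}}
  @envs %{
    100 => %{id: 100, application_id: 1, name: "prod"},
    200 => %{id: 200, application_id: 2, name: "prod"}
  }
  # Only app 1 has a paid subscription in this constructed data set.
  @subscriptions %{1 => %{application_id: 1}}

  def fetch_app(app_id), do: fetch_or_not_found(@apps, app_id)

  # Hardened lookup: the env must carry the app_id the caller was
  # authorized for. An env that belongs to another app is reported as
  # :not_found, so a changed :env_id in the URL reveals nothing and
  # updates nothing.
  def fetch_env(app_id, env_id) do
    case Map.fetch(@envs, env_id) do
      {:ok, %{application_id: ^app_id} = env} -> {:ok, env}
      _ -> {:error, :not_found}
    end
  end

  # Every clause binds the user. The subscription is checked in addition
  # to ownership (assumed semantics), never as a substitute for it, so a
  # paid subscription on the app does not open it to everybody.
  def authorize(:update, %{id: user_id}, %{id: app_id, creator_id: user_id}) do
    Map.has_key?(@subscriptions, app_id)
  end

  def authorize(:update, _user, _app), do: false

  # Controller-style flow: resolve the app, authorize the user against it,
  # then fetch the env *through* that app id rather than by env_id alone.
  def update(user, %{"app_id" => app_id, "env_id" => env_id}) do
    with {:ok, app} <- fetch_app(app_id),
         true <- authorize(:update, user, app) || {:error, :forbidden},
         {:ok, env} <- fetch_env(app.id, env_id) do
      {:ok, env}
    end
  end

  defp fetch_or_not_found(map, key) do
    case Map.fetch(map, key) do
      {:ok, value} -> {:ok, value}
      :error -> {:error, :not_found}
    end
  end
end

# Demo: the owner of app 1 updating its own env, the same owner pointing
# the URL at an env of app 2, and an unrelated user on app 1.
owner = %{id: 10}
IO.inspect(ScopedEnvs.update(owner, %{"app_id" => 1, "env_id" => 100}))
IO.inspect(ScopedEnvs.update(owner, %{"app_id" => 1, "env_id" => 200}))
IO.inspect(ScopedEnvs.update(%{id: 30}, %{"app_id" => 1, "env_id" => 100}))
```

Run it with `elixir scoped_envs.exs`. The first call succeeds, the second is refused with `{:error, :not_found}` because env 200 does not belong to app 1, and the third is refused with `{:error, :forbidden}` because user 30 is not the creator. The key design choice is in `fetch_env/2`: the ownership constraint lives in the lookup itself (in Ecto it would be a `where: e.application_id == ^app_id` on the query), so a controller cannot forget to apply it.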
jonas-martinez commented 5 months ago

@taorepoara We might need to prioritise this issue.

taorepoara commented 5 months ago

:tada: This issue has been resolved in version 1.3.3 :tada:

The release is available on:

Your semantic-release bot :package::rocket: