What happened?
We can update an env from another app_id if we just change the :env_id parameter in the URL.
It seems there is no check that the :env_id is a child of the :app_id.
Also, if someone pays the subscription, everybody will be able to update the app using the API.
The authorize rules act as an OR if placed in the same function.
What browsers are you seeing the problem on?
Other (specify above)
Version
lenra/server:1.3.2
Relevant log output
```elixir
def update(conn, %{"env_id" => env_id} = params) do
  with {:ok, _app} <- get_app_and_allow(conn, params),
       {:ok, env} <- Apps.fetch_env(env_id), # ←← Here: looked up by env_id alone, not scoped to the app just authorized
       {:ok, %{updated_env: env}} <- Apps.update_env(env.id, params) do
    conn
    |> reply(env)
  end
end

defmodule LenraWeb.EnvsController.Policy do
  # Clauses of a multi-clause function are tried in order; the first one that
  # matches grants access, so the two rules below combine as an OR.
  def authorize(:update, %User{id: user_id}, %App{creator_id: user_id}), do: true
  def authorize(:update, %App{id: app_id}, %Subscription{application_id: app_id}), do: true
end
```
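The core of the first problem is that the environment is fetched by its id alone, so the app-level authorization never constrains which env gets updated. The following is an added example, not code from lenra/server, showing the vulnerable lookup next to an app-scoped one; the `EnvScopeExample` module, its `fetch_env/2` signature and the in-memory sample rows are all constructed for illustration.

```elixir
# Added example (not lenra/server code): scope the env lookup to the
# app that was already authorized, instead of trusting :env_id from the URL.
defmodule EnvScopeExample do
  # Constructed sample data standing in for database rows.
  @envs [
    %{id: 1, application_id: 10, name: "prod"},
    %{id: 2, application_id: 10, name: "staging"},
    %{id: 3, application_id: 20, name: "prod"}
  ]

  # Vulnerable shape: resolves the env by id only, so a caller authorized for
  # app 10 can still reach env 3, which belongs to app 20.
  def fetch_env_unscoped(env_id) do
    case Enum.find(@envs, &(&1.id == env_id)) do
      nil -> {:error, :not_found}
      env -> {:ok, env}
    end
  end

  # Hardened shape: the env must belong to the authorized app. Returning the
  # same :not_found for "wrong app" and "missing" avoids leaking which ids exist.
  def fetch_env(app_id, env_id) do
    case Enum.find(@envs, &(&1.id == env_id and &1.application_id == app_id)) do
      nil -> {:error, :not_found}
      env -> {:ok, env}
    end
  end

  # Controller-style flow: app check happens before this call; the env lookup
  # then carries the app id forward so the two ids are tied together.
  def update(app_id, %{"env_id" => env_id} = params) do
    with {:ok, env} <- fetch_env(app_id, env_id) do
      {:ok, Map.put(env, :name, Map.get(params, "name", env.name))}
    end
  end
end

# Usage (run with `elixir env_scope_example.exs`):
IO.inspect(EnvScopeExample.fetch_env_unscoped(3))
# {:ok, %{id: 3, application_id: 20, name: "prod"}} even for an app 10 caller
IO.inspect(EnvScopeExample.update(10, %{"env_id" => 3}))
# {:error, :not_found}
IO.inspect(EnvScopeExample.update(10, %{"env_id" => 2, "name" => "qa"}))
# {:ok, %{id: 2, application_id: 10, name: "qa"}}
```

With Ecto the equivalent lookup is `Repo.get_by(Environment, id: env_id, application_id: app_id)`, assuming the env schema carries an `application_id` field; the important property is that both ids appear in the same query. The second problem (the subscription clause) is separate: because the `authorize/3` clauses match independently, the subscription rule needs to relate the subscription to the requesting user as well, otherwise any user satisfies it once the app is paid for.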