Closed peter-kwan closed 1 week ago
Confirmed from @treburn that he is seeing this when he assumed role into the customer accounts.
for now, is checking for any Praetorian collaborator sufficient?
Probably okay.
Regardless, checking for either research@praetorian.com or *@praetorian.com can be abused because anyone can add a collaborator any time:
Maybe in the backend Link account handler we enforce that non-MSP users can't add @praetorian.com collaborators?
Gave it more thought.
Checking for @praetorian.com to decide on whether to display the Upgrade button is sufficient.
Abusers can add a praetorian.com collaborator any day. That would serve to hide the Upgrade button. But whether or not we triage risk for them is our call. We will only triage those who clicked the Upgrade button.
That was my thought process as well.
peter.kwan@praetorian.com is in the MSP group essentially as a "paid customer"
Are groups exposed to the frontend? I don't see it in the API response.
```json
{
  "username": "geoff.storbeck+github@praetorian.com",
  "key": "#account#geoff.storbeck+github@praetorian.com#geoff.storbeck@praetorian.com",
  "name": "geoff.storbeck+github@praetorian.com",
  "member": "geoff.storbeck@praetorian.com",
  "value": "",
  "config": null,
  "updated": "2024-05-21T18:38:43Z",
  "ttl": 0
}
```
It is an API in the backend to Cognito. UI code does not have direct access to Cognito.
They are in the JWT claims, but only for the “real” user, and not the assumed user.
Put in this change https://github.com/praetorian-inc/chariot-ui/commit/db01e889f7d3f27d2a8fba978610bea29a821807
to satisfy
Checking for @praetorian.com to decide on whether to display the Upgrade button is sufficient.
Bug Description: peter.kwan@praetorian.com is in the MSP group essentially as a "paid customer". But the Upgrade Now button is visible on screen.
I believe it is because of this check: https://github.com/praetorian-inc/chariot-ui/blob/ff9ec412f30311539a7b96459e08bc5951784a3f/src/components/ui/Body.tsx#L28
Expected Behavior: For paid customers without a research@praetorian.com collaborator, we should not display the Upgrade Now button.
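The "hide Upgrade when a praetorian.com collaborator exists" rule discussed above, as an added example that is not chariot-ui's own code. It assumes the `member` field of the account record is the collaborator's address and that the key follows the `#account#<username>#<member>` format shown in the API response; the domain test is exact rather than a substring match, so lookalike domains do not hide the button.

```typescript
// Added example (not chariot-ui code): exact-domain collaborator check behind
// the Upgrade button display rule agreed in the thread.

interface AccountRecord {
  username: string; // account owner
  key: string;      // "#account#<username>#<member>" (format seen in the thread)
  member: string;   // collaborator address (assumed meaning of this field)
}

const INTERNAL_DOMAIN = 'praetorian.com';

// Returns the lower-cased domain part of an address, or null if malformed.
function emailDomain(email: string): string | null {
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Exact-domain match: a plain substring test on "@praetorian.com" would also
// accept "x@praetorian.com.example", which is not an internal address.
function isInternalCollaborator(member: string): boolean {
  return emailDomain(member.trim()) === INTERNAL_DOMAIN;
}

// Parses the record key format shown in the thread's API response.
function parseAccountKey(key: string): { username: string; member: string } | null {
  const parts = key.split('#');
  if (parts.length !== 4 || parts[0] !== '' || parts[1] !== 'account') return null;
  return { username: parts[2], member: parts[3] };
}

// UI rule: show Upgrade unless some collaborator is in the internal domain.
// This is only a display hint; whether an account is triaged is decided on the
// backend by who clicked Upgrade, so adding an internal-looking collaborator
// merely hides the button for that user.
function shouldShowUpgrade(records: AccountRecord[]): boolean {
  return !records.some(r => isInternalCollaborator(r.member));
}

// Constructed sample records (not real accounts).
const SAMPLE_RECORDS: AccountRecord[] = [
  { username: 'owner@example.com', key: '#account#owner@example.com#research@praetorian.com', member: 'research@praetorian.com' },
];
const LOOKALIKE_RECORDS: AccountRecord[] = [
  { username: 'owner@example.com', key: '#account#owner@example.com#x@praetorian.com.example', member: 'x@praetorian.com.example' },
];
```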