rabblerouser / core

Pluggable, extensible membership database for community organising
GNU Affero General Public License v3.0

Admins can access the Network Admin app #119

Closed yearofthedan closed 7 years ago

yearofthedan commented 7 years ago

An admin can authenticate into the app and then manually navigate to the network admin endpoint (dashboard/admin).

While this isn’t a breach (the endpoints are secured and no data is returned), it exposes parts of the app which shouldn’t be available.

This occurs because the backend tests that a user is authenticated, but not their rights / user type, when returning the admin and network admin apps.

N.B. This also works in reverse. Network admins can access the admin endpoint.

yearofthedan commented 7 years ago

Actually forgot there's only one app returned, but the switch is in the front end routing. For now I'm looking to return the user type as part of the request header to let the front end switch on it.

yearofthedan commented 7 years ago

There were a few changes for this fix. Here's the basic flow:

  1. In the initial request the server returns a user cookie with the user type, which is stored in the front end redux store.
  2. There's a react component which has a type property and wraps any component to be restricted.
  3. The component compares its type with the user type in the redux store and displays the content if there's a match.

We had previously talked about having one app route for all types of users, which this change enables, so I've also implemented this using RestrictedTo.
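The three-step flow above, as an added illustration that is not code from the rabblerouser project: a user-type cookie is parsed into a small redux-style store, and a RestrictedTo-style gate renders its wrapped content only when the stored user type matches its own type. It is plain JavaScript with no React dependency so it runs under Node as-is; the cookie name `userType`, the values `admin` and `networkAdmin`, and the dashboard names are assumptions. Because the cookie is readable and editable by the browser, this gate only decides what the UI shows; the secured backend endpoints described earlier in the issue remain the actual access control.

```javascript
// Added example (not from the rabblerouser codebase) of the cookie -> store -> gate flow.
// Assumed names: cookie "userType", user types "admin" and "networkAdmin".

// Parse a Cookie header string into a plain object. Malformed percent-encoding
// is kept raw rather than throwing, so a bad cookie cannot break the page load.
function parseCookies(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    if (name) cookies[name] = value;
  }
  return cookies;
}

// Minimal redux-style store: a reducer plus dispatch/getState.
const SET_USER_TYPE = 'SET_USER_TYPE';
const ALLOWED_TYPES = new Set(['admin', 'networkAdmin']); // assumed user types

function userReducer(state = { userType: null }, action) {
  switch (action.type) {
    case SET_USER_TYPE:
      // Only known user types are stored; anything else leaves the user unprivileged,
      // so an unexpected or tampered cookie value never unlocks a dashboard.
      return {
        ...state,
        userType: ALLOWED_TYPES.has(action.userType) ? action.userType : null,
      };
    default:
      return state;
  }
}

function createStore(reducer) {
  let state = reducer(undefined, { type: '@@INIT' });
  return {
    getState: () => state,
    dispatch: (action) => { state = reducer(state, action); return action; },
  };
}

// Step 1: lift the user type out of the cookie header into the store.
function loadUserTypeFromCookie(store, cookieHeader) {
  const { userType } = parseCookies(cookieHeader);
  store.dispatch({ type: SET_USER_TYPE, userType: userType || null });
  return store.getState().userType;
}

// Steps 2 and 3: a RestrictedTo-style gate compares its required type with the
// store's user type and returns the wrapped content on a match, otherwise null
// (what a React component returns to render nothing).
function restrictedTo(requiredType, content, store) {
  return store.getState().userType === requiredType ? content : null;
}

// One app route for every user type: each dashboard is gated by its own type,
// so whichever dashboard matches the stored type is the only one rendered.
function renderDashboard(store) {
  return {
    admin: restrictedTo('admin', 'AdminDashboard', store),
    networkAdmin: restrictedTo('networkAdmin', 'NetworkAdminDashboard', store),
  };
}

// Stand-alone usage with a constructed Cookie header.
const demoStore = createStore(userReducer);
loadUserTypeFromCookie(demoStore, 'session=abc123; userType=admin');
console.log(renderDashboard(demoStore));
```

The reducer's allow-list is the one place where an unknown value is turned into "no privileges"; without it, a user type the front end never heard of would still be stored and compared, which is harmless here but makes the gate's behaviour depend on what the server happens to send.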