theopensystemslab / planx-new

Plan✕ is a platform for creating and publishing digital planning services
https://editor.planx.uk
Mozilla Public License 2.0
13 stars 2 forks

fix: Switch to $client for API mutation and replace fetch with Store value in feedback comp #3652

Closed RODO94 closed 1 week ago

RODO94 commented 1 week ago

Addressing the bug: https://opensystemslab.slack.com/archives/C4B0CKQ3U/p1726047860980599

I found there was an issue with moveFlow in the API which was using the Public role to getTeamBySlug(). Found that this was unchecked for submission_email on Hasura.

Tried locally and it fixes the issue.

github-actions[bot] commented 1 week ago

🤖 Hasura Change Summary compared a subset of table metadata including permissions:

Updated Tables (1)

github-actions[bot] commented 1 week ago

Removed vultr server and associated DNS entries

RODO94 commented 1 week ago

Unfortunately, I don't think this is the right solution here.

submission_email should not be exposed via the public role as it's used to access "send to email" payloads (see https://trello.com/c/EeJb0QVC/2614-harden-download-application-files-endpoint?search_id=8c2b8fda-b422-445a-a594-ae0c9b0360d7 and https://www.notion.so/opensystemslab/Inadequate-hardening-on-Send-to-email-endpoint-02cb855f339b4a1bab49fc0ff8e0dd72?pvs=4)

As we know that "move Flow" is an authorised user only feature, a better solution here would be to ensure that the API is using the correct permission level for this action 👍

Ah yeah okay, this makes sense. It'd be better for the moveFlow to use $client rather than $public like in:

```ts
export const getUserAndTeam = async ({
  userEmail,
  teamSlug,
}: {
  userEmail: string;
  teamSlug: string;
}) => {
  // Authenticated client (not $public): lookups run with the API's own role,
  // so columns such as submission_email need not be opened up to the public role.
  const $client = getClient();

  const team = await $client.team.getBySlug(teamSlug);
  if (!team) throw Error(`Unable to find team matching slug ${teamSlug}`);

  const user = await $client.user.getByEmail(userEmail);
  if (!user) throw Error(`Unable to find user matching email ${userEmail}`);

  return { team, user };
};
```

@DafyddLlyr

DafyddLlyr commented 1 week ago

@RODO94 Yep, that should work without changing the column permission structure on Hasura 👍
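The two approaches weighed in this thread, as an added example that is not code from the planx-new repository: a regression check over Hasura select permissions that flags any sensitive column the `public` role can read, and the role-selection pattern the reviewers settle on, where an authorised-only action such as moving a flow resolves its team through the authenticated client instead of widening the public role. The metadata shape follows Hasura's exported metadata (table entries with `select_permissions`); the table contents, the `platformAdmin` role name, the `SENSITIVE_COLUMNS` list and the stub clients are constructed for this example and are not the project's API. The check is written generally, so it covers any table/column pair you list, not only `teams.submission_email`.

```typescript
// Added example (not from planx-new). Hasura select-permission shape, as exported
// in metadata: each table entry carries per-role column allowlists.
type HasuraSelectPermission = {
  role: string;
  permission: { columns: string[] | "*"; filter: Record<string, unknown> };
};

type HasuraTable = {
  table: { schema: string; name: string };
  select_permissions?: HasuraSelectPermission[];
};

type TeamRow = { id: number; slug: string; submission_email: string };

// Columns that must never be selectable through the unauthenticated role.
// teams.submission_email is the one discussed in the PR; extend as needed.
const SENSITIVE_COLUMNS: Record<string, string[]> = {
  teams: ["submission_email"],
};

// Columns `role` may select from `table` according to the metadata ([] if none).
function allowedColumns(meta: HasuraTable[], table: string, role: string): string[] | "*" {
  const t = meta.find((m) => m.table.name === table);
  const perm = t?.select_permissions?.find((p) => p.role === role);
  return perm ? perm.permission.columns : [];
}

// Returns "table.column" for every sensitive column that `role` can select.
// Run against exported metadata in CI so a change like the PR's first attempt
// (ticking submission_email for public) fails the build instead of shipping.
function findExposedColumns(meta: HasuraTable[], role: string): string[] {
  const exposed: string[] = [];
  for (const [table, cols] of Object.entries(SENSITIVE_COLUMNS)) {
    const allowed = allowedColumns(meta, table, role);
    for (const c of cols) {
      if (allowed === "*" || allowed.includes(c)) exposed.push(`${table}.${c}`);
    }
  }
  return exposed;
}

// Stand-in for a role-scoped Hasura client (constructed): getBySlug returns only
// the columns the role is permitted to select, mirroring column-level permissions.
function makeTeamClient(meta: HasuraTable[], role: string, rows: TeamRow[]) {
  return {
    async getBySlug(slug: string): Promise<Partial<TeamRow> | null> {
      const row = rows.find((r) => r.slug === slug);
      if (!row) return null;
      const allowed = allowedColumns(meta, "teams", role);
      const out: Record<string, unknown> = {};
      for (const [key, value] of Object.entries(row)) {
        if (allowed === "*" || allowed.includes(key)) out[key] = value;
      }
      return out as Partial<TeamRow>;
    },
  };
}

// Constructed metadata for the accepted approach: the public role is unchanged.
const METADATA: HasuraTable[] = [
  {
    table: { schema: "public", name: "teams" },
    select_permissions: [
      { role: "public", permission: { columns: ["id", "slug"], filter: {} } },
      { role: "platformAdmin", permission: { columns: "*", filter: {} } },
    ],
  },
];

// Constructed metadata for the rejected approach: submission_email ticked for public.
const REJECTED_METADATA: HasuraTable[] = [
  {
    table: { schema: "public", name: "teams" },
    select_permissions: [
      { role: "public", permission: { columns: ["id", "slug", "submission_email"], filter: {} } },
      { role: "platformAdmin", permission: { columns: "*", filter: {} } },
    ],
  },
];

// Constructed sample row.
const ROWS: TeamRow[] = [{ id: 1, slug: "demo-team", submission_email: "planning@example.test" }];

// The move-flow team lookup done the way the thread recommends: an authorised-only
// action resolves its team through the authenticated client, so the full row is
// available without changing what the public role can see.
async function resolveTeamForMoveFlow(slug: string): Promise<Partial<TeamRow>> {
  const $client = makeTeamClient(METADATA, "platformAdmin", ROWS); // stands in for getClient()
  const team = await $client.getBySlug(slug);
  if (!team) throw Error(`Unable to find team matching slug ${slug}`);
  return team;
}
```

`findExposedColumns(METADATA, "public")` returns an empty list, while the same call over `REJECTED_METADATA` returns `["teams.submission_email"]`; that is the assertion worth keeping in CI next to the metadata files. The `public` stub client returns the row with `submission_email` stripped, and `resolveTeamForMoveFlow` gets the complete row through the authenticated client without any permission change.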