Adds access control check for reminders
vicpatel committed Jul 8, 2021
1 parent 3bf0f6f commit 0334478
Showing 4 changed files with 118 additions and 3 deletions.
17 changes: 15 additions & 2 deletions system/service/reminder.go
Expand Up @@ -87,6 +87,10 @@ func (svc reminder) FindByID(ctx context.Context, ID uint64) (r *types.Reminder,
return err
}

if svc.checkAssignTo(ctx, r) {
return ReminderErrNotAllowedToRead()
}

raProps.setReminder(r)

return nil
Expand All @@ -100,14 +104,14 @@ func (svc reminder) FindByIDs(ctx context.Context, IDs ...uint64) (rr types.Remi
return nil, nil
}

rr, _, err = svc.Find(ctx, types.ReminderFilter{ReminderID: IDs})
rr, _, err = svc.Find(ctx, types.ReminderFilter{ReminderID: IDs, AssignedTo: svc.currentUser(ctx)})

return rr, nil
}

func (svc reminder) checkAssignee(ctx context.Context, rm *types.Reminder) (err error) {
// Check if user is assigning to someone else
if rm.AssignedTo != svc.currentUser(ctx) {
if svc.checkAssignTo(ctx, rm) {
if !svc.ac.CanAssignReminder(ctx) {
return ReminderErrNotAllowedToAssign()
}
Expand All @@ -116,6 +120,11 @@ func (svc reminder) checkAssignee(ctx context.Context, rm *types.Reminder) (err
return nil
}

// checkAssignTo compares current user with reminder.AssignedTo and return bool
func (svc reminder) checkAssignTo(ctx context.Context, rm *types.Reminder) (valid bool) {
return rm.AssignedTo != svc.currentUser(ctx)
}

func (svc reminder) currentUser(ctx context.Context) uint64 {
return intAuth.GetIdentityFromContext(ctx).Identity()
}
Expand Down Expand Up @@ -201,6 +210,10 @@ func (svc reminder) Dismiss(ctx context.Context, ID uint64) (err error) {
return ReminderErrNotFound()
}

if svc.checkAssignTo(ctx, r) {
return ReminderErrNotAllowedToDismiss()
}

raProps.setReminder(r)

// Assign changed values
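Review bot: `checkAssignTo` returns true when the reminder is *not* assigned to the caller, which is the opposite of what its name and the `valid` result name suggest, and the comment above it does not say which way the bool goes. Suggested doc: `// checkAssignTo reports whether rm is assigned to a user other than the current one; true means the caller is not the assignee.`, and naming the result `other` (or the method `assignedToOther`) would make the call sites in FindByID, checkAssignee and Dismiss read correctly. Dismiss (and, if its body mirrors the visible context, FindByID) now answers `ReminderErrNotFound()` for a missing ID but `ReminderErrNotAllowedToDismiss()`/`ReminderErrNotAllowedToRead()` for an existing reminder owned by someone else, so the distinct error confirms that a given ID exists; returning the not-found error in both cases avoids that if ID enumeration is a concern here. Whether Snooze and the other mutating methods received the same assignee guard is outside this diff.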
60 changes: 60 additions & 0 deletions system/service/reminder_actions.gen.go


6 changes: 6 additions & 0 deletions system/service/reminder_actions.yaml
Expand Up @@ -61,3 +61,9 @@ errors:

- error: notAllowedToAssign
message: "not allowed to assign reminders to other users"

- error: notAllowedToDismiss
message: "not allowed to dismiss reminders of other users"

- error: notAllowedToRead
message: "not allowed to read reminders of other users"
38 changes: 37 additions & 1 deletion tests/system/reminder_test.go
Expand Up @@ -21,7 +21,11 @@ func (h helper) clearReminders() {
}

func (h helper) makeReminder() *types.Reminder {
rm := &types.Reminder{Resource: "test:resource", AssignedTo: h.cUser.ID}
return h.makeReminderByUserID(h.cUser.ID)
}

func (h helper) makeReminderByUserID(userID uint64) *types.Reminder {
rm := &types.Reminder{Resource: "test:resource", AssignedTo: userID}
rm.ID = id.Next()
rm.CreatedAt = time.Now()
h.noError(store.CreateReminder(context.Background(), service.DefaultStore, rm))
Expand Down Expand Up @@ -98,6 +102,22 @@ func TestReminderRead(t *testing.T) {
End()
}

// TestReminderReadForbidden checks only user themself can read reminder assigned to them
func TestReminderReadForbidden(t *testing.T) {
h := newHelper(t)
h.clearReminders()

rm := h.makeReminderByUserID(id.Next())

h.apiInit().
Get(fmt.Sprintf("/reminder/%d", rm.ID)).
Header("Accept", "application/json").
Expect(t).
Status(http.StatusOK).
Assert(helpers.AssertError("not allowed to read reminders of other users")).
End()
}

func TestReminderList(t *testing.T) {
h := newHelper(t)
h.clearReminders()
Expand Down Expand Up @@ -179,6 +199,22 @@ func TestReminderDismiss(t *testing.T) {
End()
}

// TestReminderDismissForbidden checks only user themself can dismiss reminder assigned to them
func TestReminderDismissForbidden(t *testing.T) {
h := newHelper(t)
h.clearReminders()

rm := h.makeReminderByUserID(id.Next())

h.apiInit().
Patch(fmt.Sprintf("/reminder/%d/dismiss", rm.ID)).
Header("Accept", "application/json").
Expect(t).
Status(http.StatusOK).
Assert(helpers.AssertError("not allowed to dismiss reminders of other users")).
End()
}

func TestReminderSnooze(t *testing.T) {
h := newHelper(t)
h.clearReminders()
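Review bot: The new tests cover the forbidden read and dismiss paths, but nothing exercises the `AssignedTo: svc.currentUser(ctx)` filter that FindByIDs now applies, and TestReminderList is left unchanged. A list test that creates one reminder via `h.makeReminder()` and one via `h.makeReminderByUserID(id.Next())` and asserts only the first is returned would pin that behaviour. Since TestReminderSnooze exists but no `TestReminderSnoozeForbidden` was added, it is unclear from the diff whether snoozing another user's reminder is meant to be rejected; a test either way would document the intent. Both new tests rely on `Status(http.StatusOK)` plus an error body, which presumably follows the existing tests' convention but is worth confirming against TestReminderRead.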
