Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

all_permissions? function returns true even if permission set given is not within the list of permissions provided and compiled #708

Open
kairos0ne opened this issue Sep 19, 2022 · 0 comments
Open

all_permissions? function returns true even if permission set given is not within the list of permissions provided and compiled #708

kairos0ne opened this issue Sep 19, 2022 · 0 comments

Comments

@kairos0ne
Copy link

Steps to Reproduce

I have a case in plug router as such.

 case conn.params["action"] do

            "create" ->
              %{"body" => record} = conn.params

              if check_if_table_exixts(record["id"]) do
                perms = create_table_helper(get_table_name(record["id"])) |> IO.inspect()
                claims = Guardian.Plug.current_claims(conn)
                has_all_these_things? = claims
                  |> Dynamic.Guardian.decode_permissions_from_claims |> IO.inspect()
                  |> Dynamic.Guardian.all_permissions?(perms) |> IO.inspect()
                if has_all_these_things? do
                DataHandler.Request.create(conn, opts)
                else
                  send_resp(conn, 403, Jason.encode!(%{"error" => "unautherized"}))
                end
              else
                send_resp(conn, 400, Jason.encode!(%{"error" => "table does not exist"}))
              end


            "update" ->
              %{"body" => record} = conn.params
              perms = update_table_helper(get_table_name(record["id"])) |> IO.inspect()
              has_all_things? =
                Guardian.Plug.current_claims(conn)
                |> Dynamic.Guardian.decode_permissions_from_claims()
                |> Dynamic.Guardian.all_permissions?(perms)
              if has_all_things? do
                DataHandler.Request.update(conn, opts)
              else
                send_resp(conn, 403, Jason.encode!(%{"error" => "unautherized"}))
              end

            "delete" ->
              %{"body" => record} = conn.params
              perms = delete_table_helper(get_table_name(record["id"])) |> IO.inspect()
              has_all_things? =
                Guardian.Plug.current_claims(conn)
                |> Dynamic.Guardian.decode_permissions_from_claims()
                |> Dynamic.Guardian.all_permissions?(perms)
              if has_all_things? do
                DataHandler.Request.delete(conn, opts)
              else
                send_resp(conn, 403, Jason.encode!(%{"error" => "unautherized"}))
              end

            "read" ->
              %{"body" => record} = conn.params
              perms = read_table_helper(get_table_name(record["id"])) |> IO.inspect()
              has_all_these_things? =
                Guardian.Plug.current_claims(conn)
                |> Dynamic.Guardian.decode_permissions_from_claims() |> IO.inspect()
                |> Dynamic.Guardian.all_permissions?(perms) |> IO.inspect()
              if has_all_these_things? do
                DataHandler.Request.read(conn, opts)
              else
                send_resp(conn, 403, Jason.encode!(%{"error" => "unautherized"}))
              end
            _ ->
              send_resp(conn, 403, Jason.encode!(%{"error" => "no action provided"}))
      end

Im testing the read case match - I have a macro that generates the permission as %{ <table_name> : [:<table_name>_read]

I'm logging the objects to iex with IO.inspect

as you can see in the logs I've logged the available permissions and the provided permission set:

even though the permission set is not within the structure or claims the function all_permissions? returns 'true'

Logs

iex|1|▶▶▶ 10:59:00.581 [debug] POST /api/v1/data
10:59:00.687 [debug] QUERY OK source="users" db=12.2ms decode=2.1ms queue=1.0ms idle=154.7ms
SELECT u0."id", u0."name", u0."email", u0."password_hash", u0."inserted_at", u0."updated_at", r1."id", r1."name", r1."permissions", r1."registerable", r1."inserted_at", r1."updated_at" FROM "users" AS u0 LEFT OUTER JOIN "user_roles" AS u2 ON u2."user_id" = u0."id" LEFT OUTER JOIN "roles" AS r1 ON u2."role_id" = r1."id" WHERE (u0."id" = $1) [<<18, 84, 245, 201, 110, 29, 71, 214, 138, 58, 156, 108, 6, 206, 177, 122>>]
10:59:00.696 [debug] QUERY OK source="users" db=2.6ms idle=177.4ms
SELECT u0."id", u0."name", u0."email", u0."password_hash", u0."inserted_at", u0."updated_at", r1."id", r1."name", r1."permissions", r1."registerable", r1."inserted_at", r1."updated_at" FROM "users" AS u0 LEFT OUTER JOIN "user_roles" AS u2 ON u2."user_id" = u0."id" LEFT OUTER JOIN "roles" AS r1 ON u2."role_id" = r1."id" WHERE (u0."id" = $1) [<<18, 84, 245, 201, 110, 29, 71, 214, 138, 58, 156, 108, 6, 206, 177, 122>>]
10:59:00.733 [debug] QUERY OK source="base" db=3.6ms queue=0.8ms idle=212.9ms
SELECT TRUE FROM "base" AS b0 WHERE (b0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.735 [debug] QUERY OK source="tables" db=0.9ms queue=0.9ms idle=217.5ms
SELECT TRUE FROM "tables" AS t0 WHERE (t0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.737 [debug] QUERY OK source="tables" db=0.8ms queue=0.7ms idle=219.7ms
SELECT t0."id", t0."name", t0."parent", t0."permissions", t0."schema", t0."relations", t0."inserted_at", t0."updated_at" FROM "tables" AS t0 WHERE (t0."id" = $1) [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.741 [debug] QUERY OK source="base" db=3.7ms idle=221.3ms
SELECT TRUE FROM "base" AS b0 WHERE (b0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.742 [debug] QUERY OK source="tables" db=1.4ms idle=225.2ms
SELECT TRUE FROM "tables" AS t0 WHERE (t0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.743 [debug] QUERY OK source="tables" db=0.8ms idle=226.8ms
SELECT t0."id", t0."name", t0."parent", t0."permissions", t0."schema", t0."relations", t0."inserted_at", t0."updated_at" FROM "tables" AS t0 WHERE (t0."id" = $1) [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
%{test_table5: [:read_test_table5]}
%{
  groups: [:create_groups, :delete_groups, :read_groups, :update_groups],
  groups_roles: [:create_groups_roles, :delete_groups_roles, :read_groups_roles,
   :update_groups_roles],
  groups_users: [:create_groups_users, :delete_groups_users, :read_groups_users,
   :update_groups_users],
  records: [:create_records, :delete_records, :read_records, :update_records],
  roles: [:create_roles, :delete_roles, :read_roles, :update_roles],
  tables: [:create_tables, :delete_tables, :read_tables, :update_tables],
  user_groups: [:create_user_groups, :delete_user_groups, :read_user_groups,
   :update_user_groups],
  users: [:create_users, :delete_users, :read_users, :update_users],
  users_roles: [:create_users_roles, :delete_users_roles, :read_users_roles,
   :update_users_roles],
  views: [:create_views, :delete_views, :read_views, :update_views]
}
true
10:59:00.747 [debug] QUERY OK source="base" db=3.5ms idle=228.0ms
SELECT TRUE FROM "base" AS b0 WHERE (b0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.749 [debug] QUERY OK source="tables" db=1.3ms idle=231.7ms
SELECT TRUE FROM "tables" AS t0 WHERE (t0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.752 [debug] QUERY OK source="base" db=3.3ms idle=65.2ms
SELECT TRUE FROM "base" AS b0 WHERE (b0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.753 [debug] QUERY OK source="tables" db=0.7ms idle=56.6ms
SELECT TRUE FROM "tables" AS t0 WHERE (t0."id" = $1) LIMIT 1 [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.754 [debug] QUERY OK source="tables" db=0.4ms idle=20.2ms
SELECT t0."id", t0."name", t0."parent", t0."permissions", t0."schema", t0."relations", t0."inserted_at", t0."updated_at" FROM "tables" AS t0 WHERE (t0."id" = $1) [<<237, 146, 46, 53, 9, 50, 70, 51, 144, 178, 151, 198, 225, 177, 77, 199>>]
10:59:00.757 [debug] QUERY OK db=0.4ms queue=0.3ms idle=20.6ms
SELECT json_agg(t.*) as data from test_table5 t; []
10:59:00.758 [debug] Sent 200 in 176ms

Expected Result

I would expect the function to return false as the provided permission %{test_table5: [:read_test_table5]} does not exist in the permissions:

%{
groups: [:create_groups, :delete_groups, :read_groups, :update_groups],
groups_roles: [:create_groups_roles, :delete_groups_roles, :read_groups_roles,
:update_groups_roles],
groups_users: [:create_groups_users, :delete_groups_users, :read_groups_users,
:update_groups_users],
records: [:create_records, :delete_records, :read_records, :update_records],
roles: [:create_roles, :delete_roles, :read_roles, :update_roles],
tables: [:create_tables, :delete_tables, :read_tables, :update_tables],
user_groups: [:create_user_groups, :delete_user_groups, :read_user_groups,
:update_user_groups],
users: [:create_users, :delete_users, :read_users, :update_users],
users_roles: [:create_users_roles, :delete_users_roles, :read_users_roles,
:update_users_roles],
views: [:create_views, :delete_views, :read_views, :update_views]
}

Actual Result

the function returns true for any permission

Worth noting im providing only one permission set to all_permissions?

Is there something Im missing here.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kairos0ne