Merge pull request #1088 from sharelatex/ta-fix-entity-id-scope

Fix Scope Bug in Group Access Control GitOrigin-RevId: 7d2cb5fc08e0c7e4bd1b70c03b62620bb7dd8d41
2024-09-16 02:52:31 -04:00 · 2018-10-30 10:02:30 +00:00 · 2018-10-30 10:02:30 +00:00 · 1a9bb5f4eb
commit 1a9bb5f4eb
parent c18ca779ba
2 changed files with 26 additions and 2 deletions
--- a/services/web/app/coffee/Features/UserMembership/UserMembershipAuthorization.coffee
+++ b/services/web/app/coffee/Features/UserMembership/UserMembershipAuthorization.coffee
@ -6,13 +6,13 @@ Errors = require('../Errors/Errors')
 logger = require("logger-sharelatex")

 module.exports =
-	requireEntityAccess: (entityName, entityId = null) ->
+	requireEntityAccess: (entityName, entityIdOverride = null) ->
 		(req, res, next) ->
 			loggedInUser = AuthenticationController.getSessionUser(req)
 			unless loggedInUser
 				return AuthorizationMiddlewear.redirectToRestricted req, res, next

-			entityId = req.params.id unless entityId?
+			entityId = entityIdOverride or req.params.id
 			getEntity entityName, entityId, loggedInUser, (error, entity, entityConfig) ->
 				return next(error) if error?
 				unless entity?
--- a/services/web/test/unit/coffee/UserMembership/UserMembershipAuthorizationTests.coffee
+++ b/services/web/test/unit/coffee/UserMembership/UserMembershipAuthorizationTests.coffee
@ -73,3 +73,27 @@ describe "UserMembershipAuthorization", ->
 				sinon.assert.notCalled(@UserMembershipHandler.getEntity)
 				expect(@req.entity).to.not.exist
 				done()
+
+		it 'can override entity id', (done) ->
+			middlewear = @UserMembershipAuthorization.requireEntityAccess 'group', 'entity-id-override'
+			middlewear @req, null, (error) =>
+				expect(error).to.not.extist
+				sinon.assert.calledWithMatch(
+					@UserMembershipHandler.getEntity,
+					'entity-id-override',
+				)
+				done()
+
+		it "doesn't cache entity id between requests", (done) ->
+			middlewear = @UserMembershipAuthorization.requireEntityAccess 'group'
+			middlewear @req, null, (error) =>
+				expect(error).to.not.extist
+				lastCallArs = @UserMembershipHandler.getEntity.lastCall.args
+				expect(lastCallArs[0]).to.equal @req.params.id
+				newEntityId = 'another-mock-id'
+				@req.params.id = newEntityId
+				middlewear @req, null, (error) =>
+					expect(error).to.not.extist
+					lastCallArs = @UserMembershipHandler.getEntity.lastCall.args
+					expect(lastCallArs[0]).to.equal newEntityId
+					done()