validate mongo id in getPrivilegeLevelForProject

https://sentry.io/sharelatex-1/sl-web-server-prod/issues/204397665/
2024-11-21 20:47:08 -05:00 · 2017-03-17 14:42:07 +00:00 · 2017-03-17 14:42:07 +00:00 · 625fa810c2
commit 625fa810c2
parent 8ee2e5ba63
2 changed files with 18 additions and 1 deletions
--- a/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee
+++ b/services/web/app/coffee/Features/Authorization/AuthorizationManager.coffee
@ -4,6 +4,8 @@ User = require("../../models/User").User
 PrivilegeLevels = require("./PrivilegeLevels")
 PublicAccessLevels = require("./PublicAccessLevels")
 Errors = require("../Errors/Errors")
+ObjectId = require("mongojs").ObjectId
+

 module.exports = AuthorizationManager =
 	# Get the privilege level that the user has for the project
@ -13,6 +15,8 @@ module.exports = AuthorizationManager =
 	#   * becausePublic: true if the access level is only because the project is public.
 	getPrivilegeLevelForProject: (user_id, project_id, callback = (error, privilegeLevel, becausePublic) ->) ->
 		getPublicAccessLevel = () ->
+			if !ObjectId.isValid(project_id)
+				return callback(new Error("invalid project id"))
 			Project.findOne { _id: project_id }, { publicAccesLevel: 1 }, (error, project) ->
 				return callback(error) if error?
 				if !project?
--- a/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee
+++ b/services/web/test/UnitTests/coffee/Authorization/AuthorizationManagerTests.coffee
@ -136,7 +136,20 @@ describe "AuthorizationManager", ->
 			it "should return a NotFoundError", ->
 				@AuthorizationManager.getPrivilegeLevelForProject @user_id, @project_id, (error) ->
 					error.should.be.instanceof Errors.NotFoundError
-	
+
+		describe "when the project id is not validssssssss", ->
+			beforeEach ->
+				@AuthorizationManager.isUserSiteAdmin.withArgs(@user_id).yields(null, false)
+				@CollaboratorsHandler.getMemberIdPrivilegeLevel
+					.withArgs(@user_id, @project_id)
+					.yields(null, "readOnly")
+
+			it "should return a error", (done)->
+				@AuthorizationManager.getPrivilegeLevelForProject undefined, "not project id", (err) =>
+					@Project.findOne.called.should.equal false
+					expect(err).to.exist
+					done()
+
 	describe "canUserReadProject", ->
 		beforeEach ->
 			@AuthorizationManager.getPrivilegeLevelForProject = sinon.stub()