Merge pull request #14859 from overleaf/jpa-web-restrict-ip-override

[web] ignore ip override for non admin users GitOrigin-RevId: c11b938fa05d0328531b0ce088c7c3c29a9f13f5
2024-11-21 20:47:08 -05:00 · 2023-09-15 15:59:13 +02:00 · 2023-09-15 15:59:13 +02:00 · fb4b6e0e41
commit fb4b6e0e41
parent 42ea0ebf0d
2 changed files with 46 additions and 3 deletions
--- a/services/web/app/src/Features/Subscription/SubscriptionController.js
+++ b/services/web/app/src/Features/Subscription/SubscriptionController.js
@ -25,6 +25,7 @@ const SubscriptionHelper = require('./SubscriptionHelper')
 const Features = require('../../infrastructure/Features')
 const UserGetter = require('../User/UserGetter')
 const Modules = require('../../infrastructure/Modules')
+const AuthorizationManager = require('../Authorization/AuthorizationManager')

 const groupPlanModalOptions = Settings.groupPlanModalOptions
 const validGroupPlanModalOptions = {
@ -814,9 +815,15 @@ async function redirectToHostedPage(req, res) {
 }

 async function _getRecommendedCurrency(req, res) {
-  const currencyLookup = await GeoIpLookup.promises.getCurrencyCode(
-    req.query?.ip || req.ip
-  )
+  const userId = SessionManager.getLoggedInUserId(req.session)
+  let ip = req.ip
+  if (
+    req.query?.ip &&
+    (await AuthorizationManager.promises.isUserSiteAdmin(userId))
+  ) {
+    ip = req.query.ip
+  }
+  const currencyLookup = await GeoIpLookup.promises.getCurrencyCode(ip)
  const countryCode = currencyLookup.countryCode
  let assignmentINR, assignmentLATAM
  let recommendedCurrency = currencyLookup.currencyCode
--- a/services/web/test/unit/src/Subscription/SubscriptionControllerTests.js
+++ b/services/web/test/unit/src/Subscription/SubscriptionControllerTests.js
@ -109,6 +109,11 @@ describe('SubscriptionController', function () {
      },
      siteUrl: 'http://de.sharelatex.dev:3000',
    }
+    this.AuthorizationManager = {
+      promises: {
+        isUserSiteAdmin: sinon.stub().resolves(false),
+      },
+    }
    this.GeoIpLookup = {
      isValidCurrencyParam: sinon.stub().returns(true),
      getCurrencyCode: sinon.stub(),
@ -135,6 +140,7 @@ describe('SubscriptionController', function () {
    }
    this.SubscriptionController = SandboxedModule.require(modulePath, {
      requires: {
+        '../Authorization/AuthorizationManager': this.AuthorizationManager,
        '../SplitTests/SplitTestHandler': this.SplitTestV2Hander,
        '../Authentication/SessionManager': this.SessionManager,
        './SubscriptionHandler': this.SubscriptionHandler,
@ -183,6 +189,36 @@ describe('SubscriptionController', function () {
      })
    })

+    describe('ip override', function () {
+      beforeEach(function () {
+        this.req.ip = '1.2.3.4'
+        this.req.query = { ip: '5.6.7.8' }
+        this.GeoIpLookup.promises.getCurrencyCode.withArgs('1.2.3.4').resolves({
+          currencyCode: 'GBP',
+        })
+        this.GeoIpLookup.promises.getCurrencyCode.withArgs('5.6.7.8').resolves({
+          currencyCode: 'USD',
+        })
+      })
+      it('should ignore override for non admin', function (done) {
+        this.res.render = (page, opts) => {
+          opts.recommendedCurrency.should.equal('GBP')
+          done()
+        }
+        this.AuthorizationManager.promises.isUserSiteAdmin.resolves(false)
+        this.SubscriptionController.plansPage(this.req, this.res)
+      })
+
+      it('should accept override for admin', function (done) {
+        this.res.render = (page, opts) => {
+          opts.recommendedCurrency.should.equal('USD')
+          done()
+        }
+        this.AuthorizationManager.promises.isUserSiteAdmin.resolves(true)
+        this.SubscriptionController.plansPage(this.req, this.res)
+      })
+    })
+
    describe('groupPlanModal data', function () {
      it('should pass local currency if valid', function (done) {
        this.res.render = (page, opts) => {