Permission with using the editor #301

Open
yassine-jradbs opened this issue Apr 9, 2021 · 3 comments
@yassine-jradbs
Contributor

yassine-jradbs commented Apr 9, 2021

Description

By default, regular users who are not members of a workspace have access to edit a template of an email.

User story

  • As a regular user, when I log in and try to edit a template that is in a workspace I'm not a member of, I shouldn't have access to edit that template.


@yassine-jradbs
Contributor Author

yassine-jradbs commented Apr 12, 2021

Tasks

Server:

In mailing/mailing.controller

The function updateMosaico must check the user's rights to update the mail. Depending on the source (workspace or parentFolder), we will use hasAccess for the verification.

Steps:

  • Import workspaceService and folderService from workspace/workspace.service and folder/folder.service

In the "updateMosaico" function:

  • Check whether the value of mailing._parentFolder or mailing._workspace is undefined [if the value of mailing._parentFolder is undefined and the value of mailing._workspace is defined, that means that the mail is in a workspace, and vice versa] by adding conditions on these variables:

```js
// the mailing belongs to a workspace
if (mailing._parentFolder == undefined && mailing._workspace) {
  // ...
// the mailing belongs to a folder
} else if (mailing._workspace == undefined && mailing._parentFolder) {
  // ...
}
```

  • Declare the hasAccessOnWorkspace / hasAccessOnFolder variable under the condition of the defined variable (mailing._workspace or mailing._portfolio):

```js
// note the argument order differs between the two services
const hasAccessOnWorkspace = await workspaceService.hasAccess(user, mailing._workspace._id);
const hasAccessOnFolder = await folderService.hasAccess(mailing._parentFolder._id, user);
```

  • Use the boolean value of hasAccessOnWorkspace or hasAccessOnparentFolder to test the treatment:

```js
// inside the workspace branch:
if (hasAccessOnWorkspace) {
  mailing.data = req.body.data || mailing.data;
  mailing.name =
    modelsUtils.normalizeString(req.body.name) ||
    simpleI18n('default-mailing-name', user.lang);
  // https://mongoosejs.com/docs/schematypes.html#mixed
  mailing.markModified('data');
  await mailing.save();
  const mailingForMosaico = await Mailings.findOneForMosaico(
    query,
    req.user.lang
  );
  res.json(mailingForMosaico);
} else {
  throw new createError.NotFound();
}

// inside the parentFolder branch:
if (hasAccessOnparentFolder) {
  mailing.data = req.body.data || mailing.data;
  mailing.name =
    modelsUtils.normalizeString(req.body.name) ||
    simpleI18n('default-mailing-name', user.lang);
  // https://mongoosejs.com/docs/schematypes.html#mixed
  mailing.markModified('data');
  await mailing.save();
  const mailingForMosaico = await Mailings.findOneForMosaico(
    query,
    req.user.lang
  );
  res.json(mailingForMosaico);
} else {
  throw new createError.NotFound();
}
```

The full solution:

```js
const workspaceService = require('../workspace/workspace.service'); // add this at the top of the file
const folderService = require('../folder/folder.service.js'); // add this at the top of the file

async function updateMosaico(req, res) {
  const { user } = req;
  const { mailingId } = req.params;
  const query = modelsUtils.addGroupFilter(req.user, { _id: mailingId });
  const mailing = await Mailings.findOne(query);

  if (!mailing) throw new createError.NotFound();

  if (mailing._parentFolder == undefined && mailing._workspace) {
    // the mailing lives in a workspace: the user must have access to it
    const hasAccessOnWorkspace = await workspaceService.hasAccess(
      user,
      mailing._workspace._id
    );
    if (hasAccessOnWorkspace) {
      mailing.data = req.body.data || mailing.data;
      mailing.name =
        modelsUtils.normalizeString(req.body.name) ||
        simpleI18n('default-mailing-name', user.lang);
      // https://mongoosejs.com/docs/schematypes.html#mixed
      mailing.markModified('data');
      await mailing.save();
      const mailingForMosaico = await Mailings.findOneForMosaico(
        query,
        req.user.lang
      );
      res.json(mailingForMosaico);
    } else {
      throw new createError.NotFound();
    }
  } else if (mailing._workspace == undefined && mailing._parentFolder) {
    // the mailing lives in a folder: the user must have access to that folder
    const hasAccessOnparentFolder = await folderService.hasAccess(
      mailing._parentFolder._id,
      user
    );
    if (hasAccessOnparentFolder) {
      mailing.data = req.body.data || mailing.data;
      mailing.name =
        modelsUtils.normalizeString(req.body.name) ||
        simpleI18n('default-mailing-name', user.lang);
      // https://mongoosejs.com/docs/schematypes.html#mixed
      mailing.markModified('data');
      await mailing.save();
      const mailingForMosaico = await Mailings.findOneForMosaico(
        query,
        req.user.lang
      );
      res.json(mailingForMosaico);
    } else {
      throw new createError.NotFound();
    }
  } else {
    // neither or both sources are set: refuse instead of leaving the request unanswered
    throw new createError.NotFound();
  }
}
```

Test


@deelanM
Collaborator

deelanM commented Apr 15, 2021

Tasks

Server

  • mosaico-editor.controller: in render, add a check on the user's rights on the mailing's source

Test


@Gregoire-Bearstudio
Collaborator

I can't access the editor in the app for mails I don't have access to
BUT, if I know the URL, I can still access it (It won't save any modification to the mail though)

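An added example, not badsender's code and not the fix proposed in the comments above: one fail-closed check shared by the update route and the editor render route, covering both the updateMosaico task and the editor-by-URL gap reported in the last comment. The in-memory services built by `makeServices`, the `guardMailing` wrapper and its `loadMailing` callback are assumptions that mirror the `hasAccess` signatures quoted in the issue.

```javascript
class NotFoundError extends Error {
  constructor() { super('Not Found'); this.status = 404; }
}

// Constructed in-memory services (assumption): workspace membership lists and
// folder owners keyed by id, with the same call shapes the issue quotes.
function makeServices(workspaceMembers, folderOwners) {
  return {
    workspaceService: {
      hasAccess: (user, workspaceId) =>
        (workspaceMembers[workspaceId] || []).includes(user._id),
    },
    folderService: {
      hasAccess: (folderId, user) => folderOwners[folderId] === user._id,
    },
  };
}

// Exactly one source must be set. A mailing with neither or both fields set is
// treated as "no access" instead of falling through without any response.
function canEditMailing(user, mailing, services) {
  const inWorkspace = mailing._workspace != null;
  const inFolder = mailing._parentFolder != null;
  if (inWorkspace === inFolder) return false; // neither, or both: fail closed
  if (inWorkspace) {
    return services.workspaceService.hasAccess(user, mailing._workspace._id) === true;
  }
  return services.folderService.hasAccess(mailing._parentFolder._id, user) === true;
}

// 404 rather than 403, as with createError.NotFound() in the issue, so a foreign
// mailing id does not confirm that the mailing exists.
function assertCanEditMailing(user, mailing, services) {
  if (!canEditMailing(user, mailing, services)) throw new NotFoundError();
}

// Express-style wrapper (assumed shape) so the same check guards every route that
// loads a mailing by id, the editor render route included: the last comment shows
// the editor still opened by URL when only the update route was guarded.
function guardMailing(services, loadMailing, handler) {
  return async (req, res, next) => {
    try {
      const mailing = await loadMailing(req);
      if (!mailing) throw new NotFoundError();
      assertCanEditMailing(req.user, mailing, services);
      await handler(req, res, mailing);
    } catch (err) { next(err); }
  };
}
```

Wrap both `updateMosaico` and the mosaico-editor `render` handler with `guardMailing` so the membership check cannot be skipped by reaching the editor URL directly.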
