Check authorised user is the expected user #10

andyhd · 2017-08-10T11:07:04Z

Users were able to login to other users' RStudio instances.
This prevents that.
Users can still login to their own RStudio instance, but get a 403 "Forbidden" error if they login to another user's RStudio.

xoen · 2017-08-10T11:29:55Z

routes/index.js

+function authorisedUser(req) {
+
+ if (req && req.user && req.user.nickname) {
+ return req.user.nickname.toLowerCase() == env.USER;


As this is JS (😱), I would use === here to be on the safe side.

== coerces the type of the operands, which can be a problem when comparing strings and integers, for example, but it's not a problem here. But I will change this for best practices sake.

xoen · 2017-08-10T11:33:07Z

See comment on equality but as far as I can see looks good.

Check authorised user is the expected user

015bb99

andyhd requested review from kerin and xoen August 10, 2017 11:14

andyhd added 2 commits August 10, 2017 12:20

Lowercase username just in case

57cf22e

Lowercase username earlier

647a7a1

xoen reviewed Aug 10, 2017

View reviewed changes

Use identity rather than equality

81bbb74

andyhd merged commit 6c05402 into master Aug 10, 2017

andyhd deleted the fix-auth branch August 10, 2017 12:48

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check authorised user is the expected user #10

Check authorised user is the expected user #10

andyhd commented Aug 10, 2017 •

edited

Loading

xoen Aug 10, 2017

andyhd Aug 10, 2017

xoen commented Aug 10, 2017

Check authorised user is the expected user #10

Check authorised user is the expected user #10

Conversation

andyhd commented Aug 10, 2017 • edited Loading

xoen Aug 10, 2017

Choose a reason for hiding this comment

andyhd Aug 10, 2017

Choose a reason for hiding this comment

xoen commented Aug 10, 2017

andyhd commented Aug 10, 2017 •

edited

Loading