Merge branch 'dev' for release 5.6.3

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog Fab-manager
 
+## v5.6.3 2023 January 9
+
+- Fix a bug: unable to build the docker image (yarn error extracting tar content of undefined failed)
+- Fix a security issue: logged users but non-admins can access to analytics data throught the API
+
 ## v5.6.2 2023 January 9
 
 - Improved fix_invoice_item task

app/controllers/api/analytics_controller.rb

@@ -5,6 +5,8 @@ class API::AnalyticsController < API::ApiController
   before_action :authenticate_user!
 
   def data
+    authorize :analytics
+
     render json: HealthService.row_stats
   end
 end

app/policies/admin_policy.rb

@@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AdminsController
 class AdminPolicy < ApplicationPolicy
   def index?
     user.admin? || user.manager?

app/policies/age_range_policy.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AgeRangesController
 class AgeRangePolicy < ApplicationPolicy
-  %w(create update destroy show).each do |action|
+  %w[create update destroy show].each do |action|
     define_method "#{action}?" do
       user.admin?
     end

app/policies/analytics_policy.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AnalyticsController
+class AnalyticsPolicy < ApplicationPolicy
+  def data?
+    user.admin?
+  end
+end

package.json

@@ -1,6 +1,6 @@
 {
   "name": "fab-manager",
-  "version": "5.6.2",
+  "version": "5.6.3",
   "description": "Fab-manager is the FabLab management solution. It provides a comprehensive, web-based, open-source tool to simplify your administrative tasks and your marker's projects.",
   "keywords": [
     "fablab",
@@ -151,7 +151,7 @@
     "ngUpload": "0.5",
     "ngtemplate-loader": "^2.1.0",
     "nvd3": "1.8",
-    "object-to-formdata": "https://github.com/sylvainbx/object-to-formdata.git#master",
+    "object-to-formdata": "https://github.com/sylvainbx/object-to-formdata.git",
     "phosphor-react": "^1.4.0",
     "process": "^0.11.10",
     "prop-types": "^15.7.2",

test/integration/analytics_test.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AnalyticsTest < ActionDispatch::IntegrationTest
+  def setup
+    @admin = User.find_by(username: 'admin')
+    @jdupond = User.find_by(username: 'jdupond')
+  end
+
+  test 'fetch analytics data' do
+    login_as(@admin, scope: :user)
+
+    get '/api/analytics/data'
+
+    # Check response format & status
+    assert_equal 200, response.status, response.body
+    assert_equal Mime[:json], response.content_type
+
+    # Check the resulting data was created
+    res = json_response(response.body)
+    assert_not_nil res[:version]
+    assert_not_nil res[:members]
+    assert_not_nil res[:admins]
+    assert_not_nil res[:managers]
+    assert_not_nil res[:availabilities]
+    assert_not_nil res[:reservations]
+    assert_not_nil res[:orders]
+  end
+
+  test 'non-admin cannot fetch analytics data' do
+    login_as(@jdupond, scope: :user)
+    get '/api/analytics/data'
+
+    assert_response :forbidden
+  end
+end

yarn.lock

@@ -8311,7 +8311,7 @@ object-keys@^1.0.12, object-keys@^1.1.1:
   resolved "https://registry.yarnpkg.com/object-keys/-/object-keys-1.1.1.tgz#1c47f272df277f3b1daf061677d9c82e2322c60e"
   integrity sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==
 
-"object-to-formdata@https://github.com/sylvainbx/object-to-formdata.git#master":
+"object-to-formdata@https://github.com/sylvainbx/object-to-formdata.git":
   version "4.4.2"
   resolved "https://github.com/sylvainbx/object-to-formdata.git#4c00be9626e64653e0e2fdfbefca99b3fb3de511"