(security) restrict access to stats endpoint

2025-01-18 07:52:23 +01:00 · 2023-01-09 13:13:24 +01:00 · 2023-01-09 13:13:24 +01:00 · 68e5f6dc20
commit 68e5f6dc20
parent 773f97b16d
6 changed files with 56 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,7 @@
 # Changelog Fab-manager

+- Fix a security issue: logged users but non-admins can access to analytics data throught the API
+
 ## v5.6.2 2023 January 9

 - Improved fix_invoice_item task
--- a/app/controllers/api/analytics_controller.rb
+++ b/app/controllers/api/analytics_controller.rb
@ -5,6 +5,8 @@ class API::AnalyticsController < API::ApiController
  before_action :authenticate_user!

  def data
+    authorize :analytics
+
    render json: HealthService.row_stats
  end
 end
--- a/app/policies/admin_policy.rb
+++ b/app/policies/admin_policy.rb
@ -1,3 +1,6 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AdminsController
 class AdminPolicy < ApplicationPolicy
  def index?
    user.admin? || user.manager?
--- a/app/policies/age_range_policy.rb
+++ b/app/policies/age_range_policy.rb
@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AgeRangesController
 class AgeRangePolicy < ApplicationPolicy
-  %w(create update destroy show).each do |action|
+  %w[create update destroy show].each do |action|
    define_method "#{action}?" do
      user.admin?
    end
--- a/app/policies/analytics_policy.rb
+++ b/app/policies/analytics_policy.rb
@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Check the access policies for API::AnalyticsController
+class AnalyticsPolicy < ApplicationPolicy
+  def data?
+    user.admin?
+  end
+end
--- a/test/integration/analytics_test.rb
+++ b/test/integration/analytics_test.rb
@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AnalyticsTest < ActionDispatch::IntegrationTest
+  def setup
+    @admin = User.find_by(username: 'admin')
+    @jdupond = User.find_by(username: 'jdupond')
+  end
+
+  test 'fetch analytics data' do
+    login_as(@admin, scope: :user)
+
+    get '/api/analytics/data'
+
+    # Check response format & status
+    assert_equal 200, response.status, response.body
+    assert_equal Mime[:json], response.content_type
+
+    # Check the resulting data was created
+    res = json_response(response.body)
+    assert_not_nil res[:version]
+    assert_not_nil res[:members]
+    assert_not_nil res[:admins]
+    assert_not_nil res[:managers]
+    assert_not_nil res[:availabilities]
+    assert_not_nil res[:reservations]
+    assert_not_nil res[:orders]
+  end
+
+  test 'non-admin cannot fetch analytics data' do
+    login_as(@jdupond, scope: :user)
+    get '/api/analytics/data'
+
+    assert_response :forbidden
+  end
+end