From 9e1e23f26815c0b116cbd46b774c7f1db45b0961 Mon Sep 17 00:00:00 2001
From: Sylvain
Date: Wed, 16 Oct 2019 15:21:50 +0200
Subject: [PATCH] [bug] unauthorized user can see the edit project form
---
CHANGELOG.md | 1 +
.../javascripts/controllers/projects.js.erb | 27 +++++++++++++++----
2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a51cb9868..c1ff097a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ - Fix a bug: public calendar won't show anything if the current date range include a reserved space availability (#151) - Fix a bug: invoices list is not shown by default in "manage invoices" section - Fix a bug: unable to run rake fablab:es:* tasks due to an issue with gem faraday 0.16.x (was updated to 0.17) +- Fix a bug: unauthorized user can see the edit project form - Fix a security issue: fixed [CVE-2015-9284](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284) - [TODO DEPLOY] **IMPORTANT** Please read [postgres_upgrade.md](doc/postgres_upgrade.md) for instructions on upgrading PostgreSQL. - [TODO DEPLOY] `rake db:migrate`
diff --git a/app/assets/javascripts/controllers/projects.js.erb b/app/assets/javascripts/controllers/projects.js.erb
index c8e78be77..b81d19648 100644
--- a/app/assets/javascripts/controllers/projects.js.erb
+++ b/app/assets/javascripts/controllers/projects.js.erb
@@ -442,9 +442,9 @@ Application.Controllers.controller('NewProjectController', ['$scope', '$state', /** * Controller used in the project edition page */ -Application.Controllers.controller('EditProjectController', ['$scope', '$state', '$stateParams', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'projectPromise', 'Diacritics', 'dialogs', 'allowedExtensions', '_t', - function ($scope, $state, $stateParams, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, projectPromise, Diacritics, dialogs, allowedExtensions, _t) { - CSRF.setMetaTags(); +Application.Controllers.controller('EditProjectController', ['$rootScope', '$scope', '$state', '$stateParams', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'projectPromise', 'Diacritics', 'dialogs', 'allowedExtensions', '_t', + function ($rootScope, $scope, $state, $stateParams, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, projectPromise, Diacritics, dialogs, allowedExtensions, _t) { + /* PUBLIC SCOPE */ // API URL where the form will be posted $scope.actionUrl = `/api/projects/${$stateParams.id}`; 
@@ -462,8 +462,25 @@ Application.Controllers.controller('EditProjectController', ['$scope', '$state', }); }); - // Using the ProjectsController - return new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t); + /* PRIVATE SCOPE */ + + /** + * Kind of constructor: these actions will be realized first when the controller is loaded + */ + const initialize = function () { + CSRF.setMetaTags(); + + if ($scope.project.author_id !== $rootScope.currentUser.id && $scope.project.user_ids.indexOf($rootScope.currentUser.id) === -1) { + $state.go('app.public.projects_show', { id: $scope.project.slug }); + console.error('[EditProjectController::initialize] user is not allowed') + } + + // Using the ProjectsController + return new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t); + } + + // !!! MUST BE CALLED AT THE END of the controller + return initialize(); } ]);
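Review bot: The guard in `initialize` redirects but does not stop: `$state.go` only schedules a transition, so execution falls through to `new ProjectsController(...)` and the edit controller is still fully set up for the rejected user; make the branch exit with `return $state.go('app.public.projects_show', { id: $scope.project.slug });` (and terminate the `console.error(...)` call with a semicolon, preferably logging before the redirect). The condition also dereferences `$rootScope.currentUser.id` unguarded, so if this state is reachable without a signed-in user the check throws a TypeError instead of redirecting; prefixing the condition with `!$rootScope.currentUser ||` closes that, and if `project.user_ids` can be absent from the payload the `indexOf` call needs the same care. This is a UI guard only: the authorization decision has to be enforced server-side on the `/api/projects/:id` endpoint that `$scope.actionUrl` points at, which this diff does not show. A short comment above the check, `// UI guard only: the API must reject unauthorized updates independently`, would make that contract explicit for future maintainers.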