Skip to content
This repository was archived by the owner on Jun 5, 2019. It is now read-only.

Improve security of and make optional certain user API parameters #70

Open
hulbert wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Improve security of and make optional certain user API parameters #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
793d70d
obey apidoc of optional name, email & prevent privilege changes
hulbert Sep 23, 2014
6dcf027
bring over david's fix for hidden checkbox, optional roles, safer new…
hulbert Sep 23, 2014
4c28ec7
use _.pick for optionals too
hulbert Sep 25, 2014
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions client/source/templates/users/edit.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
{{input 'password' '' placeholder="New password" type="password"}}
{{input 'passwordconfirm' '' placeholder="Confirm new password" type="password"}}
</div>
{{hidden 'admin' isAdmin}}

{{!-- Viewing someone else's --}}
{{else}}
Expand Down
26 changes: 20 additions & 6 deletions server/routes/api/users.coffee
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
express = require 'express'
async = require 'async'
crypto = require 'crypto'
_ = require 'underscore'
{isArray} = require 'util'

mailer = require '../../lib/mailer'
config = require '../../config'
Expand Down Expand Up @@ -75,6 +77,7 @@ module.exports = app = express()
@apiParam {String} name Full name of the user.
@apiParam {String} email Email address of the user.
@apiParam {String} password Password for the user. Must be between 6-20 characters and include a number.
@apiParam {Array} [roles] Array of roles the user is granted

@apiPermission administrator
###
Expand All @@ -93,13 +96,19 @@ app.route('/users')
return res.status(401).end() unless req.user?.hasRole ['administrator']
return req.status(400).end() unless typeof req?.body is 'object'

newUser = new User req.body
data = _.pick req.body, 'name', 'email', 'password'
newUser = new User data

# optional
if req.body.roles? and isArray(req.body.roles)
Copy link
Copy Markdown
Contributor

@davidkaneda davidkaneda Sep 29, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of bringing in a custom util class above, you could use _.isArray here

Copy link
Copy Markdown
Contributor Author

@hulbert hulbert Sep 30, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

util#isArray is part of node core http://nodejs.org/api/util.html#util_util_isarray_object

Copy link
Copy Markdown
Contributor

@davidkaneda davidkaneda Sep 30, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, sorry! Thought it was coming from the bucketUtil class from another PR — that's fine :)

On Mon, Sep 29, 2014 at 6:10 PM, Scott Hulbert notifications@github.com
wrote:

@@ -93,13 +96,19 @@ app.route('/users')
return res.status(401).end() unless req.user?.hasRole ['administrator']
return req.status(400).end() unless typeof req?.body is 'object'

Reply to this email directly or view it on GitHub:
https://github.com/asm-products/buckets/pull/70/files#r18194492

newUser.roles = req.body.roles

newUser.save (err) ->
return res.status(400).send err if err
res.status(200).send newUser

.get (req, res) ->
# TODO shouldn't we filter passwords and such from here?
Copy link
Copy Markdown
Contributor

@davidkaneda davidkaneda Sep 29, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Users should already have their passwordDigest filtered out (it has a select: false on the attribute in the Mongoose Schema)

User.find {}, (err, users) ->
res.status(200).send users

Expand All @@ -125,6 +134,7 @@ app.route('/users')
@apiParam {String} id User ID (sent in URL)
@apiParam {String} [name] The full name of the user.
@apiParam {String} [email] The user’s email address.
@apiParam {Array} [roles] Array of roles the user has

@apiPermission administrator

Expand Down Expand Up @@ -166,23 +176,27 @@ app.route('/users/:userID')
res.status(200).end()

.put (req, res) ->
return res.status(401).end() unless req.user?.hasRole ['administrator'] or req.user?._id is req.params.userID
adminEditing = req.user?.hasRole ['administrator']
return res.status(401).end() unless adminEditing or req.user?._id is req.params.userID

User.findById req.params.userID, 'passwordDigest', (err, user) ->
return res.status(400).end() if err or not user

{password, passwordconfirm, oldpassword} = req.body
delete req.body.password # Only add back after checking below
if password and passwordconfirm and oldpassword
if password isnt passwordconfirm
user.invalidate 'passwordconfirm', 'Your new password and confirmation don’t match.'
else if not user.authenticate oldpassword
user.invalidate 'oldpassword', 'The provided password is incorrect.'
else
# All good
req.body.password = password
user.password = password

user.set(req.body).save (err, user) ->
user.set _.pick req.body, 'name', 'email'

if adminEditing and req.body.roles? and isArray(req.body.roles)
Copy link
Copy Markdown
Contributor

@davidkaneda davidkaneda Sep 29, 2014

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a test (or two) for "An admin can update user roles w/PUT, but a non-administrator can't (even if it’s their own profile)"

user.roles = req.body.roles

user.save (err, user) ->
return res.status(400).send err if err
res.status(200).send user

Expand Down