Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

User typeahead can be abused to determine values of admin-only fields #1286

Open
myieye opened this issue Nov 27, 2024 · 1 comment
Open
Labels
bug Something isn't working 📦 Lexbox issues related to any server side code, fw-headless included

Comments

@myieye
Copy link
Contributor

myieye commented Nov 27, 2024

Describe the bug

We don't explicitly show the email addresses of other users, but by trial and error it's quite easy to figure out what a user's email address is by filtering users by their email. So, that probably shouldn't be allowed (unless you're allowed to see the user's email, probably?)

Fix ideas
I tried adding the admin required policy to filter fields, but you get the error:
1. The specified directive @authorizeis not allowed on the current locationInputFieldDefinition. (LexBoxApi.GraphQL.CustomTypes.UserFilterType).

We could explicitly set email and username to null for users that are not "managed by" the requesting user. Which would effectively disable filtering by those fields. We're already doing that in the scope of an org. I think UsersICanSee is the only query where we'd need to do that. Something like this: 😬

    public IQueryable<User> UserQueryForTypeahead(LexAuthUser user)
    {
        var myOrgIds = user.Orgs.Select(o => o.OrgId).ToList();
        var myManagedOrgIds = user.Orgs.Where(o => o.Role == OrgRole.Admin).Select(o => o.OrgId).ToList();
        var myProjectIds = user.Projects.Select(p => p.ProjectId).ToList();
        var myManagedProjectIds = user.Projects.Where(p => p.Role == ProjectRole.Manager).Select(p => p.ProjectId).ToList();
        return dbContext.Users
            .Select(u => new
            {
                user = u,
                iSee = u.Id == user.Id ||
                    u.Organizations.Any(orgMember => myOrgIds.Contains(orgMember.OrgId)) ||
                    u.Projects.Any(projMember =>
                        myManagedProjectIds.Contains(projMember.ProjectId) ||
                        (projMember.Project != null && projMember.Project.IsConfidential != true && myProjectIds.Contains(projMember.ProjectId))),
                iManage = u.Organizations.Any(orgMember => myManagedOrgIds.Contains(orgMember.OrgId))
            })
            .Where(u => u.iSee)
            .Select(u => u.iManage ? u.user : new User { Id = u.user.Id, Name = u.user.Name });
    }
@myieye myieye added the bug Something isn't working label Nov 27, 2024
@hahn-kev hahn-kev added the 📦 Lexbox issues related to any server side code, fw-headless included label Dec 11, 2024
@hahn-kev
Copy link
Collaborator

yeah that makes sense, I think to fix this we can remove UseFiltering annotation and explicitly support the kind of filtering we want (eg string parameter which is used in a Where call to the Queryable)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working 📦 Lexbox issues related to any server side code, fw-headless included
Projects
None yet
Development

No branches or pull requests

2 participants