fix: only admin users, cross-account token and empty response

vtex-apps · May 22, 2024 · ddd199a · ddd199a
1 parent dd67e06
commit ddd199a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/dotnet/GraphQL/Query.cs b/dotnet/GraphQL/Query.cs
@@ -49,11 +49,31 @@ public Query(IProductReviewService productReviewService)
                     string orderBy = context.GetArgument<string>("orderBy");
                     string status = context.GetArgument<string>("status");
 
-                    HttpStatusCode isAdminAuthUser = await productReviewService.IsAdminAuthUser();
-
-                    if (isAdminAuthUser != HttpStatusCode.OK)
+                    if (string.IsNullOrEmpty(status) || (!string.IsNullOrEmpty(status) && status.Equals("false")))
                     {
-                        status = "true";
+                        HttpStatusCode isAdminAuthUser = await productReviewService.IsAdminAuthUser();
+
+                        if (isAdminAuthUser != HttpStatusCode.OK)
+                        {
+                            if (string.IsNullOrEmpty(status))
+                            {
+                                status = "true";
+                            }
+                            else
+                            {
+                                return new SearchResponse
+                                {
+                                    Data = new DataElement { data = new List<Review>() },
+                                    Range = new SearchRange
+                                    {
+                                        Total = 0,
+                                        From = 0,
+                                        To = 0
+                                    }
+                                };
+                            }
+
+                        }
                     }
 
                     var searchResult = await productReviewService.GetReviews(searchTerm, from, to, orderBy, status);

diff --git a/dotnet/Models/ValidatedUser.cs b/dotnet/Models/ValidatedUser.cs
@@ -9,5 +9,8 @@ public class ValidatedUser
         public string AuthStatus { get; set; }
         public string Id { get; set; }
         public string User { get; set; }    // email
+        public string Account { get; set; }
+        public string Audience { get; set; }
+        public string TokenType { get; set; }
     }
 }
diff --git a/dotnet/Services/ProductReviewService.cs b/dotnet/Services/ProductReviewService.cs
@@ -709,7 +709,7 @@ public async Task<HttpStatusCode> IsAdminAuthUser()
                 return HttpStatusCode.BadRequest;
             }
 
-            bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success");
+            bool hasAdminPermission = validatedAdminUser != null && validatedAdminUser.AuthStatus.Equals("Success") && validatedAdminUser.Account.Equals(_context.Vtex.Account) && validatedAdminUser.Audience.Equals("admin");
 
             if (!hasAdminPermission)
             {