Merge pull request #115 from c4dt/block_admin_changes

ineiti · web-flow · commit 9667bff904fa · 2024-02-15T12:24:58.000+01:00
Don't let non-form-owner add voters
diff --git a/scripts/.gitignore b/scripts/.gitignore
@@ -0,0 +1 @@
+formid.env
diff --git a/scripts/local_forms.sh b/scripts/local_forms.sh
@@ -6,6 +6,7 @@ SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
 echo "add form"
 RESP=$(curl -sk "$FRONTEND_URL/api/evoting/forms" -X POST -H 'Content-Type: application/json' -b cookies.txt --data-raw $'{"Configuration":{"Title":{"En":"Colours","Fr":"","De":""},"Scaffold":[{"ID":"A7GsJxVJ","Title":{"En":"Colours","Fr":"","De":""},"Order":["GhidLIfw"],"Ranks":[],"Selects":[{"ID":"GhidLIfw","Title":{"En":"RGB","Fr":"","De":"RGB"},"MaxN":3,"MinN":1,"Choices":["{\\"en\\":\\"Red\\",\\"de\\":\\"Rot\\"}","{\\"en\\":\\"Green\\",\\"de\\":\\"Gr\xfcn\\"}","{\\"en\\":\\"Blue\\",\\"de\\":\\"Blau\\"}"],"Hint":{"En":"","Fr":"","De":"RGB"}}],"Texts":[],"Subjects":[]}]}}')
 FORMID=$(echo "$RESP" | jq -r .FormID)
+echo "FORMID=$FORMID" > "$SCRIPT_DIR/formid.env"
 
 echo "add permissions - it's normal to have a timeout error after this command"
 curl -k "$FRONTEND_URL/api/evoting/authorizations" -X PUT -H 'Content-Type: application/json' -b cookies.txt --data "$(jq -cn --arg FormID $FORMID '$ARGS.named')" -m 1
diff --git a/scripts/test_admin_nonowner_addvote.sh b/scripts/test_admin_nonowner_addvote.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# This script tests that an admin who is not the owner of a form
+# cannot add voters to the form.
+# It also tests that the admin who created the form can actually add
+# voters to the form.
+
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+"$SCRIPT_DIR/run_local.sh"
+
+. "$SCRIPT_DIR/local_vars.sh"
+SECOND_ADMIN=123321
+echo "Adding $SECOND_ADMIN to admin"
+(cd web/backend && npx ts-node src/cli.ts addAdmin --sciper $SECOND_ADMIN | grep -v Executing)
+
+"$SCRIPT_DIR/local_proxies.sh"
+"$SCRIPT_DIR/local_forms.sh"
+
+. "$SCRIPT_DIR/formid.env"
+
+tmp_dir=$(mktemp -d)
+trap 'rm -rf -- "tmpdir"' EXIT
+
+tmp_cookie_owner="$tmp_dir/cookie_owner"
+curl -k "$FRONTEND_URL/api/get_dev_login/$REACT_APP_SCIPER_ADMIN" -X GET -c "$tmp_cookie_owner" -o /dev/null -s
+tmp_cookie_nonowner="$tmp_dir/cookie_nonowner"
+curl -k "$FRONTEND_URL/api/get_dev_login/$SECOND_ADMIN" -X GET -c "$tmp_cookie_nonowner" -o /dev/null -s
+
+echo "This should fail with an error that we're not allowed"
+tmp_output="$tmp_dir/output"
+curl -s 'http://localhost:3000/api/add_role' \
+  -H 'Content-Type: application/json' \
+  --data-raw "{\"userId\":444555,\"subject\":\"$FORMID\",\"permission\":\"vote\"}" \
+  -b "$tmp_cookie_nonowner" 2>&1 | tee "$tmp_output"
+echo
+
+if ! grep -q "not owner of form" "$tmp_output"; then
+  echo
+  echo "ERROR: Reply should be 'not owner of form'"
+  exit 1
+fi
+
+echo "This should pass for the owner of the form"
+curl 'http://localhost:3000/api/add_role' \
+  -H 'Content-Type: application/json' \
+  --data-raw "{\"userId\":444555,\"subject\":\"$FORMID\",\"permission\":\"vote\"}" \
+  -b "$tmp_cookie_owner"
+echo
diff --git a/web/backend/src/controllers/users.ts b/web/backend/src/controllers/users.ts
@@ -28,6 +28,12 @@ usersRouter.post('/add_role', (req, res, next) => {
     return;
   }
 
+  if (req.body.permission === 'vote') {
+    if (!isAuthorized(req.session.userId, req.body.subject, PERMISSIONS.ACTIONS.OWN)) {
+      res.status(400).send('Unauthorized - not owner of form');
+    }
+  }
+
   addPolicy(req.body.userId, req.body.subject, req.body.permission)
     .then(() => {
       res.set(200).send();
