From c37fffbd52ad4acd7a97dd50edc77f8b56c9e6b2 Mon Sep 17 00:00:00 2001 From: Eric Dobbertin Date: Wed, 12 Dec 2018 11:46:06 -0600 Subject: [PATCH 1/3] fix: correctly check permissions for address book remove --- .../accounts/server/methods/addressBookRemove.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/imports/plugins/core/accounts/server/methods/addressBookRemove.js b/imports/plugins/core/accounts/server/methods/addressBookRemove.js index 9c2eac88632..740bc0fc7f9 100644 --- a/imports/plugins/core/accounts/server/methods/addressBookRemove.js +++ b/imports/plugins/core/accounts/server/methods/addressBookRemove.js @@ -16,16 +16,16 @@ import ReactionError from "@reactioncommerce/reaction-error"; export default function addressBookRemove(addressId, accountUserId) { check(addressId, String); check(accountUserId, Match.Optional(String)); - - if (typeof accountUserId === "string") { - if (Reaction.getUserId() !== accountUserId && !Reaction.hasPermission("reaction-accounts")) { - throw new ReactionError("access-denied", "Access denied"); - } - } this.unblock(); - const userId = accountUserId || Reaction.getUserId(); + const authUserId = Reaction.getUserId(); + const userId = accountUserId || authUserId; const account = Accounts.findOne({ userId }); + if (!account) throw new ReactionError("not-found", "Not Found"); + + if (authUserId !== userId && !Reaction.hasPermission("reaction-accounts", authUserId, account.shopId)) { + throw new ReactionError("access-denied", "Access denied"); + } const updatedAccountResult = Accounts.update({ userId, From 9c1d54ea127c11b58e4067b807fcecc1e142a48e Mon Sep 17 00:00:00 2001 From: Eric Dobbertin Date: Wed, 12 Dec 2018 11:46:13 -0600 Subject: [PATCH 2/3] fix: correctly check permissions for address book update --- .../accounts/server/methods/addressBookUpdate.js | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/imports/plugins/core/accounts/server/methods/addressBookUpdate.js b/imports/plugins/core/accounts/server/methods/addressBookUpdate.js index d78b9f08a0d..1136b2002c1 100644 --- a/imports/plugins/core/accounts/server/methods/addressBookUpdate.js +++ b/imports/plugins/core/accounts/server/methods/addressBookUpdate.js @@ -21,19 +21,16 @@ export default function addressBookUpdate(address, accountUserId, type) { Schemas.Address.validate(address); check(accountUserId, Match.Maybe(String)); check(type, Match.Maybe(String)); - - // security check for admin access - if (typeof accountUserId === "string") { - if (Reaction.getUserId() !== accountUserId && !Reaction.hasPermission("reaction-accounts")) { - throw new ReactionError("access-denied", "Access denied"); - } - } this.unblock(); - // If no userId is provided, use the current user + const authUserId = Reaction.getUserId(); const userId = accountUserId || Reaction.getUserId(); - // Find old state of isShippingDefault & isBillingDefault to compare and reflect in cart const account = Accounts.findOne({ userId }); + if (authUserId !== userId && !Reaction.hasPermission("reaction-accounts", authUserId, account.shopId)) { + throw new ReactionError("access-denied", "Access denied"); + } + + // Find old state of isShippingDefault & isBillingDefault to compare and reflect in cart const oldAddress = (account.profile.addressBook || []).find((addr) => addr._id === address._id); if (!oldAddress) throw new ReactionError("not-found", `No existing address found with ID ${address._id}`); From 412cb760e6cc695728d5af4b7b7f8b5ab26ca1f8 Mon Sep 17 00:00:00 2001 From: Eric Dobbertin Date: Wed, 12 Dec 2018 11:56:18 -0600 Subject: [PATCH 3/3] fix: move sendWelcomeEmail to internal function --- imports/plugins/core/accounts/server/methods/index.js | 2 -- .../server/{methods => util}/sendWelcomeEmail.js | 9 +++------ imports/plugins/core/core/server/startup/accounts.js | 3 ++- 3 files changed, 5 insertions(+), 9 deletions(-) rename imports/plugins/core/accounts/server/{methods => util}/sendWelcomeEmail.js (94%) diff --git a/imports/plugins/core/accounts/server/methods/index.js b/imports/plugins/core/accounts/server/methods/index.js index 01294e67559..dd736dc4900 100644 --- a/imports/plugins/core/accounts/server/methods/index.js +++ b/imports/plugins/core/accounts/server/methods/index.js @@ -12,7 +12,6 @@ import markAddressValidationBypassed from "./markAddressValidationBypassed"; import removeEmailAddress from "./removeEmailAddress"; import removeUserPermissions from "./removeUserPermissions"; import sendResetPasswordEmail from "./sendResetPasswordEmail"; -import sendWelcomeEmail from "./sendWelcomeEmail"; import setProfileCurrency from "./setProfileCurrency"; import setUserPermissions from "./setUserPermissions"; import updateEmailAddress from "./updateEmailAddress"; @@ -47,7 +46,6 @@ export default { "accounts/removeEmailAddress": removeEmailAddress, "accounts/removeUserPermissions": removeUserPermissions, "accounts/sendResetPasswordEmail": sendResetPasswordEmail, - "accounts/sendWelcomeEmail": sendWelcomeEmail, "accounts/setProfileCurrency": setProfileCurrency, "accounts/setUserPermissions": setUserPermissions, "accounts/updateEmailAddress": updateEmailAddress, diff --git a/imports/plugins/core/accounts/server/methods/sendWelcomeEmail.js b/imports/plugins/core/accounts/server/util/sendWelcomeEmail.js similarity index 94% rename from imports/plugins/core/accounts/server/methods/sendWelcomeEmail.js rename to imports/plugins/core/accounts/server/util/sendWelcomeEmail.js index 855d09ad874..683b44bcda9 100644 --- a/imports/plugins/core/accounts/server/methods/sendWelcomeEmail.js +++ b/imports/plugins/core/accounts/server/util/sendWelcomeEmail.js @@ -8,9 +8,8 @@ import { Accounts, Shops } from "/lib/collections"; import Reaction from "/imports/plugins/core/core/server/Reaction"; /** - * @name accounts/sendWelcomeEmail + * @name sendWelcomeEmail * @summary Send an email to consumers on sign up - * @memberof Accounts/Methods * @method * @param {String} shopId - shopId of new User * @param {String} userId - new userId to welcome @@ -22,15 +21,13 @@ export default function sendWelcomeEmail(shopId, userId, token) { check(userId, String); check(token, String); - this.unblock(); - - const account = Accounts.findOne(userId); + const account = Accounts.findOne({ userId }); // anonymous users aren't welcome here if (!account.emails || !account.emails.length > 0) { return false; } - const shop = Shops.findOne(shopId); + const shop = Shops.findOne({ _id: shopId }); // Get shop logo, if available. If not, use default logo from file-system const emailLogo = Reaction.Email.getShopLogo(shop); diff --git a/imports/plugins/core/core/server/startup/accounts.js b/imports/plugins/core/core/server/startup/accounts.js index b62b768b0ca..2d2b3119e93 100644 --- a/imports/plugins/core/core/server/startup/accounts.js +++ b/imports/plugins/core/core/server/startup/accounts.js @@ -7,6 +7,7 @@ import ReactionError from "@reactioncommerce/reaction-error"; import { Accounts } from "meteor/accounts-base"; import * as Collections from "/lib/collections"; import Reaction from "/imports/plugins/core/core/server/Reaction"; +import sendWelcomeEmail from "/imports/plugins/core/accounts/server/util/sendWelcomeEmail"; /** * @summary Account server startup code @@ -167,7 +168,7 @@ export default function startup() { if (userDetails.emails && userDetails.emails.length > 0 && (!(Meteor.users.find().count() === 0) && !userDetails.profile.invited)) { const token = Random.secret(); - Meteor.call("accounts/sendWelcomeEmail", shopId, user._id, token); + sendWelcomeEmail(shopId, user._id, token); const defaultEmail = userDetails.emails.find((email) => email.provides === "default"); const when = new Date(); const tokenObj = {