Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

User typeahead can be abused to determine values of admin-only fields #1286

Open
myieye opened this issue Nov 27, 2024 · 0 comments
Open

User typeahead can be abused to determine values of admin-only fields #1286

myieye opened this issue Nov 27, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@myieye
Copy link
Contributor

myieye commented Nov 27, 2024

Describe the bug

We don't explicitly show the email addresses of other users, but by trial and error it's quite easy to figure out what a user's email address is by filtering users by their email. So, that probably shouldn't be allowed (unless you're allowed to see the user's email, probably?)

Fix ideas
I tried adding the admin required policy to filter fields, but you get the error:
1. The specified directive @authorizeis not allowed on the current locationInputFieldDefinition. (LexBoxApi.GraphQL.CustomTypes.UserFilterType).

We could explicitly set email and username to null for users that are not "managed by" the requesting user. Which would effectively disable filtering by those fields. We're already doing that in the scope of an org. I think UsersICanSee is the only query where we'd need to do that. Something like this: 😬

    public IQueryable<User> UserQueryForTypeahead(LexAuthUser user)
    {
        var myOrgIds = user.Orgs.Select(o => o.OrgId).ToList();
        var myManagedOrgIds = user.Orgs.Where(o => o.Role == OrgRole.Admin).Select(o => o.OrgId).ToList();
        var myProjectIds = user.Projects.Select(p => p.ProjectId).ToList();
        var myManagedProjectIds = user.Projects.Where(p => p.Role == ProjectRole.Manager).Select(p => p.ProjectId).ToList();
        return dbContext.Users
            .Select(u => new
            {
                user = u,
                iSee = u.Id == user.Id ||
                    u.Organizations.Any(orgMember => myOrgIds.Contains(orgMember.OrgId)) ||
                    u.Projects.Any(projMember =>
                        myManagedProjectIds.Contains(projMember.ProjectId) ||
                        (projMember.Project != null && projMember.Project.IsConfidential != true && myProjectIds.Contains(projMember.ProjectId))),
                iManage = u.Organizations.Any(orgMember => myManagedOrgIds.Contains(orgMember.OrgId))
            })
            .Where(u => u.iSee)
            .Select(u => u.iManage ? u.user : new User { Id = u.user.Id, Name = u.user.Name });
    }
@myieye myieye added the bug Something isn't working label Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@myieye