
Security leak: Rewrite the ProjectList.js page to only call necessary project data when PMs are viewing

Open jbubar opened this issue 11 months ago • 5 comments

Overview

Currently the Project List page calls for all of the project data no matter what the user's access level is. This means that a user can grab any project's data and do a POST request. This is bad practice and a security risk. It would be better and more secure if, when a project manager is viewing, we only call for the projects that they have access to.

Action Items

  • [ ] Log in with a PM account that is associated with a single project (see comment for steps to create a PM account via an admin account)
  • [ ] Navigate to the Projects page
  • [ ] View client/src/pages/ProjectList.js
  • [ ] If the user is a PM, only do a GET request for the projects they are assigned to
  • [ ] Test to see if it still works
  • [ ] Make a PR

Resources/Instructions

Admin users can

    • see all projects in the database
    • see the button to add a new project

Project managers can

    • see all projects they manage
    • do not see the button to add a new project


jbubar avatar Mar 26 '24 03:03 jbubar

I tested the above issue on the dev build of VRMS by doing the following, and it appears that a PM can only see their assigned projects and does not see a button to add new projects, which is expected behavior (they do not see a list of all projects as mentioned in the issue). However, that does not mean the data is not being called.

Steps to replicate:

  • Created a new account to be used as a PM account.
  • Log in with another ADMIN account. Go to "Users" > search for the new PM account email > assign the NEW email to a single project. Log out of the ADMIN account.
  • Log in with the new PM account > go to "Projects" and the PM account should only see the project they are associated with (see attached - PM is only associated with project = ! ! ! ! ! 🦄 MrSquiggles ~~!!).

Screenshot of PM's Projects List

@jbubar Please let me know if you can replicate the issue as described above

JackHaeg avatar Mar 26 '24 04:03 JackHaeg

Yes! @JackHaeg exactly... that is how to create a new PM account currently... 🙏🙏. Thanks for making it clear! @bkmorgan3 will need to do that to test it

jbubar avatar Mar 27 '24 15:03 jbubar

@bkmorgan3 @jbubar

  • Point of clarification: After discussion with Josh, it appears that although a PM assigned to manage a single project will see ONLY the project they are managing on the "Projects" list page (i.e., what I replicated in the comment above), the main problem is that the Project list page is still calling all of the project data (across ALL projects) no matter what the user access level is.
  • So, in this scenario where a PM logs in > navigates to the "Projects" list page > sees only the project they are assigned on the front end / no add project button > all other project data across all projects is still being called.
  • Thus, this issue still needs to be investigated.

JackHaeg avatar Mar 27 '24 16:03 JackHaeg

@JackHaeg Sorry to wait a week to come back to this. I must not know how to make a user.
Is it the "...Or Create A New Profile" text on the home screen?

Can you give me step by step instructions on how to do this? Or can we set up a call to screenshare?

bkmorgan3 avatar Apr 03 '24 05:04 bkmorgan3

@bkmorgan3 No worries whatsoever!

Yes, clicking on the "...Or Create A New Profile" link on the Check In home screen will allow you to create a new user profile. If you don't already have an admin-level account set up on the DEV build of VRMS, then let's try the following:

  1. Go to https://dev.vrms.io/
  2. Click on ". . . OR CREATE A NEW PROFILE"
  3. Enter your information (First / Last Name, and an email address you haven't used with VRMS before...) and click "Check In"
  4. Go to your email and click on the magic link to log in.
  5. Please send me the email address you used on Slack and I will link it to a single Project with PM-level access.

Please feel free to reach out to me on Slack with any questions and we can hop on a screenshare if needed 😊

JackHaeg avatar Apr 04 '24 22:04 JackHaeg