Permission issue when using the editor
Description
By default, regular users who are not members of a workspace can still edit an email template that belongs to that workspace.
User story
- As a regular user, when I log in and try to edit a template that is in a workspace I am not a member of, I should not have access to edit that template.

Tasks
server:
In `mailing/mailing.controller`, the `updateMosaico` function must check the user's rights to update the mailing. Depending on the source (workspace or parentFolder), the `hasAccess` function of the corresponding service is used for the check.
Steps :
- [ ] Import `workspaceService` and `folderService` from `workspace/workspace.service` and `folder/folder.service`.
- [ ] In the `updateMosaico` function, check whether `mailing._parentFolder` or `mailing._workspace` is undefined. If `mailing._parentFolder` is undefined and `mailing._workspace` is defined, the mailing is in a workspace, and vice versa. Add conditions on these variables:
  ```js
  if (mailing._parentFolder == undefined && mailing._workspace) {
    // the mailing is in a workspace
  } else if (mailing._workspace == undefined && mailing._parentFolder) {
    // the mailing is in a folder
  }
  ```
- [ ] Declare a `hasAccessOnWorkspace` or `hasAccessOnParentFolder` variable inside the branch of the defined source (`mailing._workspace` or `mailing._parentFolder`):
  ```js
  const hasAccessOnWorkspace = await workspaceService.hasAccess(user, mailing._workspace._id);
  const hasAccessOnParentFolder = await folderService.hasAccess(mailing._parentFolder._id, user);
  ```
- [ ] Use the boolean value of `hasAccessOnWorkspace` or `hasAccessOnParentFolder` to gate the update:
  ```js
  if (hasAccessOnWorkspace) {
    mailing.data = req.body.data || mailing.data;
    mailing.name =
      modelsUtils.normalizeString(req.body.name) ||
      simpleI18n('default-mailing-name', user.lang);
    // http://mongoosejs.com/docs/schematypes.html#mixed
    mailing.markModified('data');
    await mailing.save();
    const mailingForMosaico = await Mailings.findOneForMosaico(
      query,
      req.user.lang
    );
    res.json(mailingForMosaico);
  } else {
    throw new createError.NotFound();
  }
  if (hasAccessOnParentFolder) {
    mailing.data = req.body.data || mailing.data;
    mailing.name =
      modelsUtils.normalizeString(req.body.name) ||
      simpleI18n('default-mailing-name', user.lang);
    // http://mongoosejs.com/docs/schematypes.html#mixed
    mailing.markModified('data');
    await mailing.save();
    const mailingForMosaico = await Mailings.findOneForMosaico(
      query,
      req.user.lang
    );
    res.json(mailingForMosaico);
  } else {
    throw new createError.NotFound();
  }
  ```
The full solution:
```js
// Add these two requires at the top of mailing/mailing.controller
const workspaceService = require('../workspace/workspace.service');
const folderService = require('../folder/folder.service.js');

async function updateMosaico(req, res) {
  const { user } = req;
  const { mailingId } = req.params;
  const query = modelsUtils.addGroupFilter(req.user, { _id: mailingId });
  const mailing = await Mailings.findOne(query);
  if (!mailing) throw new createError.NotFound();

  if (mailing._parentFolder == undefined && mailing._workspace) {
    // The mailing lives in a workspace: the user must be a member of it
    const hasAccessOnWorkspace = await workspaceService.hasAccess(
      user,
      mailing._workspace._id
    );
    if (hasAccessOnWorkspace) {
      mailing.data = req.body.data || mailing.data;
      mailing.name =
        modelsUtils.normalizeString(req.body.name) ||
        simpleI18n('default-mailing-name', user.lang);
      // http://mongoosejs.com/docs/schematypes.html#mixed
      mailing.markModified('data');
      await mailing.save();
      const mailingForMosaico = await Mailings.findOneForMosaico(
        query,
        req.user.lang
      );
      res.json(mailingForMosaico);
    } else {
      throw new createError.NotFound();
    }
  } else if (mailing._workspace == undefined && mailing._parentFolder) {
    // The mailing lives in a folder: the user must have access to that folder
    const hasAccessOnParentFolder = await folderService.hasAccess(
      mailing._parentFolder._id,
      user
    );
    if (hasAccessOnParentFolder) {
      mailing.data = req.body.data || mailing.data;
      mailing.name =
        modelsUtils.normalizeString(req.body.name) ||
        simpleI18n('default-mailing-name', user.lang);
      // http://mongoosejs.com/docs/schematypes.html#mixed
      mailing.markModified('data');
      await mailing.save();
      const mailingForMosaico = await Mailings.findOneForMosaico(
        query,
        req.user.lang
      );
      res.json(mailingForMosaico);
    } else {
      throw new createError.NotFound();
    }
  } else {
    // Neither source is set (or both are): refuse the update rather than
    // fall through and leave the request without a response
    throw new createError.NotFound();
  }
}
```
Test

Tasks
server:
- [ ] `mosaico-editor.controller`: in `render`, add a check on the user's rights on the mailing's source.
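The same source-based check is needed in both `updateMosaico` and the editor's `render` handler. The block below is an added example, not the project's code: a deny-by-default helper that applies the issue's rule (workspace when `_workspace` is set and `_parentFolder` is not, folder in the opposite case), with constructed in-memory stand-ins for `workspaceService.hasAccess(user, workspaceId)` and `folderService.hasAccess(folderId, user)`. The stand-ins are synchronous so the example runs offline; the real services are async and would be awaited. It also covers the two cases the branches above leave open, a mailing with neither source or with both, and refuses them. The ids, users and mailings are constructed fixtures.

```javascript
// Added example, not code from the project: a deny-by-default authorization
// helper for editing a mailing, shared by the update and render controllers.

// Resolve where a mailing lives, using the rule from the issue: a mailing is in
// a workspace when _workspace is set and _parentFolder is not, in a folder in
// the opposite case. Neither or both set is ambiguous and yields null.
function resolveMailingSource(mailing) {
  const inWorkspace = mailing._workspace != null;
  const inFolder = mailing._parentFolder != null;
  if (inWorkspace && !inFolder) {
    return { kind: 'workspace', id: String(mailing._workspace._id) };
  }
  if (inFolder && !inWorkspace) {
    return { kind: 'folder', id: String(mailing._parentFolder._id) };
  }
  return null;
}

// Deny by default: only an explicit `true` from the matching service grants
// access. `services` is injected so the decision can be tested without a DB;
// the argument order mirrors the two services used in the issue.
function canEditMailing(user, mailing, services) {
  const source = resolveMailingSource(mailing);
  if (source === null) return false;
  if (source.kind === 'workspace') {
    return services.workspaceService.hasAccess(user, source.id) === true;
  }
  return services.folderService.hasAccess(source.id, user) === true;
}

// Guard a controller with a 404, the same status the issue's solution throws:
// a caller outside the workspace learns nothing about whether the mailing
// exists, and the editor page and the save endpoint answer consistently.
function assertCanEdit(user, mailing, services) {
  if (!canEditMailing(user, mailing, services)) {
    const err = new Error('Not Found');
    err.status = 404;
    throw err;
  }
}

// Constructed fixtures standing in for the database (hypothetical ids).
const WORKSPACE_MEMBERS = { ws1: ['alice'] };
const FOLDER_OWNERS = { f1: 'bob' };

const fakeServices = {
  workspaceService: {
    hasAccess: (user, workspaceId) =>
      (WORKSPACE_MEMBERS[workspaceId] || []).includes(user._id),
  },
  folderService: {
    hasAccess: (folderId, user) => FOLDER_OWNERS[folderId] === user._id,
  },
};

const alice = { _id: 'alice' };
const bob = { _id: 'bob' };

// Constructed mailings covering every branch, including the ambiguous ones.
const MAILINGS = {
  inWorkspace: { _id: 'm1', _workspace: { _id: 'ws1' } },
  inFolder: { _id: 'm2', _parentFolder: { _id: 'f1' } },
  orphan: { _id: 'm3' },
  bothSet: { _id: 'm4', _workspace: { _id: 'ws1' }, _parentFolder: { _id: 'f1' } },
};

// Run each (user, mailing) pair through the guard and report the HTTP status
// a controller would answer with.
function runScenarios() {
  const cases = [
    ['alice edits workspace mailing', alice, MAILINGS.inWorkspace],
    ['bob edits workspace mailing', bob, MAILINGS.inWorkspace],
    ['bob edits folder mailing', bob, MAILINGS.inFolder],
    ['alice edits folder mailing', alice, MAILINGS.inFolder],
    ['alice edits orphan mailing', alice, MAILINGS.orphan],
    ['alice edits mailing with both sources', alice, MAILINGS.bothSet],
  ];
  const results = {};
  for (const [label, user, mailing] of cases) {
    let status = 200;
    try {
      assertCanEdit(user, mailing, fakeServices);
    } catch (err) {
      status = err.status;
    }
    results[label] = status;
  }
  return results;
}

for (const [label, status] of Object.entries(runScenarios())) {
  console.log(`${status} ${label}`);
}
```

Calling `assertCanEdit` at the top of both `updateMosaico` and `render` is what closes the gap reported below: a user who guesses the editor URL gets the same 404 as one who calls the save endpoint directly, instead of an editor page that loads and then silently fails to save.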
Test

I can't access the editor in the app for mails I don't have access to, BUT if I know the URL, I can still access it (it won't save any modification to the mail though).
https://user-images.githubusercontent.com/80386314/115739179-fcaf5f80-a38d-11eb-9483-9c9f03fb4ff7.mp4