reaction
reaction copied to clipboard
Published
20 hours ago •
reactioncommerce
reactioncommerce
SPIKE: Permissions Audit
Audit all existing queries and mutations to verify that we are doing a permissions check.
I have gone through the resolvers, queries & mutations and identified the ones which are not calling validatePermissions. The entries are listed in the below markdown table. The reason for skipping each of the entry is also noted in the table. The 2 entries from Surcharge where fix was required has been implemented via ticket #6634 (PR #6716)
| Mutation/Query not using validatePermissions | Public access required | Plan/action | Reason for action |
|---|---|---|---|
| packages/api-plugin-accounts/src/mutations/addAccountToGroupBySlug.js | skip | internal function, not public | |
| packages/api-plugin-accounts/src/mutations/createAuthGroupsForShop.js | skip | internal function, not public | |
| packages/api-plugin-accounts/src/mutations/sendResetAccountPasswordEmail.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-accounts/src/queries/group.js | skip | using userHasPermission directly | |
| packages/api-plugin-accounts/src/queries/groupsByAccount.js | skip | using userHasPermission directly | |
| packages/api-plugin-address-validation/src/queries/addressValidation.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-address-validation/src/queries/addressValidationServices.js | to be verified | comment- // No permissions check necessary | |
| packages/api-plugin-carts/src/mutations/addCartItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/convertAnonymousCartToNewAccountCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/createCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/reconcileCarts.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/reconcileCartsKeepAccountCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/reconcileCartsKeepAnonymousCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/reconcileCartsMerge.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/removeCartItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/removeMissingItemsFromCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/saveCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/saveManyCarts.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/setEmailOnAnonymousCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/setShippingAddressOnCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/transformAndValidateCart.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/mutations/updateCartItemsQuantity.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/queries/anonymousCartByCartId.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/queries/getCommonOrderForCartGroup.js | skip | internal function, not public | |
| packages/api-plugin-carts/src/resolvers/Cart/checkout.js | verified | only data reformat | |
| packages/api-plugin-carts/src/resolvers/Cart/items.js | verified | only data reformat | |
| packages/api-plugin-carts/src/resolvers/Cart/totalItemQuantity.js | verified | only data reformat | |
| packages/api-plugin-carts/src/resolvers/CartItem/productTags.js | verified | calling queries.tagsByIds (NO validatePermissions), but tags expected to be in public domain | |
| packages/api-plugin-catalogs/src/mutations/applyCustomPublisherTransforms.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/mutations/hashProduct.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/mutations/partialProductPublish.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/queries/catalogItemProduct.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-catalogs/src/queries/catalogItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-catalogs/src/queries/catalogItemsAggregate.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/queries/findCatalogProductsAndVariants.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/queries/findProductAndVariant.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/queries/findVariantInCatalogProduct.js | skip | internal function, not public | |
| packages/api-plugin-catalogs/src/queries/vendors.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-discounts/src/queries/getDiscountsTotalForCart.js | skip | internal function, not public | |
| packages/api-plugin-email/src/mutations/sendEmail.js | skip | internal function, not public | |
| packages/api-plugin-email-templates/src/mutations/renderEmail.js | skip | internal function, not public | |
| packages/api-plugin-inventory/src/queries/inventoryForProductConfiguration.js | skip | internal function, not public | |
| packages/api-plugin-inventory/src/queries/inventoryForProductConfigurations.js | skip | internal function, not public | |
| packages/api-plugin-inventory-simple/src/mutations/updateSimpleInventoryBulk.js | skip | internal function, not public | |
| packages/api-plugin-navigation/src/queries/navigationTreeById.js | skip | using userHasPermission directly | |
| packages/api-plugin-notifications/src/mutations/createNotification.js | skip | internal function, not public | |
| packages/api-plugin-orders/src/mutations/placeOrder.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-orders/src/mutations/sendOrderEmail.js | skip | internal function, not public | |
| packages/api-plugin-orders/src/queries/orderById.js | skip | calls getOrderQuery which does validatePermissions | |
| packages/api-plugin-orders/src/queries/orderByReferenceId.js | skip | calls getOrderQuery which does validatePermissions | |
| packages/api-plugin-orders/src/queries/refunds.js | skip | calls getOrderQuery which does validatePermissions | |
| packages/api-plugin-orders/src/queries/refundsByPaymentId.js | skip | calls getOrderQuery which does validatePermissions | |
| packages/api-plugin-payments/src/queries/availablePaymentMethods.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-payments/src/queries/getPaymentMethodConfigByName.js | skip | internal function, not public | |
| packages/api-plugin-payments-stripe-sca/src/mutations/createStripePaymentIntent.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-pricing-simple/src/queries/getVariantPrice.js | skip | internal function, not public | |
| packages/api-plugin-pricing-simple/src/resolvers - entries pointing to util folder | verified | All are xform functions which accepts raw inputs and transforms it like adding currency info etc | |
| packages/api-plugin-settings/src/mutations/updateAppSettings.js [using userHasPermission directly] | skip | using userHasPermission directly | |
| packages/api-plugin-settings/src/queries/appSettings.js | decided to Skip | This is not based on the roles/permissions, but individual permission objects. Refer shopSettingsConfig in reaction/packages/api-plugin-shipments-flat-rate/src/index.js | |
| packages/api-plugin-shipments/src/mutations/selectFulfillmentOptionForGroup.js | skip | deprecated plugin | |
| packages/api-plugin-shipments/src/mutations/updateFulfillmentOptionsForGroup.js | skip | deprecated plugin | |
| packages/api-plugin-shipments/src/queries/getFulfillmentMethodsWithQuotes.js | skip | internal function, not public | |
| packages/api-plugin-sitemap-generator/src/queries/sitemap.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-surcharges/src/queries/surchargeById.js | Fix pushed | raised PR #6716 | |
| packages/api-plugin-surcharges/src/queries/surcharges.js | Fix pushed | raised PR #6716 | |
| packages/api-plugin-tags/src/queries/tag.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-tags/src/queries/tags.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-tags/src/queries/tagsByIds.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-taxes/src/mutations/getFulfillmentGroupTaxes.js | skip | internal function, not public | |
| packages/api-plugin-taxes/src/mutations/setTaxesOnOrderFulfillmentGroup.js | skip | internal function, not public | |
| packages/api-plugin-navigation/src/resolvers/NavigationTree/index.js | decided to Skip | calling xformNavigationTreeItem which queries DB without validation. These transform functions takes a raw value and transforms into a specific format. The DB query done is to get the details used for specific transformation. Ex: xformSurchargeAmount takes the node.amount, get the currency from Shop collection and returns an object with currency & value | |
| packages/api-plugin-surcharges/src/resolvers/Surcharge/index.js | decided to Skip | calling xformSurchargeAmount which queries DB without validation. These transform functions takes a raw value and transforms into a specific format. The DB query done is to get the details used for specific transformation. Ex: xformSurchargeAmount takes the node.amount, get the currency from Shop collection and returns an object with currency & value | |
| packages/api-plugin-surcharges/src/resolvers/AppliedSurcharge/index.js | decided to Skip | calling xformSurchargeAmount which queries DB without validation. These transform functions takes a raw value and transforms into a specific format. The DB query done is to get the details used for specific transformation. Ex: xformSurchargeAmount takes the node.amount, get the currency from Shop collection and returns an object with currency & value |
