Skip to content

Fix permission issues with Meteor methods for Accounts plugin #4867

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 13, 2018
Merged

Fix permission issues with Meteor methods for Accounts plugin #4867

merged 3 commits into from
Dec 13, 2018

Conversation

@aldeed
Copy link
Contributor

@aldeed aldeed commented Dec 12, 2018

Impact: minor
Type: bugfix

Issue

  • "accounts/addressBookRemove" Meteor method did not correctly check permissions on multi-shop installations. By having "reaction-accounts" permission on any shop, you could update accounts belonging to any other shop.
  • "accounts/addressBookUpdate" Meteor method did not correctly check permissions on multi-shop installations. By having "reaction-accounts" permission on any shop, you could update accounts belonging to any other shop.
  • "accounts/sendWelcomeEmail" Meteor method did not check permissions. Any user (possibly even someone who isn't logged in) who knows a MongoDB shop ID and account ID could cause a welcome email to be sent to that account's email address.

Solution

  • Added account.shopId to permission check in "accounts/addressBookRemove"
  • Added account.shopId to permission check in "accounts/addressBookUpdate"
  • Removed the "accounts/sendWelcomeEmail" Meteor method and instead put the same code in an internal sendWelcomeEmail util function that is only callable from server code.

Breaking changes

Custom code relying on being able to call the "accounts/sendWelcomeEmail" Meteor method will break. Calls from client code must be removed. Calls from server code should be updated to import and call the util function.

Testing

  1. Verify that the described permission issues are fixed.
  2. Verify that you can still change your own address and remove an address from your address book.
  3. Verify that a welcome email is sent when you register a new user.

@aldeed aldeed self-assigned this Dec 12, 2018
@aldeed aldeed requested a review from impactmass December 12, 2018 18:16
@aldeed aldeed added this to the 🏔 Shavano milestone Dec 12, 2018
impactmass
impactmass approved these changes Dec 13, 2018
View reviewed changes
imports/plugins/core/accounts/server/methods/addressBookRemove.js
const account = Accounts.findOne({ userId });
if (!account) throw new ReactionError("not-found", "Not Found");

if (authUserId !== userId && !Reaction.hasPermission("reaction-accounts", authUserId, account.shopId)) {
Copy link
Contributor

@impactmass impactmass Dec 13, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@impactmass impactmass merged commit 538bc2b into release-2.0.0-rc.8 Dec 13, 2018
@impactmass impactmass deleted the fix-aldeed-security-2 branch December 13, 2018 13:02
@spencern spencern mentioned this pull request Jan 8, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@impactmass impactmass impactmass approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@aldeed aldeed

Labels

None yet

Projects

None yet

Milestone

🏔 Shavano

Development

Successfully merging this pull request may close these issues.

3 participants

@aldeed @impactmass