
Disable stories edit page for users with insufficient permissions #2691

Open
RichDom2185 opened this issue Sep 30, 2023 · 2 comments
Labels
Bug Something isn't working minor Less important than important, but more than nice-to-have

Comments

@RichDom2185
Member

Reported by a student; reworded and posted here as it is not a major security vulnerability (the API request would still be blocked correctly by the backend, i.e. saving will result in an error if the user has insufficient permissions). Thank you for the report!

Background

The backend already implements the correct access control checks to ensure that editing stories is not possible unless the user has sufficient permissions:

And the frontend also already hides the edit button in the stories table:

storyActions={story => {
  const isAuthor = storiesUserId === story.authorId;
  const hasWritePermissions =
    storiesRole === StoriesRole.Moderator || storiesRole === StoriesRole.Admin;
  return (
    <StoryActions
      storyId={story.id}
      handleDeleteStory={handleDeleteStory}
      handleTogglePin={handleTogglePinStory}
      handleMovePinUp={handleMovePinUp}
      handleMovePinDown={handleMovePinDown}
      canView // everyone has view permissions, even anonymous users
      canEdit={isAuthor || hasWritePermissions}
    />
  );
}}

But manually editing the URL from /view/<story_id> to /edit/<story_id> still results in the edit component showing.

Proposal

Redirect /edit/<story_id> to /view/<story_id> when the user has insufficient permissions to edit.

@sayomaki
Contributor

sayomaki commented Oct 3, 2023

Could be related to #2632

@RichDom2185
Member Author

Could be related to #2632

Oh yes, might be a duplicate, thanks for that. Also, on second thought, I think it might be better to just disable the edit route (instead of redirecting), because if we redirect without any additional feedback to the user, there is a possibility that the user gets confused if they mistakenly believe that they have edit rights to a particular story.
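The two approaches discussed in this thread (redirecting /edit/<story_id> to the view page, or refusing the edit route with feedback) can be expressed as one route-level decision that reuses the same author-or-moderator rule the stories table already applies to its edit button. The following is an added example written for this issue; it is not code from the Source Academy frontend. The `StoriesRole.Standard` member, the `Viewer`/`Story` shapes and the function names `canEditStory`, `parseEditPath` and `resolveEditRoute` are assumptions for illustration, and wiring the returned decision into the router (for example a React Router `<Navigate>` for the redirect case) is left to the caller. As the issue notes, this is a UX gate only: the backend check remains the actual enforcement.

```typescript
// Added example for this issue; not Source Academy's own code.
// Moderator/Admin mirror the names in the snippet above; Standard is an assumed default role.
enum StoriesRole {
  Standard = 'standard',
  Moderator = 'moderator',
  Admin = 'admin',
}

interface Story {
  id: number;
  authorId: number;
}

// What the frontend knows about the current visitor. An anonymous user has neither field.
interface Viewer {
  storiesUserId?: number;
  storiesRole?: StoriesRole;
}

// Same rule the stories table uses for its edit button: author, or moderator/admin.
// The explicit undefined check keeps an anonymous viewer from matching a story whose
// authorId is also missing.
function canEditStory(viewer: Viewer, story: Story): boolean {
  const isAuthor =
    viewer.storiesUserId !== undefined && viewer.storiesUserId === story.authorId;
  const hasWritePermissions =
    viewer.storiesRole === StoriesRole.Moderator || viewer.storiesRole === StoriesRole.Admin;
  return isAuthor || hasWritePermissions;
}

// Pull the story id out of a hand-edited URL such as "/edit/42". Anything that is not a
// bare positive integer (e.g. "/edit/42abc" or "/edit/") yields null, so the route
// guard can refuse it instead of passing junk to the editor.
function parseEditPath(path: string): number | null {
  const match = /^\/edit\/(\d+)$/.exec(path);
  if (match === null) {
    return null;
  }
  const id = Number(match[1]);
  return Number.isSafeInteger(id) && id > 0 ? id : null;
}

type RouteDecision =
  | { kind: 'render-editor'; storyId: number }
  | { kind: 'redirect'; to: string }
  | { kind: 'forbidden'; storyId: number | null; message: string };

// Decide what /edit/<story_id> should do for this viewer. `mode` selects between the
// two options raised in the issue: 'redirect' silently sends the user to the view page,
// 'disable' refuses the route with an explanation so a user who wrongly believed they
// had edit rights is not left confused by a silent redirect.
function resolveEditRoute(
  path: string,
  viewer: Viewer,
  lookupStory: (id: number) => Story | undefined,
  mode: 'redirect' | 'disable' = 'disable',
): RouteDecision {
  const storyId = parseEditPath(path);
  if (storyId === null) {
    return { kind: 'forbidden', storyId: null, message: 'Invalid story id in URL.' };
  }
  const story = lookupStory(storyId);
  if (story === undefined) {
    return { kind: 'forbidden', storyId, message: `Story ${storyId} does not exist.` };
  }
  if (canEditStory(viewer, story)) {
    return { kind: 'render-editor', storyId };
  }
  if (mode === 'redirect') {
    return { kind: 'redirect', to: `/view/${storyId}` };
  }
  return {
    kind: 'forbidden',
    storyId,
    message: `You do not have permission to edit story ${storyId}.`,
  };
}

// Constructed sample data for a stand-alone run.
const sampleStories: Story[] = [{ id: 42, authorId: 1 }];
const lookupSample = (id: number): Story | undefined => sampleStories.find(s => s.id === id);
const otherUser: Viewer = { storiesUserId: 2, storiesRole: StoriesRole.Standard };
console.log(resolveEditRoute('/edit/42', otherUser, lookupSample));
```

The decision object is deliberately separate from any UI: the route component can render the editor, a `<Navigate>`, or a permission message from it, and a unit test can cover every branch (anonymous visitor, wrong author, moderator, malformed id) without mounting React.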
