
fix: Restrict write access to flows.data column via GraphQL API #2488

Merged
merged 5 commits into from
Nov 29, 2023

Conversation


@DafyddLlyr DafyddLlyr commented Nov 28, 2023

What does this PR do?

  • Restricts write access to the flows.data column for all user roles
  • This means that this column cannot be updated via the GraphQL API (unless using the admin role)
  • The aim of this is to ensure that only sanitised data can be entered into this column

Context

Follow on from #2483 & #2484

I was hoping for a slightly simpler solution of relying on Hasura's backend-only permissions but this is just per-table, not per-column.

We should probably extend this approach to similar columns such as global_settings.footer_content and flows.settings. It might be best to follow the pattern of Editor → API → Hasura for these operations where we require sanitation before writing to the DB. Let's discuss this at the dev call!
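As an added illustration of the permission change this PR describes (not the repository's own Hasura metadata), here is the flows table's update permission before and after the fix; column names other than data and the row filter are assumed:

```yaml
# Before: platformAdmin (and, likewise, teamEditor) may write flows.data
# directly through the GraphQL API, so unsanitised HTML can reach the column.
table:
  name: flows
  schema: public
update_permissions:
  - role: platformAdmin
    permission:
      columns:
        - data          # per-column write access: this is what the PR removes
        - name          # other columns are assumed for illustration
        - slug
      filter: {}        # row filter assumed; the real one is team-scoped
      check: null
      # backend_only: true would hide this mutation from non-backend clients,
      # but it applies to the whole table for this role, not to one column,
      # which is why it does not solve the per-column problem here.

---
# After: data is removed from the insert and update column lists of every
# non-admin role. Only the built-in admin role (used by the API service, which
# sanitises with DOMPurify before writing) can still set it.
table:
  name: flows
  schema: public
insert_permissions:
  - role: platformAdmin
    permission:
      check: {}
      columns:
        - name
        - slug
update_permissions:
  - role: platformAdmin
    permission:
      columns:
        - name
        - slug
      filter: {}
      check: null
```

The same removal is applied to the teamEditor role's insert and update permissions, which is what the change summary below counts as four removed column permissions.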

@DafyddLlyr changed the title from "Dp/restrict access to flow data column" to "fix: Restrict write access to flows.data column" on Nov 28, 2023

github-actions bot commented Nov 28, 2023

🤖 Hasura Change Summary compared a subset of table metadata including permissions:

Updated Tables (1)

  • public.flows permissions:

    insert select update delete
    platformAdmin / /
    teamEditor / /
    4 removed column permissions
    insert select update
    platformAdmin ➖ data ➖ data
    teamEditor

const { client: $client } = getClient();
const response = await $client.request<UpdateFlow>(

// XXX: This is using the API Hasura role
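Review bot: the `// XXX: This is using the API Hasura role` comment says which role runs the mutation but not why that is safe. Since Hasura no longer enforces write access to flows.data for any user role, the only guard on this privileged `$client.request<UpdateFlow>(...)` call is the platformAdmin check in the middleware in front of it; suggest naming that middleware in the comment (e.g. "authorization is enforced by the platformAdmin middleware on this route, not by Hasura permissions") so the admin-role client is not reused elsewhere without the same check.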
DafyddLlyr (author) replied:

Let me know if a comment is not good enough here!

Alternatives considered are:

  • Attempt a mutation before UpdateFlow which we know the user has permission for (e.g. set flow_slug = flow_slug). If this works, we know the user should be allowed to update flow.data.
  • Manually query permission (e.g. check the join of userId → team_members → teamId → flowId). The tricky thing about a manual check is that this logic will always have to be updated alongside our permission and roles model.

For now, we're checking if the user is a platformAdmin via middleware and then executing this mutation. This is totally fine I think - I just wanted to leave a cautionary note behind.

A maintainer (Member) replied:

Agree with your decision/approach here ➕ thanks for explaining alternatives


github-actions bot commented Nov 28, 2023

Removed vultr server and associated DNS entries

@DafyddLlyr changed the title from "fix: Restrict write access to flows.data column" to "fix: Restrict write access to flows.data column via GraphQL API" on Nov 28, 2023
@DafyddLlyr DafyddLlyr marked this pull request as ready for review November 28, 2023 18:38
@DafyddLlyr DafyddLlyr requested a review from a team November 28, 2023 18:38

replace: z
.string()
.optional()
.transform((val) => val && DOMPurify.sanitize(val)),
A maintainer (Member) replied:

Thanks for catching this sanitation step too 👍
