
Fix JWT out-of-sync detection middleware and move it into LexQueries #1218

Merged
merged 11 commits into from
Nov 13, 2024
8 changes: 5 additions & 3 deletions backend/LexBoxApi/Services/PermissionService.cs
Expand Up @@ -47,7 +47,7 @@ public bool CanSyncProject(Guid projectId)
if (User is null) return false;
if (User.Role == UserRole.admin) return true;
if (User.Projects is null) return false;
return User.Projects.Any(p => p.ProjectId == projectId);
return User.IsProjectMember(projectId);
}

public async ValueTask<bool> CanSyncProjectAsync(Guid projectId)
Expand All @@ -71,7 +71,7 @@ public async ValueTask<bool> CanViewProject(Guid projectId, LexAuthUser? overrid
{
var user = overrideUser ?? User;
if (user is not null && user.Role == UserRole.admin) return true;
if (user is not null && user.Projects.Any(p => p.ProjectId == projectId)) return true;
if (user is not null && user.IsProjectMember(projectId)) return true;
// Org admins can view all projects, even confidential ones
if (await ManagesOrgThatOwnsProject(projectId)) return true;
var isConfidential = await projectService.LookupProjectConfidentiality(projectId);
Expand Down Expand Up @@ -100,6 +100,8 @@ public async ValueTask<bool> CanViewProjectMembers(Guid projectId)
if (User is not null && User.Role == UserRole.admin) return true;
// Project managers can view members of their own projects, even confidential ones
if (await CanManageProject(projectId)) return true;
// non members can't view project members
if (User?.IsProjectMember(projectId) != true) return false;
var isConfidential = await projectService.LookupProjectConfidentiality(projectId);
// In this specific case (only), we assume public unless explicitly set to private
return !(isConfidential ?? false);
Expand All @@ -109,7 +111,7 @@ public async ValueTask<bool> CanManageProject(Guid projectId)
{
if (User is null) return false;
if (User.Role == UserRole.admin) return true;
if (User.Projects.Any(p => p.ProjectId == projectId && p.Role == ProjectRole.Manager)) return true;
if (User.IsProjectMember(projectId, ProjectRole.Manager)) return true;
return await ManagesOrgThatOwnsProject(projectId);
}
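Review bot: Once the new gate `if (User?.IsProjectMember(projectId) != true) return false;` in CanViewProjectMembers is in place, the only callers that reach `return !(isConfidential ?? false);` are project members, so a non-manager member of a project whose confidentiality is set now loses access to its own roster while a member of a public project keeps it. If hiding the roster from members of confidential projects is intended, the comment "In this specific case (only), we assume public unless explicitly set to private" should say that it now governs members; if members should always see their project's members, the gate would instead read `if (User?.IsProjectMember(projectId) == true) return true;` followed by `return false;`. Note also that this call assumes `User.Projects` is non-null, while CanSyncProject in the first hunk still guards `if (User.Projects is null) return false;` before calling the same helper, so one of the two is inconsistent with the other. The body of CanViewProjectMembers starts outside the hunk.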

9 changes: 9 additions & 0 deletions backend/LexCore/Auth/LexAuthUser.cs
Expand Up @@ -234,6 +234,15 @@ public ClaimsPrincipal GetPrincipal(string authenticationType)
LexAuthConstants.EmailClaimType,
LexAuthConstants.RoleClaimType));
}

public bool IsProjectMember(Guid projectId, ProjectRole? role = null)
{
if (role is not null)
{
return Projects.Any(p => p.ProjectId == projectId && p.Role == role);
}
return Projects.Any(p => p.ProjectId == projectId);
}
}

public record AuthUserProject(ProjectRole Role, Guid ProjectId);
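Review bot: `IsProjectMember` dereferences `Projects` without a null check, yet `PermissionService.CanSyncProject` in this same PR still tests `if (User.Projects is null) return false;` before calling it, so either that guard is dead or the other call sites (`CanViewProject`, `CanViewProjectMembers`, `CanManageProject`) can throw a NullReferenceException for a user whose `Projects` is null. If `Projects` can be null, folding the check into the helper makes every authorization path fail closed and also collapses the two branches: `return Projects?.Any(p => p.ProjectId == projectId && (role is null || p.Role == role)) ?? false;`. A `/// <summary>` stating that a null `role` matches membership in any role would help, since the optional parameter is easy to misread as "no role required".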