Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-01-25 00:07:47 +01:00
Code Issues Projects Releases Wiki Activity

fix: unauthorized disable feature (#5982)

Browse Source 
## About the changes
This was spotted while testing automated actions. Steps to reproduce:

1. Add an editor user
2. Get a PAT for the editor user
3. As Admin create a feature in a project where the editor user is not a
member and enable the feature
4. Try using the editor's PAT to modify the feature
5. As the editor create a project (you'd be made owner) and try the same
request but just change the project name for the new project just
created (don't change anything else)

**Expected behavior**: you can't disable the feature
**Actual behavior**: the feature is disabled

This does not happen when trying to turn on a flag because during the
turn-on process we do validate if the feature belongs to project when we
call updateStrategy:
c18a7c0dc2/src/lib/features/feature-toggle/feature-toggle-service.ts (L1751-L1764)
This commit is contained in:
Gastón Fournier 2024-01-22 12:50:14 +01:00 committed by GitHub
parent 055bab8e7c
commit c5afa8ff11
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/lib/features/feature-toggle/feature-toggle-service.ts
View File

@ -1732,6 +1732,10 @@ class FeatureToggleService {
user?: IUser, user?: IUser,
shouldActivateDisabledStrategies = false, shouldActivateDisabledStrategies = false,
): Promise<FeatureToggle> { ): Promise<FeatureToggle> {
await this.validateFeatureBelongsToProject({
featureName,
projectId: project,
});
const hasEnvironment = const hasEnvironment =
await this.featureEnvironmentStore.featureHasEnvironment( await this.featureEnvironmentStore.featureHasEnvironment(
environment, environment,

7
src/lib/services/access-service.ts
View File

@ -65,6 +65,9 @@ export type IdPermissionRef = Pick<IPermission, 'id' | 'environment'>;
export type NamePermissionRef = Pick<IPermission, 'name' | 'environment'>; export type NamePermissionRef = Pick<IPermission, 'name' | 'environment'>;
export type PermissionRef = IdPermissionRef | NamePermissionRef; export type PermissionRef = IdPermissionRef | NamePermissionRef;
type APIUser = Pick<IUser, 'id' | 'permissions'> & { isAPI: true };
type NonAPIUser = Pick<IUser, 'id'> & { isAPI?: false };
export interface IRoleCreation { export interface IRoleCreation {
name: string; name: string;
description: string; description: string;
@ -150,7 +153,7 @@ export class AccessService {
* @param projectId * @param projectId
*/ */
async hasPermission( async hasPermission(
user: Pick<IUser, 'id' | 'permissions' | 'isAPI'>, user: APIUser | NonAPIUser,
permission: string | string[], permission: string | string[],
projectId?: string, projectId?: string,
environment?: string, environment?: string,
@ -198,7 +201,7 @@ export class AccessService {
} }
async getPermissionsForUser( async getPermissionsForUser(
user: Pick<IUser, 'id' | 'isAPI' | 'permissions'>, user: APIUser | NonAPIUser,
): Promise<IUserPermission[]> { ): Promise<IUserPermission[]> {
if (user.isAPI) { if (user.isAPI) {
return user.permissions?.map((p) => ({ return user.permissions?.map((p) => ({