reactioncommerce/reaction

Surchages query missing permission validation

Open

#6634 opened on Nov 7, 2022

View on GitHub
 (9 comments) (0 reactions) (1 assignee)JavaScript (12,181 stars) (2,198 forks)batch import
buggood first issueneeds triage

Description

Prerequisites

  • Are you running the latest version?
  • Are you able to consistently reproduce the issue?
  • Did you search the issue queue for existing issue? Search issues

Issue Description

The surcharges query in api-plugin-surcharges is missing the read permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-surcharges/src/queries/surcharges.js#L15

This means every user can query the surcharges regardless the permission they have.

Possible Solution

An example of a query that has the desired permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-accounts/src/queries/groups.js#L14

Contributor guide

Tech stack
javascriptgraphqlnodejs
Domain
backendapi
Issue type
security
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
Node.jsGraphQLReaction permission system
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
85
Research direction
Start by examining the file at packages/api plugin surcharges/src/queries/surcharges.js around line 15. Compare it with the example query at packages/api plugin accounts/src/queries/groups.js line 14 to understand how the permission check should be implemented. Check the current implementation to see if any permission is already used from context. Look at the GraphQL schema and the relevant permission constants (e.g., 'read'). Then implement the fix following the same pattern and add tests.