reactioncommerce/reaction

Surchages query missing permission validation

Open

#6,634 opened on Nov 7, 2022

View on GitHub
 (9 comments) (0 reactions) (1 assignee)JavaScript (2,198 forks)batch import
buggood first issueneeds triage

Repository metrics

Stars
 (12,181 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

Prerequisites

  • Are you running the latest version?
  • Are you able to consistently reproduce the issue?
  • Did you search the issue queue for existing issue? Search issues

Issue Description

The surcharges query in api-plugin-surcharges is missing the read permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-surcharges/src/queries/surcharges.js#L15

This means every user can query the surcharges regardless the permission they have.

Possible Solution

An example of a query that has the desired permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-accounts/src/queries/groups.js#L14

Contributor guide