reactioncommerce/reaction

Surchages query missing permission validation

Open

#6,634 创建于 2022年11月7日

在 GitHub 查看
 (9 评论) (0 反应) (1 负责人)JavaScript (12,181 star) (2,198 fork)batch import
buggood first issueneeds triage

描述

Prerequisites

  • Are you running the latest version?
  • Are you able to consistently reproduce the issue?
  • Did you search the issue queue for existing issue? Search issues

Issue Description

The surcharges query in api-plugin-surcharges is missing the read permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-surcharges/src/queries/surcharges.js#L15

This means every user can query the surcharges regardless the permission they have.

Possible Solution

An example of a query that has the desired permission validation. https://github.com/reactioncommerce/reaction/blob/b11e47f05a3d3042b76385e992960dfafb36a286/packages/api-plugin-accounts/src/queries/groups.js#L14

贡献者指南

技术栈
javascriptgraphqlnodejs
领域
backendapi
议题类型
security
难度面向新贡献者的预计实现难度,1 表示很小改动,5 表示专家级工作。
2
预计时间有经验贡献者完成调查、实现、测试并准备 pull request 的粗略时间范围。
1-3 hours
活动状态议题当前的可参与程度:新鲜、活跃、陈旧、阻塞或等待维护者输入。
stale
清晰度议题是否清楚说明期望改动、验收标准和下一步。
clear
前置要求
Node.jsGraphQLReaction permission system
新手友好度1-100 的估计分数,表示该议题对首次贡献者的友好程度。
85
研究方向
Start by examining the file at packages/api plugin surcharges/src/queries/surcharges.js around line 15. Compare it with the example query at packages/api plugin accounts/src/queries/groups.js line 14 to understand how the permission check should be implemented. Check the current implementation to see if any permission is already used from context. Look at the GraphQL schema and the relevant permission constants (e.g., 'read'). Then implement the fix following the same pattern and add tests.