
Conversation

@andypols
Contributor

@andypols andypols commented Jul 7, 2025

Summary

A recent penetration test identified a security issue in the /api/v1/auth/gitAccount endpoint:

  • Users can add or update their own GitHub/GitLab account names.
  • Admins can add or update GitHub/GitLab account names for any user.
  • However, the API does not enforce this restriction — any user can change the Git account name for any other user, regardless of their permissions.

Root Cause

The API only checks that the requester is authenticated; it does not verify whether the user is updating their own account or has admin privileges.

Fix

This PR introduces a guard clause that ensures the requesting user is either:

  • Updating their own Git account
  • Holding admin privileges.

This change brings the backend access control in line with the intended behaviour already enforced in the UI.

I’ve added a new auth.test.js. I chose not to expand the existing testLogin.test.js because I wanted to test at a lower level, where I can directly assert that the database is updated as expected.

While the current endpoint lives under /auth, updating a user's Git account may conceptually belong on the /user endpoint. However, this change is out of scope for this fix and has been deferred.

@netlify

netlify bot commented Jul 7, 2025

Deploy Preview for endearing-brigadeiros-63f9d0 ready!

Name Link
🔨 Latest commit d407b3b
🔍 Latest deploy log https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/686fbda3cdd1850008683210
😎 Deploy Preview https://deploy-preview-1093--endearing-brigadeiros-63f9d0.netlify.app

@github-actions github-actions bot added the fix label Jul 7, 2025
Contributor

@jescalada jescalada left a comment

LGTM! 👍🏼

andypols and others added 3 commits July 9, 2025 10:55
That makes sense - shows the intent

Co-authored-by: Juan Escalada <[email protected]>
Signed-off-by: Andy Pols <[email protected]>
Ah sorry, I have a different setting in my IDE. I will run `npm run format` in future. Thanks for the tip

Co-authored-by: Juan Escalada <[email protected]>
Signed-off-by: Andy Pols <[email protected]>
@JamieSlome JamieSlome enabled auto-merge July 10, 2025 13:18
@codecov

codecov bot commented Jul 10, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.41%. Comparing base (9560617) to head (d407b3b).
Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1093      +/-   ##
==========================================
+ Coverage   77.37%   77.41%   +0.03%     
==========================================
  Files          55       55              
  Lines        2272     2276       +4     
  Branches      255      255              
==========================================
+ Hits         1758     1762       +4     
  Misses        484      484              
  Partials       30       30              

@JamieSlome JamieSlome merged commit f64c5e6 into finos:main Jul 10, 2025
14 checks passed
@andypols andypols deleted the fix-prevent-anyone-changing-gitaccounts branch July 14, 2025 11:02
3 participants