Thanks to visit codestin.com
Credit goes to github.com

Skip to content

An external user should not be able to modify invoice URL to view any invoice in Miru. #422

Merged
aniketkaushik merged 14 commits intodevelopfrom
change-url-to-view-any-invoice
Jun 14, 2022
Merged

An external user should not be able to modify invoice URL to view any invoice in Miru. #422
aniketkaushik merged 14 commits intodevelopfrom
change-url-to-view-any-invoice

Conversation

@aniketkaushik
Copy link
Contributor

@aniketkaushik aniketkaushik commented May 30, 2022

Notion card

https://saeloun.notion.site/An-external-user-should-not-be-able-to-modify-invoice-URL-to-view-any-invoice-in-Miru-940481f83c804debbc448855a759a673

Checklist:

  • I have manually tested all workflows
  • I have performed a self-review of my own code
  • I have added automated tests for my code

@aniketkaushik aniketkaushik force-pushed the change-url-to-view-any-invoice branch from c6ed8b9 to 0bfeda1 Compare May 30, 2022 08:52
@github-actions
Copy link

github-actions bot commented May 30, 2022
edited
Loading

Current Code Coverage Percent of this PR:

88.12 %

Files having coverage below 100%

Impacted Files Coverage
/app/controllers/users/invitations_controller.rb 86.36 %
/app/policies/payments/provider_policy.rb 85.71 %
/app/services/invoice_payment/checkout.rb 44.0 %
/app/services/invoice_payment/pdf_generation.rb 70.97 %
/app/services/report/filters.rb 87.1 %
/app/controllers/internal_api/v1/profile_controller.rb 96.88 %
/app/controllers/internal_api/v1/payment_settings_controller.rb 93.33 %
/app/controllers/internal_api/v1/payments/providers_controller.rb 94.74 %
/lib/benchmarking/benchmarker.rb 0.0 %

akhilgkrishnan
akhilgkrishnan reviewed May 30, 2022
View reviewed changes
@supriya3105
Copy link
Contributor

supriya3105 commented Jun 1, 2022

@aniket-k-kaushik Please resolve the conflicts . @apoorv-mishra @akhilgkrishnan Please review the PR.

@aniketkaushik aniketkaushik force-pushed the change-url-to-view-any-invoice branch from a99e6e5 to d35fa04 Compare June 2, 2022 08:24
@supriya3105 supriya3105 requested a review from apoorv1316 June 2, 2022 11:37
apoorv-mishra
apoorv-mishra suggested changes Jun 2, 2022
View reviewed changes
@aniketkaushik aniketkaushik force-pushed the change-url-to-view-any-invoice branch from fc5d26c to 952e5a2 Compare June 2, 2022 13:03
apoorv-mishra
apoorv-mishra suggested changes Jun 3, 2022
View reviewed changes
db/migrate/20220530064957_add_external_view_key_to_invoice.rb

class AddExternalViewKeyToInvoice < ActiveRecord::Migration[7.0]
def change
add_column :invoices, :external_view_key, :string
Copy link
Contributor

@apoorv-mishra apoorv-mishra Jun 3, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Better to add a unique constraint for external_view_key as well. Refer this

apoorv-mishra
apoorv-mishra suggested changes Jun 3, 2022
View reviewed changes
apoorv-mishra
apoorv-mishra approved these changes Jun 3, 2022
View reviewed changes
Copy link
Contributor

@apoorv-mishra apoorv-mishra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@aniketkaushik aniketkaushik force-pushed the change-url-to-view-any-invoice branch from 244babd to de2171c Compare June 6, 2022 16:53
@supriya3105
Copy link
Contributor

supriya3105 commented Jun 9, 2022

@apoorv1316 Can you get this tested on someone else's system today.

@aniketkaushik aniketkaushik force-pushed the change-url-to-view-any-invoice branch from 391c210 to c65d146 Compare June 11, 2022 19:26
rohitjoshixyz
rohitjoshixyz reviewed Jun 13, 2022
View reviewed changes
Copy link
Contributor

@rohitjoshixyz rohitjoshixyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good but we could potentially use UUID which is more conventional way of achieving the same https://pawelurbanek.com/uuid-order-rails @aniket-k-kaushik @apoorv-mishra @akhilgkrishnan @sudeeptarlekar

@supriya3105
Copy link
Contributor

supriya3105 commented Jun 14, 2022

@apoorv1316 Can you coordinate this with Aniket and Anas and make sure we are closing this today.

@apoorv1316
Copy link
Collaborator

apoorv1316 commented Jun 14, 2022

@supriya3105 I have approved it.

@aniketkaushik aniketkaushik merged commit 001d1d4 into develop Jun 14, 2022
@aniketkaushik aniketkaushik deleted the change-url-to-view-any-invoice branch June 14, 2022 11:58
vipulnsward pushed a commit that referenced this pull request Feb 15, 2026
@aniketkaushik
An external user should not be able to modify invoice URL to view any…
b3348ed 
… invoice in Miru. (#422)

* added external random key to accsess view

* added uniqueness

* seed update

* minor update

* fix

* fix

* securerandom

* test fix

* path fix

* test fix

* test fix 2

* add uniqueness external_view_key

* added uniques true to migration

* test fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@apoorv1316 apoorv1316 apoorv1316 approved these changes

@akhilgkrishnan akhilgkrishnan Awaiting requested review from akhilgkrishnan

+2 more reviewers

@rohitjoshixyz rohitjoshixyz rohitjoshixyz left review comments

@apoorv-mishra apoorv-mishra apoorv-mishra approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

PR: merged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@aniketkaushik @supriya3105 @apoorv1316 @apoorv-mishra @akhilgkrishnan @rohitjoshixyz