From 6b4a19e12a115be2c0e323d17340ab2ce2b6b025 Mon Sep 17 00:00:00 2001
From: KernelDeimos <eric.alex.dube@gmail.com>
Date: Mon, 19 Aug 2024 00:58:19 -0400
Subject: [PATCH] fix: implicit app permissions bug

---
 .../src/services/auth/PermissionService.js    |  9 +++++++++
 .../structured/sequence/scan-permission.js    |  7 ++++++-
 .../src/unstructured/permission-scanners.js   | 19 ++++++++++++++-----
 src/backend/src/util/debugutil.js             | 17 +++++++++++++++++
 4 files changed, 46 insertions(+), 6 deletions(-)
 create mode 100644 src/backend/src/util/debugutil.js

diff --git a/src/backend/src/services/auth/PermissionService.js b/src/backend/src/services/auth/PermissionService.js
index 49279955..57b1c2a9 100644
--- a/src/backend/src/services/auth/PermissionService.js
+++ b/src/backend/src/services/auth/PermissionService.js
@@ -24,6 +24,7 @@ const {
 const { get_user, get_app } = require("../../helpers");
 const { AssignableMethodsFeature } = require("../../traits/AssignableMethodsFeature");
 const { Context } = require("../../util/context");
+const { get_a_letter, cylog } = require("../../util/debugutil");
 const BaseService = require("../BaseService");
 const { DB_WRITE } = require("../database/consts");
 const { UserActorType, Actor, AppUnderUserActorType, AccessTokenActorType, SiteActorType } = require("./Actor");
@@ -220,6 +221,10 @@ class PermissionService extends BaseService {
         if ( ! Array.isArray(permission_options) ) {
             permission_options = [permission_options];
         }
+        
+        // TODO: command to enable these logs
+        // const l = get_a_letter();
+        // cylog(l, 'ACT & PERM:', actor.uid, permission_options);
 
         const start_ts = Date.now();
         await require('../../structured/sequence/scan-permission')
@@ -229,6 +234,10 @@ class PermissionService extends BaseService {
                 reading,
             });
         const end_ts = Date.now();
+        
+        // TODO: command to enable these logs
+        // cylog(l, 'READING', JSON.stringify(reading, null, '  '));
+
         reading.push({
             $: 'time',
             value: end_ts - start_ts,
diff --git a/src/backend/src/structured/sequence/scan-permission.js b/src/backend/src/structured/sequence/scan-permission.js
index b610b970..dedf7ab1 100644
--- a/src/backend/src/structured/sequence/scan-permission.js
+++ b/src/backend/src/structured/sequence/scan-permission.js
@@ -56,7 +56,12 @@ module.exports = new Sequence([
         }
     },
     async function explode_permission (a) {
-        const { reading, permission_options } = a.values();
+        let { reading, permission_options } = a.values();
+
+        // VERY nasty bugs can happen if this array is not cloned!
+        // (this was learned the hard way)
+        permission_options = [...permission_options];
+
         for ( let i=0 ; i < permission_options.length ; i++ ) {
             const permission = permission_options[i];
             permission_options[i] =
diff --git a/src/backend/src/unstructured/permission-scanners.js b/src/backend/src/unstructured/permission-scanners.js
index f9c3dd4f..90790321 100644
--- a/src/backend/src/unstructured/permission-scanners.js
+++ b/src/backend/src/unstructured/permission-scanners.js
@@ -213,15 +213,22 @@ const PERMISSION_SCANNERS = [
             
             const app_uid = actor.type.app.uid;
             
+            const issuer_actor = actor.get_related_actor(UserActorType);
+            const issuer_reading = await a.icall('scan', issuer_actor, permission_options);
+            
             for ( const permission of permission_options ) {
                 {
+
                     const implied = default_implicit_user_app_permissions[permission];
                     if ( implied ) {
                         reading.push({
-                            $: 'option',
-                            source: 'implied',
+                            $: 'path',
+                            permission,
+                            source: 'user-app-implied',
                             by: 'user-app-hc-1',
                             data: implied,
+                            issuer_username: actor.type.user.username,
+                            reading: issuer_reading,
                         });
                     }
                 } {
@@ -233,11 +240,13 @@ const PERMISSION_SCANNERS = [
                     }
                     if ( implicit_permissions[permission] ) {
                         reading.push({
-                            $: 'option',
+                            $: 'path',
                             permission,
-                            source: 'implied',
+                            source: 'user-app-implied',
                             by: 'user-app-hc-2',
                             data: implicit_permissions[permission],
+                            issuer_username: actor.type.user.username,
+                            reading: issuer_reading,
                         });
                     }
                 }
@@ -246,7 +255,7 @@ const PERMISSION_SCANNERS = [
             let sql_perm = permission_options.map(() =>
                 `\`permission\` = ?`).join(' OR ');
             if ( permission_options.length > 1 ) sql_perm = '(' + sql_perm + ')';
-
+            
             // SELECT permission
             const rows = await db.read(
                 'SELECT * FROM `user_to_app_permissions` ' +
diff --git a/src/backend/src/util/debugutil.js b/src/backend/src/util/debugutil.js
new file mode 100644
index 00000000..e9896eb4
--- /dev/null
+++ b/src/backend/src/util/debugutil.js
@@ -0,0 +1,17 @@
+const LETTERS = ['A','B','C','D','E','F','G','H','I','J','K','L','M','N'];
+
+let curr_letter_ = 0;
+
+const ind = () => {
+    let v = curr_letter_;
+    curr_letter_++;
+    curr_letter_ = curr_letter_ % LETTERS.length;
+    return v;
+};
+
+module.exports = {
+    get_a_letter: () => LETTERS[ind()],
+    cylog: (...a) => {
+        console.log(`\x1B[36;1m`, ...a);
+    }
+};