github_mirrors/puter
1
0
Fork 0
mirror of https://github.com/HeyPuter/puter.git synced 2025-02-02 23:21:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: implicit app permissions bug

Browse Source
This commit is contained in:
KernelDeimos 2024-08-19 00:58:19 -04:00
parent 48fea77a20
commit 6b4a19e12a
4 changed files with 46 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/backend/src/services/auth/PermissionService.js
View File

@ -24,6 +24,7 @@ const {
const { get_user, get_app } = require("../../helpers"); const { get_user, get_app } = require("../../helpers");
const { AssignableMethodsFeature } = require("../../traits/AssignableMethodsFeature"); const { AssignableMethodsFeature } = require("../../traits/AssignableMethodsFeature");
const { Context } = require("../../util/context"); const { Context } = require("../../util/context");
const { get_a_letter, cylog } = require("../../util/debugutil");
const BaseService = require("../BaseService"); const BaseService = require("../BaseService");
const { DB_WRITE } = require("../database/consts"); const { DB_WRITE } = require("../database/consts");
const { UserActorType, Actor, AppUnderUserActorType, AccessTokenActorType, SiteActorType } = require("./Actor"); const { UserActorType, Actor, AppUnderUserActorType, AccessTokenActorType, SiteActorType } = require("./Actor");
@ -220,6 +221,10 @@ class PermissionService extends BaseService {
if ( ! Array.isArray(permission_options) ) { if ( ! Array.isArray(permission_options) ) {
permission_options = [permission_options]; permission_options = [permission_options];
} }
// TODO: command to enable these logs
// const l = get_a_letter();
// cylog(l, 'ACT & PERM:', actor.uid, permission_options);
const start_ts = Date.now(); const start_ts = Date.now();
await require('../../structured/sequence/scan-permission') await require('../../structured/sequence/scan-permission')
@ -229,6 +234,10 @@ class PermissionService extends BaseService {
reading, reading,
}); });
const end_ts = Date.now(); const end_ts = Date.now();
// TODO: command to enable these logs
// cylog(l, 'READING', JSON.stringify(reading, null, ' '));
reading.push({ reading.push({
$: 'time', $: 'time',
value: end_ts - start_ts, value: end_ts - start_ts,

7
src/backend/src/structured/sequence/scan-permission.js
View File

@ -56,7 +56,12 @@ module.exports = new Sequence([
} }
}, },
async function explode_permission (a) { async function explode_permission (a) {
const { reading, permission_options } = a.values(); let { reading, permission_options } = a.values();
// VERY nasty bugs can happen if this array is not cloned!
// (this was learned the hard way)
permission_options = [...permission_options];
for ( let i=0 ; i < permission_options.length ; i++ ) { for ( let i=0 ; i < permission_options.length ; i++ ) {
const permission = permission_options[i]; const permission = permission_options[i];
permission_options[i] = permission_options[i] =

19
src/backend/src/unstructured/permission-scanners.js
View File

@ -213,15 +213,22 @@ const PERMISSION_SCANNERS = [
const app_uid = actor.type.app.uid; const app_uid = actor.type.app.uid;
const issuer_actor = actor.get_related_actor(UserActorType);
const issuer_reading = await a.icall('scan', issuer_actor, permission_options);
for ( const permission of permission_options ) { for ( const permission of permission_options ) {
{ {
const implied = default_implicit_user_app_permissions[permission]; const implied = default_implicit_user_app_permissions[permission];
if ( implied ) { if ( implied ) {
reading.push({ reading.push({
$: 'option', $: 'path',
source: 'implied', permission,
source: 'user-app-implied',
by: 'user-app-hc-1', by: 'user-app-hc-1',
data: implied, data: implied,
issuer_username: actor.type.user.username,
reading: issuer_reading,
}); });
} }
} { } {
@ -233,11 +240,13 @@ const PERMISSION_SCANNERS = [
} }
if ( implicit_permissions[permission] ) { if ( implicit_permissions[permission] ) {
reading.push({ reading.push({
$: 'option', $: 'path',
permission, permission,
source: 'implied', source: 'user-app-implied',
by: 'user-app-hc-2', by: 'user-app-hc-2',
data: implicit_permissions[permission], data: implicit_permissions[permission],
issuer_username: actor.type.user.username,
reading: issuer_reading,
}); });
} }
} }
@ -246,7 +255,7 @@ const PERMISSION_SCANNERS = [
let sql_perm = permission_options.map(() => let sql_perm = permission_options.map(() =>
`\`permission\` = ?`).join(' OR '); `\`permission\` = ?`).join(' OR ');
if ( permission_options.length > 1 ) sql_perm = '(' + sql_perm + ')'; if ( permission_options.length > 1 ) sql_perm = '(' + sql_perm + ')';
// SELECT permission // SELECT permission
const rows = await db.read( const rows = await db.read(
'SELECT * FROM `user_to_app_permissions` ' + 'SELECT * FROM `user_to_app_permissions` ' +

17
src/backend/src/util/debugutil.js Normal file
View File

@ -0,0 +1,17 @@
const LETTERS = ['A','B','C','D','E','F','G','H','I','J','K','L','M','N'];
let curr_letter_ = 0;
const ind = () => {
let v = curr_letter_;
curr_letter_++;
curr_letter_ = curr_letter_ % LETTERS.length;
return v;
};
module.exports = {
get_a_letter: () => LETTERS[ind()],
cylog: (...a) => {
console.log(`\x1B[36;1m`, ...a);
}
};