Commit 435dd018 authored by Robert Speicher's avatar Robert Speicher Committed by Robert Speicher

Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'

Restrict Todo API mark_as_done endpoint to the user's todos only
parent c52d1453
---
title: Restrict Todo API mark_as_done endpoint to the user's todos only
merge_request:
author:
type: security
...@@ -60,7 +60,7 @@ module API ...@@ -60,7 +60,7 @@ module API
end end
post ':id/mark_as_done' do post ':id/mark_as_done' do
TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user) TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
todo = Todo.find(params[:id]) todo = current_user.todos.find(params[:id])
present todo, with: Entities::Todo, current_user: current_user present todo, with: Entities::Todo, current_user: current_user
end end
......
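Review bot: The ownership check on the new `todo = current_user.todos.find(params[:id])` line runs only after `TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)` has already executed, so whether a foreign todo id is left untouched before the 404 is returned depends on the service scoping the ids to `current_user` itself, which this hunk does not show. Swapping the two lines, `todo = current_user.todos.find(params[:id])` followed by `TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)`, makes the not-found path side-effect free regardless of how the service scopes its ids. The v3 `delete ':id'` hunk that follows has the same ordering. The `post` block is complete in the hunk, but the enclosing resource and module start outside it.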
...@@ -12,7 +12,7 @@ module API ...@@ -12,7 +12,7 @@ module API
end end
delete ':id' do delete ':id' do
TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user) TodoService.new.mark_todos_as_done_by_ids(params[:id], current_user)
todo = Todo.find(params[:id]) todo = current_user.todos.find(params[:id])
present todo, with: ::API::Entities::Todo, current_user: current_user present todo, with: ::API::Entities::Todo, current_user: current_user
end end
......
...@@ -129,6 +129,12 @@ describe API::Todos do ...@@ -129,6 +129,12 @@ describe API::Todos do
post api("/todos/#{pending_1.id}/mark_as_done", john_doe) post api("/todos/#{pending_1.id}/mark_as_done", john_doe)
end end
it 'returns 404 if the todo does not belong to the current user' do
post api("/todos/#{pending_1.id}/mark_as_done", author_1)
expect(response.status).to eq(404)
end
end end
end end
......
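Review bot: The new example checks only `expect(response.status).to eq(404)` and does not verify that the todo stayed pending, even though the endpoint calls the mark-as-done service before the scoped find. A second expectation after the request, e.g. `expect(pending_1.reload).to be_pending` if the Todo model exposes such a state predicate, would pin the property the fix is meant to guarantee rather than just the response code. The same applies to the v3 spec hunk below. The surrounding `describe`/`context` blocks start outside the hunk.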
...@@ -38,6 +38,12 @@ describe API::V3::Todos do ...@@ -38,6 +38,12 @@ describe API::V3::Todos do
delete v3_api("/todos/#{pending_1.id}", john_doe) delete v3_api("/todos/#{pending_1.id}", john_doe)
end end
it 'returns 404 if the todo does not belong to the current user' do
delete v3_api("/todos/#{pending_1.id}", author_1)
expect(response.status).to eq(404)
end
end end
end end
......