Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EndUser Transmission endpoints does not mask unauthorized attachment URLs #1889

Closed
oskogstad opened this issue Feb 16, 2025 · 1 comment
Closed

EndUser Transmission endpoints does not mask unauthorized attachment URLs #1889

oskogstad opened this issue Feb 16, 2025 · 1 comment
Assignees
@oskogstad
Labels
bug Something isn't working

Comments

@oskogstad
Copy link
Collaborator

oskogstad commented Feb 16, 2025
edited
Loading

Description

EndUser transmission endpoints gives out original URLs when the user is not authorized to see them

Reproduction

Create a transmission containing attachments, and with an authorization attribute you know the user does not have, not-authorized f.ex.
Fetch the dialog at api/v1/enduser/dialogs/{dialogId}, attachment URLs are all swapped out with our unauthorized URI.

Get the transmission via either single or list endpoint,
/api/v1/enduser/dialogs/{dialogId}/transmissions/{transmissionId}
and
/api/v1/enduser/dialogs/{dialogId}/transmissions

Expected behavior

URLs should be masked as urn:dialogporten:unauthorized

"urls": [
    {
        "id": "01950f63-abef-7131-8fd8-937ab93d523f",
        "url": "urn:dialogporten:unauthorized",
        "consumerType": "Gui"
    }
]

Actual behavior

Original URL is shown in both endpoints

"urls": [
    {
        "id": "01950f63-abef-7131-8fd8-937ab93d523f",
        "url": "https://digdir.apps.tt02.altinn.no/some-url",
        "consumerType": "Gui"
    }
]
@oskogstad oskogstad added the bug Something isn't working label Feb 16, 2025
@oskogstad oskogstad moved this to Code Review og PR in Dialogporten / Arbeidsflate Feb 16, 2025
@oskogstad oskogstad self-assigned this Feb 16, 2025
@oskogstad oskogstad mentioned this issue Feb 16, 2025
Merged
4 tasks
oskogstad added a commit that referenced this issue Feb 16, 2025
@oskogstad
fix(webapi): Mask unauthorized attachment URLs in EndUser transmissio…
f2f817b 
…n endpoints (#1890)

<!--- Provide a general summary of your changes in the Title above -->

## Description

EndUser transmission endpoints gives out original URLs when the user is
not authorized to see them

## Related Issue(s)

- #1889 

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [x] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and
we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia
or a separate linked PR in
[altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if
applicable)
@oskogstad oskogstad moved this from Code Review og PR to Testing in Dialogporten / Arbeidsflate Feb 17, 2025
@LeifHelstad
Copy link

LeifHelstad commented Mar 10, 2025
edited
Loading

Test

🟢 Har testet ut fra beskrivelsen i saken og det fungerer. URL-ene til vedleggene blir maskert.

Basert på dokumentasjonen https://docs.altinn.studio/dialogporten/reference/entities/transmission/ burde man for authorizationAttribute også kunne angitt en URN. Men her kan ikke avsender angi hva som helst, det er en URN-validering.

🟢 Test med en URN som org kan sende for, men som party her ikke kan åpne (muligens litt tilfeldig)

Image

@elsand elsand closed this as completed Mar 18, 2025
@github-project-automation github-project-automation bot moved this from Testing to Done in Dialogporten / Arbeidsflate Mar 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@oskogstad oskogstad

Labels
bug Something isn't working
Projects
Dialogporten / Arbeidsflate
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@elsand @oskogstad @LeifHelstad