AUTH_ROLE_ENUM.BULK_DOWNLOAD might be inconsistent with onlyOrgWithRole #1013

Closed
ElectricNroff opened this issue Feb 9, 2023 · 0 comments

@ElectricNroff (Contributor)

An organization with AUTH_ROLE_ENUM.BULK_DOWNLOAD needs to access the GET /cve endpoint, which is otherwise only available to the Secretariat. It does not need to be able to perform any write operations on the CVE Services database. However,

// Middleware as quoted in the issue. `logger` and `error` are module-level
// dependencies of the file this was taken from; the excerpt was cut off after
// the 403 branch, so the closing braces and a catch that forwards the error
// to Express's error handler (assumed, not part of the quoted text) are
// restored here to make the function syntactically complete.
async function onlyOrgWithRole (req, res, next) {
  const shortName = req.ctx.org
  const orgRepo = req.ctx.repositories.getOrgRepository()
  try {
    const org = await orgRepo.findOneByShortName(shortName)
    if (org === null) {
      logger.info({ uuid: req.ctx.uuid, message: shortName + ' does NOT exist ' })
      return res.status(404).json(error.orgDoesNotExist(shortName))
    } else if (org.authority.active_roles.length > 0) {
      // Any non-empty role list passes, including a list holding only BULK_DOWNLOAD
      logger.info({ uuid: req.ctx.uuid, message: org.short_name + ' has a role ' })
      next()
    } else {
      logger.info({ uuid: req.ctx.uuid, message: org.short_name + ' does NOT have a role ' })
      return res.status(403).json(error.orgHasNoRole(shortName))
    }
  } catch (err) {
    next(err)
  }
}

enables certain write access by an organization with any role.

Possibly the simplest solution would be to rename onlyOrgWithRole to onlyOrgWithPartnerRole, and return the 403 error when the only role is in the dataRetrieval role category instead of the Partner role category. For example, if org.authority.active_roles.length equals 1, and the organization has the BULK_DOWNLOAD role, then the outcome is a 403 error.

There might be a future requirement for a SECRETARIAT_READ_ONLY role, in which any GET request is completed in the same way as for the SECRETARIAT role, but POST and PUT are denied. (I don't know whether this will happen, or what the time scale of the requirement might be.)
