Fix security hole that made all schedules public

gordon-cs · Jul 12, 2024 · b46292c · b46292c
1 parent 13d0d6a
commit b46292c
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 5 deletions.
diff --git a/Gordon360/Controllers/ScheduleController.cs b/Gordon360/Controllers/ScheduleController.cs
@@ -10,7 +10,9 @@
 namespace Gordon360.Controllers;
 
 [Route("api/[controller]")]
-public class ScheduleController(IScheduleService scheduleService) : ControllerBase
+public class ScheduleController(IProfileService profileService,
+ IScheduleService scheduleService,
+ IAccountService accountService) : GordonControllerBase
 {
 
  /// <summary>
@@ -21,9 +23,24 @@ public class ScheduleController(IScheduleService scheduleService) : ControllerBa
  [Route("{username}/allcourses")]
  public async Task<ActionResult<CoursesBySessionViewModel>> GetAllCourses(string username)
  {
- IEnumerable<CoursesBySessionViewModel> result = await scheduleService.GetAllCoursesAsync(username);
- return Ok(result);
-
+ var groups = AuthUtils.GetGroups(User);
+ FacultyStaffProfileViewModel? fac = profileService.GetFacultyStaffProfileByUsername(username);
+ StudentProfileViewModel? student = profileService.GetStudentProfileByUsername(username);
+ AlumniProfileViewModel? alumni = profileService.GetAlumniProfileByUsername(username);
+ // Everyone can see faculty schedules.
+ // Some users can see student and alumni schedules,
+ // but check that they can see this student or alumni.
+ if ((fac != null) ||
+ (accountService.CanISeeStudentSchedule(groups) &&
+ (student != null &&
+ accountService.CanISeeThisStudent(groups, student)) ||
+ (alumni != null &&
+ accountService.CanISeeAlumni(groups))))
+ {
+ IEnumerable<CoursesBySessionViewModel> result = await scheduleService.GetAllCoursesAsync(username);
+ return Ok(result);
+ }
+ return Forbid();
  }
 
  /// <summary>
@@ -35,6 +52,6 @@ public async Task<ActionResult<CoursesBySessionViewModel>> GetAllCourses(string
  public async Task<ActionResult<bool>> GetCanReadStudentSchedules()
  {
  var groups = AuthUtils.GetGroups(User);
- return groups.Contains(AuthGroup.Advisors);
+ return accountService.CanISeeStudentSchedule(groups);
  }
 }
diff --git a/Gordon360/Documentation/Gordon360.xml b/Gordon360/Documentation/Gordon360.xml
diff --git a/Gordon360/Services/AccountService.cs b/Gordon360/Services/AccountService.cs
@@ -106,6 +106,18 @@ public bool CanISeeStudents(IEnumerable<AuthGroup> viewerGroups)
  return false;
  }
 
+ /// <summary>Indicates whether a user making a request is authorized to see
+ /// course schedule information for students.</summary>
+ /// <param name="viewerGroups">The authentication groups associated with the 
+ /// user making the request.</param>
+ /// <returns>True if the user making the request is authorized to see
+ /// schedule information for students, and false otherwise.</returns>
+ public bool CanISeeStudentSchedule(IEnumerable<AuthGroup> viewerGroups)
+ {
+ return viewerGroups.Contains(AuthGroup.Advisors);
+ }
+
+
  /// <summary>Indicates whether a user making a request is authorized to see
  /// profile information for this particular student. Some students are not shown
  /// because of FERPA protections.</summary>

diff --git a/Gordon360/Services/ServiceInterfaces.cs b/Gordon360/Services/ServiceInterfaces.cs
@@ -72,6 +72,7 @@ public interface IAccountService
  AccountViewModel GetAccountByEmail(string email);
  AccountViewModel GetAccountByUsername(string username);
  public bool CanISeeStudents(IEnumerable<AuthGroup> viewerGroups);
+ public bool CanISeeStudentSchedule(IEnumerable<AuthGroup> viewerGroups);
  public bool CanISeeThisStudent(IEnumerable<AuthGroup> viewerGroups, StudentProfileViewModel? student);
  public bool CanISeeFacstaff(IEnumerable<AuthGroup> viewerGroups);
  public bool CanISeeAlumni(IEnumerable<AuthGroup> viewerGroups);