[Bug]: Can update env from other app_id

[shiipou]

What happened?

We can update an env from an other app_id if we just change in the URL the :env_id parameter.
It seems there is no check that the :env_id that is a children of the :app_id.

Also, if someone pay the subscription, everybody will be able to update the app using the API.
The authorize rules is a or if placed on the same function.

What browsers are you seeing the problem on?

Other (specify above)

Version

lenra/server:1.3.2

Relevant log output

def update(conn, %{"env_id" => env_id} = params) do
    with {:ok, _app} <- get_app_and_allow(conn, params),
         {:ok, env} <- Apps.fetch_env(env_id), # ←← Here 
         {:ok, %{updated_env: env}} <- Apps.update_env(env.id, params) do
      conn
      |> reply(env)
    end
  end

defmodule LenraWeb.EnvsController.Policy do
  def authorize(:update, %User{id: user_id}, %App{creator_id: user_id}), do: true
  def authorize(:update, %App{id: app_id}, %Subscription{application_id: app_id}), do: true
end

[jonas-martinez]

@taorepoara We might need to prioritise this issue.

[taorepoara]

🎉 This issue has been resolved in version 1.3.3 🎉

The release is available on:

• GitHub release
• v1.3.3

Your semantic-release bot 📦🚀