Skip to content

Issue 5069 fix #329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Issue 5069 fix #329

wants to merge 3 commits into from

Conversation

PrakashDurlabhji
Copy link
Contributor

@PrakashDurlabhji PrakashDurlabhji commented Oct 15, 2020
edited by luizrrodrigues
Loading

@PrakashDurlabhji PrakashDurlabhji mentioned this pull request Oct 15, 2020
Open
@luizrrodrigues
Copy link
Collaborator

@rootelement Can you check if we able to filter without auth?

Thanks.

@PrakashDurlabhji
Copy link
Contributor Author

@luizrrodrigues we are able to filter without auth.

@luizrrodrigues
Copy link
Collaborator

@luizrrodrigues we are able to filter without auth.

I mean filter by groups without auth.

@ThomasKranitsas ThomasKranitsas self-requested a review October 16, 2020 10:15
ThomasKranitsas
ThomasKranitsas suggested changes Oct 16, 2020
View reviewed changes
Copy link
Contributor

@ThomasKranitsas ThomasKranitsas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please see my comments

src/services/ChallengeService.js
@@ -306,10 +306,6 @@ async function searchChallenges (currentUser, criteria) {

// Filter all groups from the criteria to make sure the user can access those
if (!_.isUndefined(criteria.group) || !_.isUndefined(criteria.groups)) {
// check group access
if (_.isUndefined(currentUser)) {
throw new errors.BadRequestError('Authentication is required to filter challenges based on groups')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The fix is clearly wrong.

Currently, if the currentUser is not set, we're throwing an error.
By removing that code, you are making the rest of the code prone to cannot get property "<prop>" of undefined errors.

Also, there's currently no check on whether a group is public or not which means, even if you bypass the above errors, you will still get wrong results back as the accessibleGroups, which is used to determine if the user has access to the requested groups, will be empty (since the user is not authenticated).

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ThomasKranitsas , I'll remove this from Bug Bash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@luizrrodrigues luizrrodrigues luizrrodrigues left review comments

@ThomasKranitsas ThomasKranitsas ThomasKranitsas requested changes

@rootelement rootelement Awaiting requested review from rootelement

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@PrakashDurlabhji @luizrrodrigues @ThomasKranitsas