
feat: include new validation on validateAdminUserAccess #181

Open
wants to merge 9 commits into base: master

Conversation

@giurigaud (Contributor) commented Oct 11, 2024

What problem is this solving?

Currently, when accessing organization management, any user can make any change. The goal is to implement a minimum control of viewing/changing.

VTEX already has two features in the license manager that are not used, called:

  • Buyer Organization View
  • Buyer Organization Edit

These two features could be used to facilitate the requested changes.

How to test it?

  • Create an admin user that does not have the buyer_organization_view permission
  • Log in to the admin with this user
  • Call getOrganizations via the GraphQL IDE (https://giurigaud--b2bstore005.myvtex.com/admin/graphql-ide/); it needs to have the "buyer_organization_view" permission, so you will get a 403 error.

    ```graphql
    query { getOrganizations(search: "giu") { data { id name } pagination { page pageSize total } } }
    ```

  • The same can be done with createOrganization, for example, and the buyer_organization_edit permission.

    ```graphql
    mutation { createOrganization(input: { name: "Nome da Organização" tradeName: "Nome Comercial" b2bCustomerAdmin: { email: "admin@exemplo.com" firstName: "Nome" lastName: "Sobrenome" } defaultCostCenter: { name: "Centro de Custo Padrão" address: { country: "BRA" postalCode: "12345-678" city: "Cidade" state: "Estado" street: "Rua Exemplo" number: "123" } } }) { id status message } }
    ```

Workspace

Screenshots or example usage:

(Screenshot 2024-10-14 at 15:15:18)

Describe alternatives you've considered, if any.

Related to / Depends on

How does this PR make you feel?

https://giphy.com/gifs/Friends-season-5-episode-111-the-one-where-everybody-finds-out-YnBntKOgnUSBkV7bQH
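The behaviour the test plan above describes (a 403 from getOrganizations for a user without buyer_organization_view, and from createOrganization without buyer_organization_edit), modelled in TypeScript as an added example; this is not code from this PR or from the project it targets. ForbiddenError, the in-memory grant table, fakeLookup, assertRequiredPermission, withRequiredPermission, callStatus and the two sample resolvers are all constructed here, and grantedPath is an assumed shape for the License Manager URL built from the same path segments the PR uses. It goes a little beyond the PR on purpose: only a literal `true` from the lookup counts as a grant, every path segment is URL-encoded, and the required permission is a mandatory argument rather than an optional one.

```typescript
// Added example; not code from the PR or the project. All names below are constructed.

export type RequiredPermission =
  | 'buyer_organization_view'
  | 'buyer_organization_edit'

export class ForbiddenError extends Error {
  constructor(message: string) {
    super(message)
    this.name = 'ForbiddenError'
  }
}

// Constructed grant table standing in for License Manager's "granted" answer.
const FAKE_GRANTS = new Map<string, RequiredPermission[]>([
  ['viewer@example.com', ['buyer_organization_view']],
  ['editor@example.com', ['buyer_organization_view', 'buyer_organization_edit']],
  ['nobody@example.com', []],
])

// The lookup returns whatever the HTTP body deserialised to, hence `unknown`:
// the gate below must not rely on truthiness of an untyped response.
export type GrantLookup = (userEmail: string, resource: RequiredPermission) => unknown

export const fakeLookup: GrantLookup = (userEmail, resource) =>
  (FAKE_GRANTS.get(userEmail) ?? []).includes(resource)

// Assumed URL shape: every variable segment is encoded so an e-mail containing
// '/', '?' or '#' cannot change which resource is queried.
export function grantedPath(
  account: string,
  productCode: string,
  userEmail: string,
  resourceCode: string
): string {
  const e = encodeURIComponent
  return (
    `/api/license-manager/pvt/accounts/${e(account)}/products/${e(productCode)}` +
    `/logins/${e(userEmail)}/resources/${e(resourceCode)}/granted`
  )
}

// Fail-closed gate: only a literal `true` grants. An object, string, null or
// undefined all deny, so a changed response shape cannot turn into "allowed".
export function assertRequiredPermission(
  userEmail: string,
  required: RequiredPermission,
  lookup: GrantLookup = fakeLookup
): void {
  if (lookup(userEmail, required) !== true) {
    throw new ForbiddenError('Unauthorized Access')
  }
}

// Wraps a resolver the way a schema directive would. The permission is a
// required parameter, so no API can skip the check by omitting the argument.
export function withRequiredPermission<TArgs, TResult>(
  required: RequiredPermission,
  resolver: (args: TArgs) => TResult,
  lookup: GrantLookup = fakeLookup
): (userEmail: string, args: TArgs) => TResult {
  return (userEmail, args) => {
    assertRequiredPermission(userEmail, required, lookup)
    return resolver(args)
  }
}

// Two constructed APIs mirroring the PR's test plan.
const organizations = [{ id: 'org-1', name: 'giurigaud org' }]

export const getOrganizations = withRequiredPermission(
  'buyer_organization_view',
  (args: { search: string }) => organizations.filter((o) => o.name.includes(args.search))
)

export const createOrganization = withRequiredPermission(
  'buyer_organization_edit',
  (args: { name: string }) => {
    const org = { id: `org-${organizations.length + 1}`, name: args.name }
    organizations.push(org)
    return { id: org.id, status: 'success' }
  }
)

// Status a caller would observe: 200 on success, 403 on denial, 500 otherwise.
export function callStatus(fn: () => unknown): number {
  try {
    fn()
    return 200
  } catch (err) {
    return err instanceof ForbiddenError ? 403 : 500
  }
}
```

The lookup is injected so a unit test can hand the gate a non-boolean body and confirm it still denies; the same injection point is where the real License Manager client would plug in.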

vtex-io-ci-cd bot commented Oct 11, 2024

Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! 🤖

Please select which version you want to release:

  • Patch (backwards-compatible bug fixes)

  • Minor (backwards-compatible functionality)

  • Major (incompatible API changes)

And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.

  • No thanks, I would rather do it manually 😞

@vtex-io-docs-bot

Beep boop 🤖

I noticed you didn't make any changes in the docs/ folder

  • There's nothing new to document 🤔
  • I'll do it later 😞

In order to keep track, I'll create an issue if you decide now is not a good time

  • I just updated 🎉🎉

@giurigaud giurigaud marked this pull request as draft October 11, 2024 15:33
@enzomerca (Contributor) left a comment


Nice! I think that is the idea! I just left some small comments.

Resolved review threads (outdated):

  • node/resolvers/directives/helper.ts (three threads)
  • node/clients/LMClient.ts
@giurigaud giurigaud marked this pull request as ready for review October 14, 2024 18:09
@giurigaud giurigaud changed the title draft: include new validation on validateAdminUserAccess feat: include new validation on validateAdminUserAccess Oct 14, 2024
Comment on lines 28 to 29
@validateAdminUserAccess(orgPermission: "buyer_organization_view")
@validateStoreUserAccess(orgPermission: "buyer_organization_view")
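Review bot: the same field carries both `@validateAdminUserAccess` and `@validateStoreUserAccess`, each with `orgPermission: "buyer_organization_view"`, so the License Manager lookup runs twice per request and, when one of them rejects, the caller cannot tell which check denied it. Keep a single access directive per field (the store-user one, as the comment below suggests) so there is one place where this API's required permission is declared.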
Contributor

We should have just one validate directive per API (in this case we should keep only the @validateStoreUserAccess).

directive @validateAdminUserAccess on FIELD | FIELD_DEFINITION
directive @validateStoreUserAccess on FIELD | FIELD_DEFINITION
directive @validateAdminUserAccess(
orgPermission: String
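Review bot: `orgPermission: String` accepts any string, so a misspelled permission name in a schema file only surfaces at runtime as a 403 that is hard to diagnose. Declare the argument as an enum with the two values the code accepts, `buyer_organization_view` and `buyer_organization_edit`, so schema validation rejects anything else, and keep that enum and the TypeScript union in `validateAdminToken` in step.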
Contributor

I think we need to change orgPermission to something more meaningful... maybe requiredPermission?

Contributor Author

I agree

@@ -11,6 +11,7 @@ type Query {
sortedBy: String = "created"
): OrganizationRequestResult
@cacheControl(scope: PRIVATE, maxAge: SHORT)
@validateAdminUserAccess(orgPermission: "buyer_organization_view")
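Review bot: `getOrganizations` previously had only `@cacheControl(scope: PRIVATE, maxAge: SHORT)` and is now gated by `@validateAdminUserAccess(orgPermission: "buyer_organization_view")`, which is a behaviour change for every caller without that License Manager resource. If the directive stays here, record it in docs/ and the changelog (the docs bot flagged no docs changes) and release it as at least a minor version rather than a patch.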
Contributor

For now, let's not add the directive to APIs that don't have it. Let's just add the parameter to APIs that already have either validateAdminUserAccess or validateStoreUserAccess.

Contributor Author

But if we don't add it to getOrganizations, for example, the permissions will pass. Will it really be like that?

userEmail: string,
resourceCode: string
) => {
const productCode = B2B_LM_PRODUCT_CODE // resource name on lincense manager = B2B
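Review bot: the trailing comment `// resource name on lincense manager = B2B` has a typo (`lincense`) and, per the maintainer's note in this thread, names the wrong resource; the same comment is repeated beside `B2B_LM_PRODUCT_CODE` in the constants file, so correct both copies together. Since `productCode` is only an alias of that constant, the explanatory comment could live on the constant alone.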
Contributor

The actual name of this resource is Buyer Organization (I gave you the wrong info before), so let's update the comment here.

Suggested change
const productCode = B2B_LM_PRODUCT_CODE // resource name on lincense manager = B2B
const productCode = B2B_LM_PRODUCT_CODE // resource name on lincense manager = Buyer Organization

@@ -24,6 +26,24 @@ export default class LMClient extends ExternalClient {
})
}

public checkUserAdminPermission = async (
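Review bot: `checkUserAdminPermission` reads like a boolean predicate, but the body in this class throws `ForbiddenError` when the permission is absent and otherwise returns `true`. Whatever name lands (the thread proposes `checkAdminUserRequiredPermission`), add a JSDoc `@throws ForbiddenError` on the method so callers do not branch on a return value that can never be `false`.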
Contributor

Suggested change
public checkUserAdminPermission = async (
public checkAdminUserRequiredPermission = async (

Comment on lines 36 to 44
const checkOrgPermission = await this.get<boolean>(
`/api/license-manager/pvt/accounts/${account}/products/${productCode}/logins/${userEmail}/resources/${resourceCode}/granted`
)

if (!checkOrgPermission) {
throw new ForbiddenError('Unauthorized Access')
}

return checkOrgPermission
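Review bot: `account`, `productCode`, `userEmail` and `resourceCode` are interpolated into the License Manager path without encoding; wrap each in `encodeURIComponent` so an address containing `/`, `?` or `#` cannot alter which resource is looked up. Compare the response strictly, `if (checkOrgPermission !== true)`, so that a non-boolean body (an object, a string) denies instead of passing the `!checkOrgPermission` test. And because the method throws on denial, `return checkOrgPermission` can only ever return `true`; returning `void` makes that explicit.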
Contributor

Suggested change
const checkOrgPermission = await this.get<boolean>(
`/api/license-manager/pvt/accounts/${account}/products/${productCode}/logins/${userEmail}/resources/${resourceCode}/granted`
)
if (!checkOrgPermission) {
throw new ForbiddenError('Unauthorized Access')
}
return checkOrgPermission
const checkRequiredPermission = await this.get<boolean>(
`/api/license-manager/pvt/accounts/${account}/products/${productCode}/logins/${userEmail}/resources/${resourceCode}/granted`
)
if (!checkRequiredPermission) {
throw new ForbiddenError('Unauthorized Access')
}
return checkRequiredPermission

@@ -2,7 +2,8 @@ import { isUserPartOfBuyerOrg } from '../Queries/Users'

export const validateAdminToken = async (
context: Context,
adminUserAuthToken: string
adminUserAuthToken: string,
orgPermission?: 'buyer_organization_edit' | 'buyer_organization_view'
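Review bot: `orgPermission?:` is optional on `validateAdminToken`, so a call site that omits the argument presumably keeps the token-only behaviour and skips the resource check entirely, which is a fail-open default for an authorization helper. If it must stay optional while APIs adopt it one by one, make the skip explicit (a named constant or a separate function) so a reviewer can see which APIs remain unprotected, and add a unit test asserting that the `buyer_organization_edit` path rejects a user holding only `buyer_organization_view`.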
Contributor

(let's change orgPermission everywhere to requiredPermission)

Suggested change
orgPermission?: 'buyer_organization_edit' | 'buyer_organization_view'
requiredPermission?: 'buyer_organization_edit' | 'buyer_organization_view'

@@ -14,3 +14,5 @@ export const ORGANIZATION_REQUEST_STATUSES = {
export const MARKETING_TAGS = {
VBASE_BUCKET: 'b2b_marketing_tags',
}

export const B2B_LM_PRODUCT_CODE = '97' // resource name on lincense manager = B2B
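Review bot: `'97'` is an unexplained magic value, and its comment repeats the `lincense` typo and, per this thread, the wrong resource name; say in the comment what the value is (the License Manager product code for the Buyer Organization resource). The permission names `buyer_organization_view` and `buyer_organization_edit` appear as string literals in the schema and in `validateAdminToken`'s type; exporting them from this constants file next to `B2B_LM_PRODUCT_CODE` would give them a single source of truth.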
Contributor

Update the comment here as well.
