Having two permissions with same ID in manifest.webapp should trigger a warning or an error #3118

Open
Ldoppea opened this issue Aug 23, 2021 · 1 comment


Ldoppea commented Aug 23, 2021

In the cozy-pass-web manifest I had two different rules using the same ID:

```json
  "permissions": {
    ...
    "contacts": {
      "description": "Required to share passwords with other people",
      "type": "com.bitwarden.contacts",
      "verbs": ["ALL"]
    },
    ...
    "contacts": {
      "description": "Required to share passwords with other people",
      "type": "io.cozy.contacts",
      "verbs": ["GET", "POST"]
    },
    ...
  }
```

With this configuration, the stack starts without any warning but if I query a DELETE on bitwarden/contacts/:id then I get an invalid token error.

This stack seems to use authorizations from io.cozy.contacts.

However, if I fix the manifest, everything is working fine and I can DELETE my bitwarden's contact:

```json
  "permissions": {
    ...
    "contacts_bitwarden": {
      "description": "Required to share passwords with other people",
      "type": "com.bitwarden.contacts",
      "verbs": ["ALL"]
    },
    ...
    "contacts": {
      "description": "Required to share passwords with other people",
      "type": "io.cozy.contacts",
      "verbs": ["GET", "POST"]
    },
    ...
  }
```

My understanding is that the stack is indexing permissions by unique ID, and if multiple rules have the same ID, then the last rule replaces all rules with the same ID that were previously declared.

Maybe we should detect this scenario and trigger a warning or an error when the app is installed.

Ldoppea added a commit to cozy/cozy-pass-web that referenced this issue Aug 23, 2021
Permissions for `com.bitwarden.contacts` and `io.cozy.contacts` were
using the same ID

With this configuration `com.bitwarden.contacts` rule was overwritten
by `io.cozy.contacts` that is declared later in the json

This fix is related to this issue: cozy/cozy-stack#3118
Ldoppea added a commit to cozy/cozy-pass-web that referenced this issue Sep 3, 2021
Permissions for `com.bitwarden.contacts` and `io.cozy.contacts` were
using the same ID

With this configuration `com.bitwarden.contacts` rule was overwritten
by `io.cozy.contacts` that is declared later in the json

This fix is related to this issue: cozy/cozy-stack#3118

nono commented Sep 7, 2021

The explanation is simple: the manifest is expected to be JSON, and in JSON, it is not possible to put the same key twice in an object.
