BUG Don't auto grant session access when resampling images #477
Not 100% sure if this is worth covering with unit tests ... I can add some if we think it is.
Unit tests are probably worth it to ensure someone doesn't revert this in the future in order to fix something else
Just added some unit tests ... I also specifically tested that they would have failed with the old logic.
Looks good, some trivial changes to make to failed test messaging and whitespace changes
tests/php/ImageTest.php
Outdated
$assetStore = Injector::inst()->get(AssetStore::class); | ||
$this->assertFalse( | ||
$assetStore->isGranted('folder/a870de278b/test-image-high-quality__Resampled.jpg'), | ||
'Current user is not automatically granted access to resampled image' |
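Review bot: The path passed to isGranted() in this assertion is a hard-coded string, including the hash segment 'a870de278b' and the '__Resampled' variant suffix, so if either ever differs from what the resample under test actually writes, assertFalse() would still pass without checking the real file. Consider deriving the file ID from the resampled image object, or first asserting that this exact file exists in the store, so the test fails if the fix is reverted.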
'Current user is not automatically granted access to resampled image' | |
'Logged out user was granted access to draft resampled image' |
What about this?
'Current user is not automatically granted access to resampled image' | |
'Current user should not automatically be granted access to resampled image' |
tests/php/ImageManipulationTest.php
Outdated
$assetStore = Injector::inst()->get(AssetStore::class); | ||
$this->assertFalse( | ||
$assetStore->isGranted($fileUrl), | ||
'Current user is not automatically granted access' |
'Current user is not automatically granted access' | |
'Logged out user was granted access to draft resampled image' |
I prefer assertion messages to describe what is being asserted, rather than what has failed.
But I can see the message here could be confusing if you think 'Current user is not automatically granted access' describes what has failed.
What about this instead?
'Current user is not automatically granted access' | |
'Current user should not automatically be granted access to view thumbnail' |
33f81f2 to d4880e1
Merge on green
5da55df to 78987e9
Just fixed the linting issue.
We considered treating this as a security issue but decided that the amount of sensitive information in an image does not warrant it.
In some contexts, the CMS will grant your session permission to view a file irrespective of whether you have access to view it. The specific thing we are trying to address here is being able to view a restricted image if it's added to a campaign.
Previous places where we addressed this included an option to allow automatic session grant via a config. I don't think we need to do this anymore since the AssetStore now automatically grants you access to view files.