

security: expose encoded hashid for unit entity and decode for /units…
…/:id

Modify unit_entity.rb to expose the id as the hashid rather than the actual id; this will affect all endpoints returning units
Modify units_api.rb to decode the hashed id for the /units/:id endpoint
sneaky-patriki committed Apr 16, 2022
1 parent a32c58f commit 699668a
Showing 2 changed files with 12 additions and 8 deletions.
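--- a/app/api/entities/unit_entity.rb
+++ b/app/api/entities/unit_entity.rb
@@ -9,7 +9,10 @@ def is_staff?(user, unit)
 end
 
 expose :code
-expose :id
+expose :id do |unit|
+hashid = Hashids.new("unit_salt", 8)
+hashid.encode(unit.id)
+end
 expose :name
 expose :my_role do |unit, options|
 role = unit.role_for(options[:user])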
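Review bot: The salt `"unit_salt"` and minimum length `8` are hard-coded in the new `expose :id` block and again in `units_api.rb`, so the value that obscures unit ids is public in the repository and the two copies can drift apart (the code removed from the other file already used `Hashids.new("unit_salt")` without the length). Hashids is an obfuscation scheme rather than encryption, so with a published salt the encoded id hides nothing and the `authorise?` checks remain the only access control; the "security:" label overstates what this change provides. Build the encoder once from a secret kept outside the repository and reference it from both files, e.g. a shared constant such as `UNIT_HASHIDS` (placeholder name), which also avoids constructing a new `Hashids` object for every unit serialised. The entity class around this block starts and ends outside the hunk.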
15 changes: 8 additions & 7 deletions app/api/units_api.rb
Expand Up @@ -22,6 +22,8 @@ class UnitsApi < Grape::API
end
end

hashid = Hashids.new("unit_salt", 8)

desc 'Get units related to the current user for admin purposes'
params do
optional :include_in_active, type: Boolean, desc: 'Include units that are not active'
Expand All @@ -36,17 +38,16 @@ class UnitsApi < Grape::API

units = units.where('active = true') unless params[:include_in_active]

hashid = Hashids.new("unit_salt")

units.each do |unit|
unit.id = hashid.encode(unit.id)
end

present units, with: Entities::UnitEntity, user: current_user, summary_only: true
end

desc "Get a unit's details"
get '/units/:id' do
id = params[:id]
puts id.class
unit_id = hashid.decode(id)[0]
puts unit_id
puts unit_id.class
unit = Unit.includes(
{unit_roles: [:role, :user]},
{task_definitions: :tutorial_stream},
Expand All @@ -58,7 +59,7 @@ class UnitsApi < Grape::API
:group_sets,
:groups,
:group_memberships
).find(params[:id])
).find(unit_id)

unless (authorise? current_user, unit, :get_unit) || (authorise? current_user, User, :admin_units)
error!({ error: "Couldn't find Unit with id=#{params[:id]}" }, 403)
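Review bot: In the `get '/units/:id'` hunk, `hashid.decode(id)[0]` is passed straight to `.find(unit_id)` with no check for a failed decode; as far as I know the Hashids gem returns an empty array for a string it cannot decode, so a malformed or tampered id would reach `find(nil)` and surface as whatever the API does with a RecordNotFound rather than a deliberate response. Guard it before the query, e.g. `unit_id = hashid.decode(params[:id]).first` followed by `error!({ error: "Couldn't find Unit with id=#{params[:id]}" }, 404) if unit_id.nil?`. The three `puts` lines are leftover debug output that writes every requested id and its class to stdout and should be removed before merge. The description says only this endpoint decodes while the entity now emits hashids everywhere, so any other route that accepts a unit id (not visible in these hunks) presumably needs the same decode. The endpoint body continues outside the hunk.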
