Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Given author in non-owner query/subscribe filter is overwritten #669

Open
thehenrytsai opened this issue Jan 22, 2024 · 0 comments
Open

Given author in non-owner query/subscribe filter is overwritten #669

thehenrytsai opened this issue Jan 22, 2024 · 0 comments
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@thehenrytsai
Copy link
Member

thehenrytsai commented Jan 22, 2024
edited

When author is given in a non-owner query filter, buildUnpublishedRecordsBySubscribeAuthorFilter() is always called resulting an internal query that includes the author of query as the author in the filter.

While this is not an elevation in privilege, it is functionally incorrect. Suspecting this issue also affects RecordsSubscribe since the code is a copy from RecordsQuery.

Adding the following test in handlers/records-query.spec.ts will reproduce the issue:

      it('should not override the `author` in filter in non-owner query if given.', async () => {
        const alice = await DidKeyResolver.generate();
        const bob = await DidKeyResolver.generate();
        const carol = await DidKeyResolver.generate();

        const protocolDefinition = freeForAll;

        const protocolsConfig = await TestDataGenerator.generateProtocolsConfigure({
          author: alice,
          protocolDefinition
        });
        const protocolsConfigureReply = await dwn.processMessage(alice.did, protocolsConfig.message);
        expect(protocolsConfigureReply.status.code).to.equal(202);

        // Bob write a record
        const recordByBob = await TestDataGenerator.generateRecordsWrite({
          author       : bob,
          protocol     : protocolDefinition.protocol,
          schema       : protocolDefinition.types.post.schema,
          dataFormat   : protocolDefinition.types.post.dataFormats[0],
          protocolPath : 'post'
        });
        const bobWriteResult = await dwn.processMessage(alice.did, recordByBob.message, { dataStream: recordByBob.dataStream });
        expect(bobWriteResult.status.code).to.equal(202);

        const recordByCarol = await TestDataGenerator.generateRecordsWrite({
          author       : carol,
          protocol     : protocolDefinition.protocol,
          schema       : protocolDefinition.types.post.schema,
          dataFormat   : protocolDefinition.types.post.dataFormats[0],
          protocolPath : 'post'
        });
        const carolWriteResult = await dwn.processMessage(alice.did, recordByCarol.message, { dataStream: recordByCarol.dataStream });
        expect(carolWriteResult.status.code).to.equal(202);

        // Bob query for Carol's record
        const queryByBob = await RecordsQuery.create({
          filter: {
            author : carol.did,
            schema : protocolDefinition.types.post.schema,
          },
          signer: Jws.createSigner(bob)
        });

        // Verify that no record is return to Bob.
        const replyToBobQuery = await dwn.processMessage(alice.did, queryByBob.message);
        expect(replyToBobQuery.status.code).to.equal(200);
        expect(replyToBobQuery.entries?.length).to.equal(0);
        
        // actual result: an entry with Bob being the author is returned.
      });
@thehenrytsai thehenrytsai added bug Something isn't working good first issue Good for newcomers labels Jan 22, 2024
@thehenrytsai thehenrytsai mentioned this issue Jan 22, 2024
Merged
@thehenrytsai thehenrytsai changed the title Given author in non-owner query filter is overwritten Given author in non-owner query/subscribe filter is overwritten Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@thehenrytsai