You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When author is given in a non-owner query filter, buildUnpublishedRecordsBySubscribeAuthorFilter() is always called resulting an internal query that includes the author of query as the author in the filter.
While this is not an elevation in privilege, it is functionally incorrect. Suspecting this issue also affects RecordsSubscribe since the code is a copy from RecordsQuery.
Adding the following test in handlers/records-query.spec.ts will reproduce the issue:
it('should not override the `author` in filter in non-owner query if given.',async()=>{constalice=awaitDidKeyResolver.generate();constbob=awaitDidKeyResolver.generate();constcarol=awaitDidKeyResolver.generate();constprotocolDefinition=freeForAll;constprotocolsConfig=awaitTestDataGenerator.generateProtocolsConfigure({author: alice,
protocolDefinition
});constprotocolsConfigureReply=awaitdwn.processMessage(alice.did,protocolsConfig.message);expect(protocolsConfigureReply.status.code).to.equal(202);// Bob write a recordconstrecordByBob=awaitTestDataGenerator.generateRecordsWrite({author : bob,protocol : protocolDefinition.protocol,schema : protocolDefinition.types.post.schema,dataFormat : protocolDefinition.types.post.dataFormats[0],protocolPath : 'post'});constbobWriteResult=awaitdwn.processMessage(alice.did,recordByBob.message,{dataStream: recordByBob.dataStream});expect(bobWriteResult.status.code).to.equal(202);constrecordByCarol=awaitTestDataGenerator.generateRecordsWrite({author : carol,protocol : protocolDefinition.protocol,schema : protocolDefinition.types.post.schema,dataFormat : protocolDefinition.types.post.dataFormats[0],protocolPath : 'post'});constcarolWriteResult=awaitdwn.processMessage(alice.did,recordByCarol.message,{dataStream: recordByCarol.dataStream});expect(carolWriteResult.status.code).to.equal(202);// Bob query for Carol's recordconstqueryByBob=awaitRecordsQuery.create({filter: {author : carol.did,schema : protocolDefinition.types.post.schema,},signer: Jws.createSigner(bob)});// Verify that no record is return to Bob.constreplyToBobQuery=awaitdwn.processMessage(alice.did,queryByBob.message);expect(replyToBobQuery.status.code).to.equal(200);expect(replyToBobQuery.entries?.length).to.equal(0);// actual result: an entry with Bob being the author is returned.});
The text was updated successfully, but these errors were encountered:
thehenrytsai
changed the title
Given author in non-owner query filter is overwritten
Given author in non-owner query/subscribe filter is overwritten
Jan 24, 2024
When
author
is given in a non-owner query filter,buildUnpublishedRecordsBySubscribeAuthorFilter()
is always called resulting an internal query that includes the author of query as the author in the filter.While this is not an elevation in privilege, it is functionally incorrect. Suspecting this issue also affects
RecordsSubscribe
since the code is a copy fromRecordsQuery
.Adding the following test in
handlers/records-query.spec.ts
will reproduce the issue:The text was updated successfully, but these errors were encountered: