Skip to content

fixes for authorize after security breach Dec 2022 #3097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
raycarrick-ed wants to merge 2 commits into from
Closed

fixes for authorize after security breach Dec 2022 #3097

raycarrick-ed wants to merge 2 commits into from

Conversation

@raycarrick-ed
Copy link
Contributor

@raycarrick-ed raycarrick-ed commented Jan 25, 2022

Fixes DCC #682 .

Changes proposed in this PR:

  • results from a scan of all authorize statements to try fix any further issues after #3084

@raycarrick-ed raycarrick-ed requested a review from briri January 25, 2022 12:13
briri
briri approved these changes Jan 25, 2022
View reviewed changes
Copy link
Contributor

@briri briri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good @raycarrick-ed. I think user_signed_in? would be a better check than @user.is_a?(User)

app/policies/plan_policy.rb Outdated
end

def privately_visible?
@user.is_a?(User)
Copy link
Contributor

@briri briri Jan 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to change these 2 to user_signed_in?

Copy link
Contributor Author

@raycarrick-ed raycarrick-ed Jan 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. That's better.

@briri
Copy link
Contributor

briri commented Jan 25, 2022

thanks for cleaning these policies up!

@raycarrick-ed
Change to testing user signed in
d2c46a9 
Helper user_signed_in? from devise isn't available in policy files. So using @user.present? instead which should be equivalent.
@raycarrick-ed raycarrick-ed deleted the authorize_fixes branch January 28, 2022 13:16
@briri briri mentioned this pull request Feb 14, 2022
Merged
@laurastandaert laurastandaert mentioned this pull request Feb 24, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@briri briri briri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raycarrick-ed @briri