Adding current provider check in permission checker (#4282)

* Adding current provider check in permission checker * Adding extra check * fix * fix * moving to private function * rspec tests * fix

Adding current provider check in permission checker (#4282)
fcb8655c · Hadi Cheaito · GitHub · 751da1b5 · fcb8655c · fcb8655c
Unverified Commit fcb8655c authored Jan 3, 2023 by Hadi Cheaito Committed by GitHub Jan 3, 2023
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -76,7 +76,7 @@ RSpec/AnyInstance:
  Enabled: false

 Metrics/CyclomaticComplexity:
-  Max: 14
+  Max: 15

 Metrics/PerceivedComplexity:
  Max: 13

--- a/app/controllers/api/v1/rooms_controller.rb
+++ b/app/controllers/api/v1/rooms_controller.rb
@@ -64,7 +64,7 @@ module Api
      def create
        return render_error status: :bad_request, errors: 'RoomLimitError' unless PermissionsChecker.new(
          permission_names: 'RoomLimit',
-          user_id: room_params[:user_id], current_user:, friendly_id: nil, record_id: nil
+          user_id: room_params[:user_id], current_user:, friendly_id: nil, record_id: nil, current_provider:
        ).call

        # TODO: amir - ensure accessibility for authenticated requests only.

--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -123,7 +123,7 @@ module Api
      def create_default_room(user)
        return unless user.rooms.count <= 0
        return unless PermissionsChecker.new(permission_names: 'CreateRoom', user_id: user.id, current_user: user, friendly_id: nil,
-                                             record_id: nil).call
+                                             record_id: nil, current_provider:).call

        Room.create(name: "#{user.name}'s Room", user_id: user.id)
      end

--- a/app/controllers/concerns/authorizable.rb
+++ b/app/controllers/concerns/authorizable.rb
@@ -16,13 +16,13 @@ module Authorizable
  # PermissionsChecker service will return a true or false depending on whether the current_user's role has the provided permission_name
  def ensure_authorized(permission_names, user_id: nil, friendly_id: nil, record_id: nil)
    # TODO: - should this return a status: :not_found instead of :unauthorized if the user doesn't have the permission AND the param doesn't exists?
-
    return render_error status: :forbidden unless PermissionsChecker.new(
      current_user:,
      permission_names:,
      user_id:,
      friendly_id:,
-      record_id:
+      record_id:,
+      current_provider:
    ).call
  end


--- a/app/services/permissions_checker.rb
+++ b/app/services/permissions_checker.rb
 # frozen_string_literal: true

 class PermissionsChecker
-  def initialize(current_user:, permission_names:, user_id:, friendly_id:, record_id:)
+  def initialize(current_user:, permission_names:, user_id:, friendly_id:, record_id:, current_provider:)
    @current_user = current_user
    @permission_names = permission_names
    @user_id = user_id
    @friendly_id = friendly_id
    @record_id = record_id
+    @current_provider = current_provider
  end

  def call
+    # check to see if current_user has SuperAdmin role
    return true if @current_user.role == Role.find_by(name: 'SuperAdmin', provider: 'bn')

+    # checking if user is trying to access users/rooms/recordings from different provider
+    return false unless current_provider_check
+
    return true if RolePermission.joins(:permission).exists?(
      role_id: @current_user.role_id,
      permission: { name: @permission_names },
@@ -74,4 +79,20 @@ class PermissionsChecker

    true
  end
+
+  def current_provider_check
+    # check to see if current user is trying to access another provider
+    return false if @current_user.provider != @current_provider
+
+    # check to see if current_user is trying to access a user from another provider
+    return false if @user_id.present? && (@current_user.provider != User.find(@user_id.to_s).provider)
+
+    # check to see if current_user is trying to access a room from another provider
+    return false if @friendly_id.present? && (@current_user.provider != Room.find_by(friendly_id: @friendly_id.to_s).user.provider)
+
+    # check to see if current_user is trying to access a recording from another provider
+    return false if @record_id.present? && (@current_user.provider != Recording.find_by(record_id: @record_id.to_s).user.provider)
+
+    true
+  end
 end
--- a/spec/services/permissions_checker_spec.rb
+++ b/spec/services/permissions_checker_spec.rb
@@ -15,7 +15,8 @@ describe PermissionsChecker, type: :service do
        permission_names: permission.name,
        user_id: '',
        friendly_id: '',
-        record_id: ''
+        record_id: '',
+        current_provider: user.provider
      ).call).to be(true)
    end

@@ -26,7 +27,8 @@ describe PermissionsChecker, type: :service do
        permission_names: permission.name,
        user_id: '',
        friendly_id: '',
-        record_id: ''
+        record_id: '',
+        current_provider: user.provider
      ).call).to be(false)
    end

@@ -37,7 +39,8 @@ describe PermissionsChecker, type: :service do
        permission_names: 'ManageUsers',
        user_id: user.id,
        friendly_id: '',
-        record_id: ''
+        record_id: '',
+        current_provider: user.provider
      ).call).to be(true)
    end

@@ -53,7 +56,8 @@ describe PermissionsChecker, type: :service do
          permission_names: [permission.name, permission2.name],
          user_id: user.id,
          friendly_id: '',
-          record_id: ''
+          record_id: '',
+          current_provider: user.provider
        ).call).to be(true)
      end

@@ -63,7 +67,8 @@ describe PermissionsChecker, type: :service do
          permission_names: %w[ManageRoles ManageRooms ManageUsers],
          user_id: user.id,
          friendly_id: '',
-          record_id: ''
+          record_id: '',
+          current_provider: user.provider
        ).call).to be(true)
      end

@@ -75,9 +80,67 @@ describe PermissionsChecker, type: :service do
          permission_names: [],
          user_id: super_admin_user.id,
          friendly_id: '',
-          record_id: ''
+          record_id: '',
+          current_provider: super_admin_user.provider
        ).call).to be(true)
      end
+
+      context 'Current Provider Checks' do
+        it 'checks the current user provider and returns false if not equal to current provider' do
+          role = create(:role, provider: 'bn')
+          user_bn_provider = create(:user, provider: 'bn', role:)
+          expect(described_class.new(
+            current_user: user_bn_provider,
+            permission_names: [],
+            user_id: '',
+            friendly_id: '',
+            record_id: '',
+            current_provider: user.provider
+          ).call).to be(false)
+        end
+
+        it 'checks the current user provider and returns false if the provider is not equal to user\'s provider' do
+          role = create(:role, provider: 'bn')
+          user_bn_provider = create(:user, provider: 'bn', role:)
+          expect(described_class.new(
+            current_user: user_bn_provider,
+            permission_names: [],
+            user_id: user.id,
+            friendly_id: '',
+            record_id: '',
+            current_provider: user_bn_provider.provider
+          ).call).to be(false)
+        end
+
+        it 'checks the current user provider and returns false if the provider is not equal to rooms\'s user provider' do
+          role = create(:role, provider: 'bn')
+          user_bn_provider = create(:user, provider: 'bn', role:)
+          room = create(:room, user:)
+          expect(described_class.new(
+            current_user: user_bn_provider,
+            permission_names: [],
+            user_id: '',
+            friendly_id: room.friendly_id,
+            record_id: '',
+            current_provider: user_bn_provider.provider
+          ).call).to be(false)
+        end
+
+        it 'checks the current user provider and returns false if the provider is not equal to the recording\'s user provider' do
+          role = create(:role, provider: 'bn')
+          user_bn_provider = create(:user, provider: 'bn', role:)
+          room = create(:room, user:)
+          recording = create(:recording, room:)
+          expect(described_class.new(
+            current_user: user_bn_provider,
+            permission_names: [],
+            user_id: '',
+            friendly_id: '',
+            record_id: recording.record_id,
+            current_provider: user_bn_provider.provider
+          ).call).to be(false)
+        end
+      end
    end
  end
 end