bcgov/entity

BUG - Security Issue - User is able to see other users' applications

Closed this issue · 16 comments

It is possible to retrieve the details of an application from another user by simply changing the URL:

@jdyck-fw Probably a high-risk item that we want to address.

The 403 error message is covered in #22512. Here's the design in Figma.

Logged in as BCRE0013: https://strr-ui-dev.web.app/application-details/77 (Created by BCREG0040)
I basically see an empty screen, no error message, no feedback etc. Yes, it prevents me from reviewing somebody else's application but I think we can do better with an error message.
image.png

@andyyanggov Could you please shine your light on this one?

Perhaps the error page hasn't been implemented yet. As mentioned in my previous comment, this should be a 403 page that looks like this:
403.png

BTW, I see a similar screen when I get a basic 404 (trying for an application which is simply not there).

I think this should be handled in a separate ticket. Basically, display or redirect to the unauthorized or not-found pages based on the API response error codes. This would need to be implemented across many other pages and not just application-details.

Agree - New tickets to be created

Reopening this ticket as the fix is not correct.

@rstens You can verify with https://strr-ui-dev.web.app/application-details/77

  • Try with a user other than BCREG0040; it should not be accessible
  • Try with user BCREG0040 but with a different profile [not smith autos]

@kris-daxiom @shaangill025 I need some clarity on this issue. I understood that Lekshmi made some changes so that information created by a user is available to all profiles of that user. Or am I mistaken?

@rstens That would be done after bcgov/STRR#152 is merged

@rstens Prior to this fix, the application created in one account was visible in another account that belongs to the same user. Applications should be visible only in the account in which they were created.
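One way to enforce the rule stated above (access scoped to the creating account, not the user) together with the 403/404 routing proposed earlier in the thread, as an added Python example that is not code from the STRR project; the in-memory tables, the `ACCOUNT_MEMBERS` membership model and the route names are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data mirroring the thread: application 77 was created by
# BCREG0040 under the "smith autos" account, and BCREG0040 also has a second
# profile; application 86 belongs to a different user's account.
APPLICATIONS = {
    77: {"account": "smith-autos", "created_by": "BCREG0040"},
    86: {"account": "test-strr-1", "created_by": "BCREG2023"},
}
# Hypothetical membership table: which users may act under which account.
ACCOUNT_MEMBERS = {
    "smith-autos": {"BCREG0040"},
    "other-profile": {"BCREG0040"},
    "test-strr-1": {"BCREG2023"},
}


@dataclass
class ApiResponse:
    status: int
    body: Optional[dict] = None


def get_application_details(app_id: int, user_id: str, account_id: str) -> ApiResponse:
    """Server-side check: the record is scoped to the account that created it."""
    app = APPLICATIONS.get(app_id)
    if app is None:
        return ApiResponse(404)  # genuinely missing -> not-found page
    # The caller must actually belong to the account they claim to act under.
    if user_id not in ACCOUNT_MEMBERS.get(account_id, set()):
        return ApiResponse(403)
    # Scope by account, not by user: the same user under another profile is refused.
    # A distinct 403 does reveal that the id exists; the thread wants separate pages.
    if app["account"] != account_id:
        return ApiResponse(403)
    return ApiResponse(200, app)


# Client side: choose the page from the API status instead of rendering an empty screen.
ERROR_ROUTES = {403: "/unauthorized", 404: "/not-found"}


def route_for(resp: ApiResponse, detail_route: str) -> str:
    """Stay on the details page on success; otherwise redirect to the matching error page."""
    if resp.status == 200:
        return detail_route
    return ERROR_ROUTES.get(resp.status, "/error")
```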

The ability to not see other accounts is work built on top of Shaanjot's work, so Shaanjot will review this for QA.

BREG2025 [BCREG2025 Test Account] - 87, 88
BREG2023 [Business Name 1] - 84, 85
BREG2023 [test strr 1] - 86

Tested and verified.