Always use both folder and service ID when getting template folder

Currently there aren't any permission checks based on folder IDs in the admin app or the API, so it's possible for a user to modify the folder ID to perform operations on folders outside their service. Our usual way to avoid this is to always use service_id filter when fetching objects from the database.
2026-01-31 06:52:06 -05:00 · 2018-11-07 13:48:18 +00:00
parent 1dbb24065d
commit 36f41c23e1
3 changed files with 10 additions and 10 deletions
--- a/app/dao/template_folder_dao.py
+++ b/app/dao/template_folder_dao.py
@@ -3,8 +3,11 @@ from app.dao.dao_utils import transactional
 from app.models import TemplateFolder


-def dao_get_template_folder_by_id(template_folder_id):
-    return TemplateFolder.query.filter(TemplateFolder.id == template_folder_id).one()
+def dao_get_template_folder_by_id_and_service_id(template_folder_id, service_id):
+    return TemplateFolder.query.filter(
+        TemplateFolder.id == template_folder_id,
+        TemplateFolder.service_id == service_id
+    ).one()


@transactional
--- a/app/template_folder/rest.py
+++ b/app/template_folder/rest.py
@@ -4,7 +4,7 @@ from sqlalchemy.orm.exc import NoResultFound

 from app.dao.template_folder_dao import (
    dao_create_template_folder,
-    dao_get_template_folder_by_id,
+    dao_get_template_folder_by_id_and_service_id,
    dao_update_template_folder,
    dao_delete_template_folder
 )
@@ -49,13 +49,10 @@ def create_template_folder(service_id):

    if data.get('parent_id') is not None:
        try:
-            parent_folder = dao_get_template_folder_by_id(data['parent_id'])
+            dao_get_template_folder_by_id_and_service_id(data['parent_id'], service_id)
        except NoResultFound:
            raise InvalidRequest("parent_id not found", status_code=400)

-        if parent_folder.service_id != service_id:
-            raise InvalidRequest("parent_id belongs to a different service", status_code=400)
-
    template_folder = TemplateFolder(
        service_id=service_id,
        name=data['name'].strip(),
@@ -73,7 +70,7 @@ def rename_template_folder(service_id, template_folder_id):

    validate(data, post_rename_template_folder_schema)

-    template_folder = dao_get_template_folder_by_id(template_folder_id)
+    template_folder = dao_get_template_folder_by_id_and_service_id(template_folder_id, service_id)
    template_folder.name = data['name']

    dao_update_template_folder(template_folder)
@@ -83,7 +80,7 @@ def rename_template_folder(service_id, template_folder_id):

@template_folder_blueprint.route('/<uuid:template_folder_id>', methods=['DELETE'])
 def delete_template_folder(service_id, template_folder_id):
-    template_folder = dao_get_template_folder_by_id(template_folder_id)
+    template_folder = dao_get_template_folder_by_id_and_service_id(template_folder_id, service_id)

    # don't allow deleting if there's anything in the folder (even if it's just more empty subfolders)
    if template_folder.subfolders or template_folder.templates: