Uploaded image for project: 'COmanage'
  1. COmanage
  2. CO-1668

PetitionController prematurely calls isAuthorized




      The beforeFilter method of the CoPetitionsController calls the isAuthorized method to, as the comment states, 'We need isAuthorized() to run to populate $permissions'

      However, isAuthorized requires the cur_co value to be set to the current CO. This cur_co is determined by the parent::beforeFilter and is ultimately determined by the coef enrollment-flow query parameter.

      The effect of this is that isAuthorized calls RoleComponent::calculateCMRoles and that in turn sets the Session Auth.User.co_person_id value to the first CoPerson it can find based on the current Auth.User.username, regardless of the current CO.

      This Auth.User.co_person_id value is used throughout the code to indicate an actorPersonId. However, in this case, it can be set to CoPerson that is linked to a different CO alltogether. This bug will only show up if the first database row returned happens to be the CoPerson of a different CO. If only one CoPerson is linked to an identifier, the bug does not reveal itself. If more CoPersons have the same identifier, the bug either appears never or always depending on the order of the rows returned by the database, whose sorting order is left to the database.

      The resolution seems to be that CoPetitionsController::beforeFilter either skips isAuthorized until after parent::beforeFilter, or that is sets cur_co before calling isAuthorized.




            benn.oshrin@at.internet2.edu Benn Oshrin
            michiel Michiel Uitdehaag (Inactive)
            0 Vote for this issue
            2 Start watching this issue