Comments (13)
sreynen
commented on August 25, 2024
Currently /admin/1/incoming gets /allmessages, which returns every incoming message sent to the Twilio account, regardless of which org the message was part of. Also currently an admin on any org can go to /admin/1/incoming, even if they're not an admin on org ID 1. While client-side org check would be nice, I think the important check for security is on the server (since clients can lie), so my plan is to change /allmessages to /allmessages/{orgID}, confirm the current user is admin on {orgID}, and only return messages from the local database that are attached to {orgID}.
from spoke.
sreynen
commented on August 25, 2024
I went through all the resolvers and mutations to see how they limit access, and here's what I found, with things that I think need tighter security in bold.
Mutations:
- sendReply: only works in development mode, no security concern
- exportCampaign: requires user is org admin
- editOrganizationRoles: requires user is org owner or admin
- joinOrganization: currently anyone can become a texter in any org p1 -- see https://github.com/MoveOnOrg/Spoke/pull/123
- updateTextingHours: requires user is org owner
- updateTextingHoursEnforcement: requires user is org owner
- createInvite: currently anyone can create an invite p2
- createCampaign: requires user is org admin
- unarchiveCampaign: requires user is org admin
- archiveCampaign: requires user is org admin
- startCampaign: requires user is org admin
- editCampaign: requires user is org admin
- createCannedResponse: currently anyone can create a canned response for any user p1 @shakalee14
- createOrganization: requires valid inviteId
- editCampaignContactMessageStatus: currently anyone can edit any message status p1 -- needs assignment security check -- see https://github.com/MoveOnOrg/Spoke/pull/131
- createOptOut: currently anyone can create an opt-out for any contact p1 -- needs assignment security check @shakalee14
- sendMessage: currently anyone can send a message p2
- deleteQuestionResponses: currently anyone can delete responses p1 -- needs assignment security check @shakalee14
- updateQuestionResponses: currently anyone can update responses p1 -- needs assignment security check @shakalee14
Resolvers:
- campaign: requires user is org admin
- assignment: currently requires user is org texter, but not necessarily on loaded assignment p1 -- needs assignment security check -- @sandramchung PR
- organization: currently anyone can load any org p2
- invite: currently requires only logged in user p1 -- see https://github.com/MoveOnOrg/Spoke/pull/125
- inviteByHash: requires logged in user and valid hash
- currentUser: users can only load self
- contact: currently anyone can load any contact p1 -- @sandramchung PR
- organizations: currently only super-admin can load all orgs
from spoke.
shakalee14
commented on August 25, 2024
twilio security one-liner
https://github.com/MoveOnOrg/Spoke/pull/112
from spoke.
shakalee14
commented on August 25, 2024
createInvite: currently anyone can create an invite
- Only admins should be able to create a campaign. Previously you had to email an admin for a link. Should we revert to that behavior?
from spoke.
sreynen
commented on August 25, 2024
Limiting invite creation to admins sounds right to me.
from spoke.
sandramchung
commented on August 25, 2024
For the item contact: currently anyone can load any contact p1:
- texters should be able to load only the contacts assigned to them
- campaign owners can load any contact in the campaigns they own
- admins can load any contact in their organization
from spoke.
shakalee14
commented on August 25, 2024
Nexmo message checking requires us to email [email protected] and request one of the following options:
- Outbound messages can be signed.
- Outbound messages must be signed.
- Inbound messages and DLRs sent to your webhook endpoint are signed.
And then implement a signature workflow. Since we are not working with nexmo and its not a one-liner, I'm going to remove this as a checkbox.
from spoke.
shakalee14
commented on August 25, 2024
Circling back on this, I think createInvite is a p1 issue. We don't want anyone to be able to create an invite to be an admin.
from spoke.
sreynen
commented on August 25, 2024
I marked createInvite as p2 and the invite resolver as p1 thinking we don't want anyone to be able to use an invite, but there's not much harm in creating an invite one can't actually use.
from spoke.
shakalee14
commented on August 25, 2024
https://github.com/MoveOnOrg/Spoke/pull/134 removes create invite org handler from login link for now
from spoke.
sandramchung
commented on August 25, 2024
Per flag in standup, we should set aside a chunk of time to test and document what we've done here.
from spoke.
sandramchung
commented on August 25, 2024
Today I realized that 1) we should document what the permissions should be before we encode them, and 2) I don't understand what the roles (superadmin, owner, admin, texter) mean / what their experience and access should look like per org or campaign. Right now all roles are set per organization.
from spoke.
shakalee14
commented on August 25, 2024
Current roles - owner, admin, texter
from spoke.
Related Issues (20)
- Feature Request: UI to clear Redis cache
- Bug: Admin sidebar not appearing until 2nd refresh
- Feature Request: Set an expiration date on texterroles Redis keys HOT 4
- Main UI - Mobile Update HOT 1
- Feature Request: Typing Message HOT 4
- App crashes immediately in Heroku HOT 5
- Bug: Not able to text all contacts when timezone enforcement is disabled
- Feature Request: Support Postgres versions 15+
- Feature Request: Convert Auth0 Rule to Action
- Bug: Back Button Opt-Out Bug HOT 1
- Bug: Twilio Deprecating Node16 HOT 1
- Feature Request: Forgot Password Option in UI -> Let Users Reset Passwords HOT 1
- Transition all `MoveOnOrg` links in codebase to point towards `StateVoicesNational`
- Apollo Client Update v1 to v3
- Bug: GHCR Failure HOT 3
- Bug: Error when trying to save canned responses HOT 2
- Feature Request: Reply reassignment by batch feature (MoveOn) HOT 2
- Campaign contact "updated_at" not updated when reassigning contacts
- Feature Request: Update data export spacing
- Take Conversations Drop Down
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spoke.