Updating related resources does not check against the related records

[brianswko]

When updating resources e.g. PATCH /articles/:id/relationships/comments or PATCH /articles/:id with related resources that the user does not have access to, I would expect either a 403 or 404 response instead of a 2xx.

jsonapi-authorization/spec/requests/relationship_operations_spec.rb

Lines 179 to 182 in c7b6907

	it do
	pending 'TODO: Maybe this actually should be succesful?'
	is_expected.to be_not_found
	end

is marked as a pending spec with a not found response, but it currently returns a 204 and updates the article with comments that the user does not have access to. edit: this was a problem with the spec, not the code itself

jsonapi-authorization/spec/requests/tricky_operations_spec.rb

Line 212 in c7b6907

it { is_expected.to be_successful }

explicitly checks that if a user sends a PATCH to an article with comments that the user does not have access to, that a successful response is returned (and though the spec doesn't test it, the article now includes those comments that the user doesn't have access to.

I've confirmed that even when writing a custom ArticlePolicy#replace_comments? method, the comments that are passed in are already limited to those that are in scope by

jsonapi-authorization/lib/jsonapi/authorization/authorizing_processor.rb

Line 335 in c7b6907

resource_class.find_by_keys(assoc_value, context: context).map(&:_model)

so the method never has a chance to raise an error or return false.

I believe this is a bug, and that it started with ad9aad2 when related_models_with_context was added and used find_by_keys instead of _model_class.where(...). I'd change it back in a PR but am uncertain what other ramifications that may have.

Thoughts?

[valscion]

Thank you for the detailed report. This does seem like a bug.

Checking the spec you highlighted more closely:

jsonapi-authorization/spec/requests/relationship_operations_spec.rb

Lines 173 to 183 in c7b6907

	context 'limited by policy scope on comments' do
	let(:comments_scope) { Comment.none }
	before do
	allow_operation('replace_to_many_relationship', source_record: article, new_related_records: new_comments, relationship_type: :comments)
	end
	it do
	pending 'TODO: Maybe this actually should be succesful?'
	is_expected.to be_not_found
	end
	end

It should assert that replace_to_many_relationship was called with all the new comments and not an empty array. Is that not the case? I'm no longer certain if the keywords must all match for allow_operation, but it seems like they must or else the authorization stubbing would not work?

jsonapi-authorization/spec/support/authorization_stubs.rb

Lines 4 to 9 in c7b6907

	def allow_operation(operation, authorizer: instance_double(AUTHORIZER_CLASS), **kwargs)
	allow(authorizer).to receive(operation).with(**kwargs).and_return(nil)
	allow(AUTHORIZER_CLASS).to receive(:new).with(context: kind_of(Hash)).and_return(authorizer)
	authorizer
	end

[brianswko]

That is the problem, that replace_to_many_relationship was called with new_comments (which is comprised solely of comments that the user does not have access to) and the stub forced the authorizer not to raise an error. Because it did not return an error, the spec continued on to attach those comments to the article.

In a non-stubbed test, the authorizer would have checked if the user had update? permissions on the comments (or replace_comments? on the policy) and raised an error at that time. (Side note: It feels like there is a massive over-reliance on stubs in all these request specs)

To clarify:

jsonapi-authorization/spec/requests/relationship_operations_spec.rb

Lines 173 to 183 in c7b6907

	context 'limited by policy scope on comments' do
	let(:comments_scope) { Comment.none }
	before do
	allow_operation('replace_to_many_relationship', source_record: article, new_related_records: new_comments, relationship_type: :comments)
	end
	it do
	pending 'TODO: Maybe this actually should be succesful?'
	is_expected.to be_not_found
	end
	end

is just a broken spec (whether pending or not). The behavior when hitting PATCH /articles/:id/relationships/comments seems correct and raises a 403 (in prod code without stubs) when the user does not have update capabilities on the given comments.

The bigger problem is:

jsonapi-authorization/spec/requests/tricky_operations_spec.rb

Line 212 in c7b6907

it { is_expected.to be_successful }

indicates that the behavior of PATCH /articles/:id is broken when comments are included in the relationships, as it does not raise any errors and continues to update relationships that the user should not have any permissions to see, much less modify.

The difference: Hitting the relationships endpoints goes to

jsonapi-authorization/lib/jsonapi/authorization/authorizing_processor.rb

Lines 186 to 194 in c7b6907

	def authorize_replace_to_many_relationships
	source_resource = @resource_klass.find_by_key(
	params[:resource_id],
	context: context
	)
	source_record = source_resource._model
	relationship_type = params[:relationship_type].to_sym
	new_related_records = model_class_for_relationship(relationship_type).find(params[:data])

which uses a find, and hitting the main resource endpoint goes to

jsonapi-authorization/lib/jsonapi/authorization/authorizing_processor.rb

Lines 116 to 125 in c7b6907

	def authorize_replace_fields
	source_record = @resource_klass.find_by_key(
	params[:resource_id],
	context: context
	)._model
	authorizer.replace_fields(
	source_record: source_record,
	related_records_with_context: related_models_with_context
	)
	end

which uses related_models_with_context.

I believe that creation may also be impacted since it uses related_models_with_context, but I haven't had a chance to verify that yet.

[valscion]

Thank you so much for the digging in extensively. This helps clarify the potential impact this issue has a lot.

So it seems that all the places where we end up calling:

resource_class.find_by_keys

method, can return less records than they should, ending up in a situation where the authorization never sees the records the user should not be able to see in the first place. Yikes 😬

(Side note: It feels like there is a massive over-reliance on stubs in all these request specs)

Yeah, that's true. We didn't come up with another easy-enough alternative back when the specs were done that would've afforded the separation of DefaultPunditAuthorizer from Pundit policies itself.

I don't have any ideas on what to do about those tests now anymore. Converting them to something else than stubs seems like a daunting task.

Would it be possible to assert that the stubbed authorization methods are indeed called with the given parameters and error out otherwise? It seems we wrote those stubs as an expectation of sorts in the spec, but my memory about the details is fuzzy.

---

Would you be able to start a PR that would replace the find_by_keys calls with _model_class.where(...) as you proposed in your original message? We could figure out together what to do about the specs that would be failing after that change.

Any improvements that would also help us avoid accidents like this would also be huge.