🐛 Fix: Ensure backend service provides user id when updating an event (#214)

The Update Event API relies on providing the event id and the user id to the MongoDB API in order to update an event.
The frontend provides the event object, which contains the event id and the user id.

The issues are:
- When editing the event, the user id inside the request body event payload is sometimes not provided (not a 100% reproduction rate, but it happens often enough)
- We should not depend on the frontend to provide a user id; the backend service should overwrite it based on the authenticated user. This ensures that the software does not have a security risk

Interestingly, I could not reproduce this behaviour on production; I reproduced it only on the latest upstream changes.

As for why the frontend is sometimes not providing the user id, I am still investigating this. This commit serves as a solution to close this security gap and, I believe, to close the linked issue.

Even if this commit solves the issue, we should still investigate why this unexpected behaviour is occurring, as it could be a cause for larger issues in the future.
that-one-arab authored Jan 7, 2025
1 parent 67db6a0 commit b79eba0
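The pattern the commit describes, as an added example that is not the project's own code: the update document is built from the client payload, but the owner field is always overwritten with the authenticated user's id and `_id` is stripped, and the update itself is scoped by owner so a caller who only knows someone else's event id cannot touch it. `Schema_Event`, `buildEventUpdate`, `updateEventForUser` and the in-memory `InMemoryEvents` stand-in for the Mongo collection are assumptions made for this example; the seed data is constructed.

```typescript
// Added example, not code from the repository. The type below is a stand-in for
// the project's Schema_Event (assumed shape); only the fields used here are declared.
type Schema_Event = {
  _id?: string;
  user?: string;
  title?: string;
  startDate?: string;
  endDate?: string;
};

type StoredEvent = Required<Pick<Schema_Event, "_id" | "user">> & Schema_Event;

// Build the document that will be written. Spread order matters: `user` is
// assigned after the spread, so any client-supplied value is discarded, and a
// payload that omitted `user` (the flaky-frontend case) still gets the right owner.
// `_id` is removed because Mongo does not allow changing it via an update.
function buildEventUpdate(userId: string, event: Schema_Event): Schema_Event {
  const _event: Schema_Event = { ...event, user: userId };
  delete _event._id;
  return _event;
}

// Minimal in-memory stand-in for the events collection (constructed for this example).
class InMemoryEvents {
  private docs = new Map<string, StoredEvent>();

  constructor(seed: StoredEvent[]) {
    for (const d of seed) this.docs.set(d._id, { ...d });
  }

  get(id: string): StoredEvent | undefined {
    return this.docs.get(id);
  }

  // Equivalent of updateOne({ _id, user }, { $set: update }). The filter includes
  // the owner, so setting `user` in the update document is not the only defence:
  // a caller with the wrong user id matches nothing and nothing is written.
  updateOne(filter: { _id: string; user: string }, update: Schema_Event): { matchedCount: number } {
    const doc = this.docs.get(filter._id);
    if (!doc || doc.user !== filter.user) return { matchedCount: 0 };
    this.docs.set(filter._id, { ...doc, ...update, _id: doc._id });
    return { matchedCount: 1 };
  }
}

// `userId` must come from the verified session or token, never from the request
// body; the request body is `event`, and whatever it says about `user` is ignored.
function updateEventForUser(
  store: InMemoryEvents,
  userId: string,
  eventId: string,
  event: Schema_Event,
): { matchedCount: number } {
  const update = buildEventUpdate(userId, event);
  return store.updateOne({ _id: eventId, user: userId }, update);
}
```

The two layers are deliberately separate: `buildEventUpdate` guarantees the stored owner can never be changed by the payload, and the owner-scoped filter in `updateOne` guarantees that an event the caller does not own is never matched in the first place. Either one alone leaves a gap; together they make the request body's `user` field irrelevant.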
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion packages/backend/src/event/queries/event.queries.ts
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,10 @@ export const updateEvent = async (
eventId: string,
event: Schema_Event
) => {
const _event = { ...event };
const _event = {
...event,
user: userId,
};

if ("_id" in event) {
delete _event._id; // mongo doesn't allow changing this field directly
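Review bot: the `user: userId` override is the right direction, but this hunk does not show where `userId` comes from; the commit message says it must be the authenticated user, so confirm that every caller of `updateEvent` passes the id from the verified session or token and never derives it from the request body, otherwise the spoofed value just enters one call earlier. Setting `user` in the update document also does not by itself enforce ownership: the Mongo filter below this hunk (not shown) should match on both the event id and `user: userId`, so that a caller who knows another user's event id cannot update it and have its owner reassigned. A short comment next to `user: userId` saying that the client-supplied value is intentionally discarded would help the next reader understand why the spread is overridden.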
