🐛 Fix: Ensure backend service provides user id when updating an event #214
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update Event API relies on providing event id and user id to MongoDB API in order to update an event. The frontend provides the event object which contains the event id and the user id. The issues are: - When editing the event, the user id inside the request body event payload is not provided sometimes (no 100% reproduce rate but happens often enough) - We should not depend on the frontend to provide a user id, backend service should overwrite it based on the authenticated user. This ensures that the software does not have a security risk Interestingly I could not reproduce this behaviour on production, I reproduced it only on latest upstream changes. As for why the frontend is not providing the user id sometimes, I am still investigating this. This commit serves as a solution to close this security gap and close the linked issue I believe. Even if this commit solves the issue, we should still investigate why this unexpected behaviour is occurring as it could be a cause for larger issues in the future
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Should fix issue
After attempting to reproduce the issue and following the trail, I realized the error mentioned in the issue is occurring whenever an event is unlinked from a user (a
userproperty, that represents the user id, does not exist in the mongodb event document)the
userproperty is unlinked whenever we overwrite the event without auserproperty.This happens because we rely on frontend request body event payload containing a
userproperty, but as explained below there are instances when its not provided.Update Event API relies on providing event id and user id to MongoDB API in order to update an event. The frontend provides the event object which contains the event id and the user id.
The issues are:
Interestingly I could not reproduce this behaviour on production, I reproduced it only on latest upstream changes.
As for why the frontend is not providing the user id sometimes, I am still investigating this.
Even if this PR solves the issue, we should still investigate why this unexpected behaviour is occurring as it could be a cause for larger issues in the future