From d988b44c00566512f34dae133baacd571b82f6aa Mon Sep 17 00:00:00 2001
From: Fr3akyMurk
Date: Tue, 27 Feb 2024 14:29:41 +0100
Subject: [PATCH 1/5] Vulnerability Fix: Deny edits from other users.

Users currently can go to other peoples posts and edit them without any checks if its their post or not, all they have to do is figure out the id for the post and go to /editor/[postId], do their edits and save it. This can be very bad (not so much in this circumstance).
---
 src/app/(main)/editor/[postId]/_components/post-editor.tsx | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/app/(main)/editor/[postId]/_components/post-editor.tsx b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
index 7744251..a562c56 100644
--- a/src/app/(main)/editor/[postId]/_components/post-editor.tsx
+++ b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
@@ -50,6 +50,11 @@ export const PostEditor = ({ post }: Props) => {
 resolver: zodResolver(schema),
 });
 const onSubmit = form.handleSubmit(async (values) => {
+ if (user.id !== post.userId) {
+ toast('You do not have permission to edit this post.');
+ return;
+ }
+
 updatePost.mutate({ id: post.id, ...values });
 });

From 68d1e04691a86f048752e0ed1017cda94c30fe43 Mon Sep 17 00:00:00 2001
From: Fr3akyMurk
Date: Tue, 27 Feb 2024 15:05:48 +0100
Subject: [PATCH 2/5] Add the missing code (forgot to add a few lines)

---
 src/app/(main)/editor/[postId]/_components/post-editor.tsx | 2 ++
 src/app/(main)/editor/[postId]/page.tsx | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/app/(main)/editor/[postId]/_components/post-editor.tsx b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
index a562c56..e66e551 100644
--- a/src/app/(main)/editor/[postId]/_components/post-editor.tsx
+++ b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
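Review bot: The ownership check is placed in the client-side submit handler of `post-editor.tsx`, so it only stops this form from calling `updatePost.mutate`; the `post.update` mutation itself remains callable by any authenticated client that sends the request directly, and per the commit description the `/editor/[postId]` page still serves another user's post, so the vulnerability the message describes is not actually closed. The deny decision has to be made on the server, in the `post.update` procedure (outside this patch), by comparing the session user's id with the stored post's `userId` and rejecting the write before it happens — with tRPC that is a thrown `TRPCError` with code `FORBIDDEN` — and the page should not hand an editor to a non-owner at all. The toast can stay as feedback, but it must not be the only check. The reworked versions of this block in PATCH 3 and PATCH 5, and the `user` prop plumbing in PATCH 2 and PATCH 4, inherit the same gap. The enclosing `PostEditor` component continues outside the hunk.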
@@ -21,11 +21,13 @@ import { api } from "@/trpc/react";
 import { Pencil2Icon } from "@/components/icons";
 import { LoadingButton } from "@/components/loading-button";
 import Link from "next/link";
+import { toast } from "sonner";
 const markdownlink = "https://remarkjs.github.io/react-markdown/" // Can also be changed for something like /markdown
 interface Props {
 post: RouterOutputs["post"]["get"];
+ user: any;
 }
 const schema = z.object({
diff --git a/src/app/(main)/editor/[postId]/page.tsx b/src/app/(main)/editor/[postId]/page.tsx
index 0603606..230dfa3 100644
--- a/src/app/(main)/editor/[postId]/page.tsx
+++ b/src/app/(main)/editor/[postId]/page.tsx
@@ -29,7 +29,7 @@ export default async function EditPostPage({ params }: Props) {
 back to dashboard
-
+
 );
 }

From f34b9ba8eff928b9ef7f44d5c41b1faf02c46342 Mon Sep 17 00:00:00 2001
From: Fr3akymurk
Date: Tue, 27 Feb 2024 19:25:07 +0100
Subject: [PATCH 3/5] Fixed linting & code errors.

---
 .../[postId]/_components/post-editor.tsx | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/app/(main)/editor/[postId]/_components/post-editor.tsx b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
index e66e551..81205f2 100644
--- a/src/app/(main)/editor/[postId]/_components/post-editor.tsx
+++ b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
@@ -27,7 +27,10 @@ const markdownlink = "https://remarkjs.github.io/react-markdown/" // Can also be
 interface Props {
 post: RouterOutputs["post"]["get"];
- user: any;
+}
+
+type usertype = {
+ id: string;
 }
 const schema = z.object({
@@ -39,7 +42,7 @@ const schema = z.object({
 .max(2048 * 2),
 });
-export const PostEditor = ({ post }: Props) => {
+export const PostEditor = ({ post }: Props, user: usertype) => {
 if (!post) return null;
 const formRef = useRef(null);
 const updatePost = api.post.update.useMutation();
@@ -52,13 +55,18 @@ export const PostEditor = ({ post }: Props) => {
 resolver: zodResolver(schema),
 });
 const onSubmit = form.handleSubmit(async (values) => {
- if (user.id !== post.userId) {
- toast('You do not have permission to edit this post.');
+ if (user.id == post.userId) {
+ updatePost.mutate({ id: post.id, ...values });
 return;
 }
-
- updatePost.mutate({ id: post.id, ...values });
+ if (!user) {
+ toast('You need to log in to edit this post.');
+ return;
+ }
+ toast('You do not have permission to edit this post.');
+ return;
 });
+
 return (
 <>

From 33fafd9d003f3a38d1ceea7fb7195130873d20d6 Mon Sep 17 00:00:00 2001
From: Fr3akymurk
Date: Tue, 27 Feb 2024 19:28:53 +0100
Subject: [PATCH 4/5] Fixed typescript issues.

---
 .../editor/[postId]/_components/post-editor.tsx | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/app/(main)/editor/[postId]/_components/post-editor.tsx b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
index 81205f2..45fe7c3 100644
--- a/src/app/(main)/editor/[postId]/_components/post-editor.tsx
+++ b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
@@ -25,14 +25,15 @@ import { toast } from "sonner";
 const markdownlink = "https://remarkjs.github.io/react-markdown/" // Can also be changed for something like /markdown
-interface Props {
- post: RouterOutputs["post"]["get"];
-}
-
 type usertype = {
 id: string;
 }
+interface Props {
+ post: RouterOutputs["post"]["get"];
+ user: usertype;
+}
+
 const schema = z.object({
 title: z.string().min(3).max(255),
 excerpt: z.string().min(3).max(255),
@@ -42,7 +43,7 @@ const schema = z.object({
 .max(2048 * 2),
 });
-export const PostEditor = ({ post }: Props, user: usertype) => {
+export const PostEditor = ({ post, user }: Props) => {
 if (!post) return null;
 const formRef = useRef(null);
 const updatePost = api.post.update.useMutation();

From af6c1a2cc350e3b6a5b991c183bbafbdbe9bd7c0 Mon Sep 17 00:00:00 2001
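Review bot: The new `if (!user)` branch in the `@@ -52,13 +55,18 @@` hunk is unreachable, because `user.id` is already dereferenced in the condition above it; a missing `user` throws a TypeError there and the 'You need to log in' toast can never fire, so the null guard would have to be the first statement of the handler, ahead of `if (user.id === post.userId)`. The comparison was also changed from `!==` to `==`; use `===`, since `usertype.id` is declared as `string`. In the PATCH 4 hunks on this same line, `usertype` should follow the PascalCase convention for type aliases (`UserType`), and `id: string` is assumed to match the type of `post.userId` — worth confirming against `RouterOutputs["post"]["get"]` rather than redeclaring it by hand. The `PostEditor` component begins and ends outside these hunks.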
From: Fr3akymurk
Date: Tue, 27 Feb 2024 19:33:48 +0100
Subject: [PATCH 5/5] Overall fixes, read the comment.

---
 src/app/(main)/editor/[postId]/_components/post-editor.tsx | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/app/(main)/editor/[postId]/_components/post-editor.tsx b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
index 45fe7c3..f2986df 100644
--- a/src/app/(main)/editor/[postId]/_components/post-editor.tsx
+++ b/src/app/(main)/editor/[postId]/_components/post-editor.tsx
@@ -58,12 +58,10 @@ export const PostEditor = ({ post, user }: Props) => {
 const onSubmit = form.handleSubmit(async (values) => {
 if (user.id == post.userId) {
 updatePost.mutate({ id: post.id, ...values });
+ toast('Saved the post successfully.');
 return;
 }
- if (!user) {
- toast('You need to log in to edit this post.');
- return;
- }
+
 toast('You do not have permission to edit this post.');
 return;
 });
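Review bot: `toast('Saved the post successfully.')` runs synchronously right after `updatePost.mutate(...)`, before the request has completed, so the user is told the post was saved even when the server rejects it (validation error, network failure, or the ownership rejection that belongs on the server side). Report the outcome from the mutation's callbacks instead: `updatePost.mutate({ id: post.id, ...values }, { onSuccess: () => toast('Saved the post successfully.'), onError: (err) => toast(err.message) });`. The `return;` left after the permission toast is redundant as the last statement of the handler, and `==` on the line above should be `===`. The enclosing `PostEditor` component continues outside the hunk.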