Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🧹🔐 Room: Don't always provide a current_room #1167

Closed
wants to merge 1 commit into from
Closed

🧹🔐 Room: Don't always provide a current_room #1167

wants to merge 1 commit into from

Conversation

zspencer
Copy link
Member

@zspencer zspencer commented Mar 2, 2023

There are many pages that are not in a room, and the policy_scope of current_room could result in a false safety.

That said, we probably should also be writing request specs to confirm that folks get 404 on endpoints outside of their scope...

@zspencer
Room: Don't always provide a current_room
d923849 
- #926
- #1155

There are many pages that are not in a `room`, and the `policy_scope` of
`current_room` could result in a false safety.

That said, we probably should *also* be writing `request` specs to
confirm that folks get 404 on endpoints outside of their scope...
@zspencer zspencer added 🔐 security Relates to security vulnerabilities 🧹 refactor Includes non-behavioral changes labels Mar 2, 2023
@zspencer zspencer requested review from anaulin, KellyAH, daltonrpruitt and a team March 2, 2023 19:55
@zspencer zspencer marked this pull request as draft March 2, 2023 19:57
@zspencer
Copy link
Member Author

zspencer commented Mar 2, 2023

I think this is a mite dangerous, in particular because we do have the idea of an entrance, so I think it's probably best if we don't apply this change.

@anaulin
Copy link
Member

anaulin commented Mar 4, 2023
edited
Loading

Yeah, I don't think it is worth removing current_room. The policy_scope here feels fine, and it feels right to have a current_room at the ApplicationController level. I say let's drop this for now. (We can always revisit if we run into issues again.)

@zspencer zspencer closed this Mar 4, 2023
@zspencer zspencer deleted the security/policy-scope-on-per-controller-basis branch March 4, 2023 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anaulin anaulin Awaiting requested review from anaulin

@KellyAH KellyAH Awaiting requested review from KellyAH

@daltonrpruitt daltonrpruitt Awaiting requested review from daltonrpruitt

Assignees
No one assigned
Labels
🧹 refactor Includes non-behavioral changes 🔐 security Relates to security vulnerabilities
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@zspencer @anaulin