### Vulnerability overview

The issue concerns accesses created from an e-mail invitation receiving the wrong role. Specifically, while trying to track down a bug, it was found that accesses created from an e-mail address sometimes carried the wrong role.

### Scope

- **Module**: `api/invitations`
- **Files**:
  - `test_api_domain_invitations_create.py`
  - `test_invitations.py`

### Fix

1. **Test case updates**:
   - In `test_api_domain_invitations_create.py`, the test case was updated to ensure that accesses created from an e-mail have the correct role.
   - In `test_invitations.py`, the test case was updated to verify whether accesses created from an e-mail have the correct role.

2. **Code changes**:
   - The following code was added to `test_api_domain_invitations_create.py`:

```python
def test_api_domain_invitations_should_not_create_duplicate_invitations():
    # ...
    # Post an invitation for an e-mail that already has one on this domain,
    # using a different role value than the stored invitation.
    response = client.post(
        f"/api/v1.0/mail-domains/{invitation.domain.slug}/invitations/",
        json={
            "email": existing_invitation.email,
            "role": "viewer",
        },
    )
    assert response.status_code == status.HTTP_400_BAD_REQUEST
    assert response.json()["all_"] == [
        "Mail domain invitation with this Email address and Domain already exists."
    ]
    # Specifically one invitation, not two.
    assert models.MailDomainInvitation.objects.count() == 1
    inv = models.MailDomainInvitation.objects.get()
    # The stored invitation keeps its original role.
    assert inv.role == existing_invitation.role
```

   - The following code was added to `test_invitations.py`:

```python
def test_models_domain_invitation_should_convert_invitations_to_accesses_upon():
    # ...
    # Same e-mail invited to several domains with different roles.
    invitation_to_domain = factories.MailDomainInvitationFactory(
        domain=domain, email=email, role=enum.MailDomainRoleChoices.OWNER
    )
    invitation_to_domain2 = factories.MailDomainInvitationFactory(email=email)
    # A further invitation for the same e-mail on yet another domain.
    invitation_domain2 = factories.MailDomainInvitationFactory(email=email)
    # ...
    # Once the user exists, an access must exist for each invited domain.
    assert models.MailDomainAccess.objects.filter(
        domain=invitation_to_domain.domain, user=new_user
    ).exists()
    assert models.MailDomainAccess.objects.filter(
        domain=invitation_to_domain2.domain, user=new_user
    ).exists()
    # ...
```

### PoC code

The PoC consists of the two updated test cases shown above.
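As an added example that is not the project's own code: an in-memory stand-in for the invitation model that shows the two properties the updated tests assert, namely that a second invitation for the same (domain, e-mail) pair is rejected instead of changing the stored role, and that conversion on user creation copies the role from the invitation matching that exact domain. The class and function names, the role strings and the lower-casing of the e-mail are assumptions made for the example.

```python
from dataclasses import dataclass

DUPLICATE_MSG = "Mail domain invitation with this Email address and Domain already exists."


@dataclass(frozen=True)
class Invitation:  # stand-in for MailDomainInvitation (assumption)
    domain: str
    email: str
    role: str


@dataclass(frozen=True)
class Access:  # stand-in for MailDomainAccess (assumption)
    domain: str
    user_email: str
    role: str


class InvitationStore:
    """Keeps exactly one invitation per (domain, e-mail) pair."""

    def __init__(self):
        self._by_key = {}  # (domain, email) -> Invitation

    def create(self, domain, email, role):
        key = (domain, email.lower())
        if key in self._by_key:
            # Reject rather than overwrite: a later request with another role
            # must never change the role that was originally granted.
            raise ValueError(DUPLICATE_MSG)
        self._by_key[key] = Invitation(domain, email.lower(), role)
        return self._by_key[key]

    def count(self):
        return len(self._by_key)

    def role_of(self, domain, email):
        return self._by_key[(domain, email.lower())].role

    def convert_to_accesses(self, new_user_email):
        """Turn every pending invitation for this e-mail into an access.

        The role comes from the invitation for that specific domain, never
        from another invitation of the same e-mail on a different domain.
        """
        email = new_user_email.lower()
        consumed = [key for key in self._by_key if key[1] == email]
        accesses = [Access(d, email, self._by_key[(d, e)].role) for d, e in consumed]
        for key in consumed:  # an invitation is used exactly once
            del self._by_key[key]
        return accesses


def try_create(store, domain, email, role):
    """Return None on success or the error text, mirroring the HTTP 400 body."""
    try:
        store.create(domain, email, role)
        return None
    except ValueError as exc:
        return str(exc)
```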