From bddc65a504e3e75726f4e946b91464d70fec9e4a Mon Sep 17 00:00:00 2001
From: Sandro Santilli <strk@keybit.net>
Date: Fri, 28 Feb 2014 16:05:46 +0100
Subject: [PATCH] Forbid instanciating templates of foreign users

Closes #173
Includes testcase
---
 NEWS.md                          |  1 +
 lib/cartodb/cartodb_windshaft.js |  9 ++++++++-
 test/acceptance/templates.js     | 23 +++++++++++++++++++++--
 3 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/NEWS.md b/NEWS.md
index facb4be5..f16f28c6 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -8,6 +8,7 @@ Enhancements:
  - Clarify obscure "ECONNREFUSED" error message (#171)
  - Change some http status responses to be more appropriate to the case
  - Forbid using map signatures of foreign users (#172)
+ - Forbid instanciating templates of foreign users (#173)
 
 Bug fixes:
 
diff --git a/lib/cartodb/cartodb_windshaft.js b/lib/cartodb/cartodb_windshaft.js
index 566fd60c..a592d308 100644
--- a/lib/cartodb/cartodb_windshaft.js
+++ b/lib/cartodb/cartodb_windshaft.js
@@ -454,7 +454,14 @@ var CartodbWindshaft = function(serverOptions) {
       // Format of template_id: [<template_owner>]@<template_id>
       var tpl_id = req.params.template_id.split('@');
       if ( tpl_id.length > 1 ) {
-        if ( tpl_id[0] ) cdbuser = tpl_id[0];
+        if ( tpl_id[0] && tpl_id[0] != cdbuser ) {
+          var err = new Error('Cannot instanciate map of user "'
+                              + tpl_id[0] + '" on database of user "'
+                              + cdbuser + '"')
+          err.http_status = 403;
+          callback(err);
+          return;
+        }
         tpl_id = tpl_id[1];
       }
       var auth_token = req.query.auth_token;
diff --git a/test/acceptance/templates.js b/test/acceptance/templates.js
index 7f156635..563f5330 100644
--- a/test/acceptance/templates.js
+++ b/test/acceptance/templates.js
@@ -817,8 +817,8 @@ suite('template_api', function() {
           assert.response(server, post_request, {},
             function(res) { next(null, res); });
         },
-        function instanciateAuth(err, res)
-        {
+        // See https://github.com/CartoDB/Windshaft-cartodb/issues/173
+        function instanciateForeignDB(err, res) {
           if ( err ) throw err;
           assert.equal(res.statusCode, 401,
             'Unexpected success instanciating template with no auth: '
@@ -828,6 +828,25 @@ suite('template_api', function() {
             "Missing 'error' from response body: " + res.body);
           assert.ok(parsed.error.match(/unauthorized/i),
             'Unexpected error for unauthorized instance : ' + parsed.error);
+          var post_request = {
+              url: '/tiles/template/' + tpl_id + '?auth_token=valid2',
+              method: 'POST',
+              headers: {host: 'foreign', 'Content-Type': 'application/json' },
+              data: JSON.stringify(template_params)
+          }
+          var next = this;
+          assert.response(server, post_request, {},
+            function(res) { next(null, res); });
+        },
+        function instanciateAuth(err, res)
+        {
+          if ( err ) throw err;
+          assert.equal(res.statusCode, 403, res.statusCode + ': ' + res.body);
+          var parsed = JSON.parse(res.body);
+          assert.ok(parsed.hasOwnProperty('error'),
+            "Missing 'error' from response body: " + res.body);
+          assert.ok(parsed.error.match(/cannot instanciate/i),
+            'Unexpected error for forbidden instance : ' + parsed.error);
           var post_request = {
               url: '/tiles/template/' + tpl_id + '?auth_token=valid2',
               method: 'POST',