Forbid instanciating templates of foreign users

Closes #173 Includes testcase
2014-02-28 16:05:46 +01:00 · 2014-02-28 16:05:46 +01:00 · bddc65a504
commit bddc65a504
parent ddd2628c19
3 changed files with 30 additions and 3 deletions
--- a/NEWS.md
+++ b/NEWS.md
@ -8,6 +8,7 @@ Enhancements:
 - Clarify obscure "ECONNREFUSED" error message (#171)
 - Change some http status responses to be more appropriate to the case
 - Forbid using map signatures of foreign users (#172)
+ - Forbid instanciating templates of foreign users (#173)

 Bug fixes:

--- a/lib/cartodb/cartodb_windshaft.js
+++ b/lib/cartodb/cartodb_windshaft.js
@ -454,7 +454,14 @@ var CartodbWindshaft = function(serverOptions) {
      // Format of template_id: [<template_owner>]@<template_id>
      var tpl_id = req.params.template_id.split('@');
      if ( tpl_id.length > 1 ) {
-        if ( tpl_id[0] ) cdbuser = tpl_id[0];
+        if ( tpl_id[0] && tpl_id[0] != cdbuser ) {
+          var err = new Error('Cannot instanciate map of user "'
+                              + tpl_id[0] + '" on database of user "'
+                              + cdbuser + '"')
+          err.http_status = 403;
+          callback(err);
+          return;
+        }
        tpl_id = tpl_id[1];
      }
      var auth_token = req.query.auth_token;
--- a/test/acceptance/templates.js
+++ b/test/acceptance/templates.js
@ -817,8 +817,8 @@ suite('template_api', function() {
          assert.response(server, post_request, {},
            function(res) { next(null, res); });
        },
-        function instanciateAuth(err, res)
-        {
+        // See https://github.com/CartoDB/Windshaft-cartodb/issues/173
+        function instanciateForeignDB(err, res) {
          if ( err ) throw err;
          assert.equal(res.statusCode, 401,
            'Unexpected success instanciating template with no auth: '
@ -828,6 +828,25 @@ suite('template_api', function() {
            "Missing 'error' from response body: " + res.body);
          assert.ok(parsed.error.match(/unauthorized/i),
            'Unexpected error for unauthorized instance : ' + parsed.error);
+          var post_request = {
+              url: '/tiles/template/' + tpl_id + '?auth_token=valid2',
+              method: 'POST',
+              headers: {host: 'foreign', 'Content-Type': 'application/json' },
+              data: JSON.stringify(template_params)
+          }
+          var next = this;
+          assert.response(server, post_request, {},
+            function(res) { next(null, res); });
+        },
+        function instanciateAuth(err, res)
+        {
+          if ( err ) throw err;
+          assert.equal(res.statusCode, 403, res.statusCode + ': ' + res.body);
+          var parsed = JSON.parse(res.body);
+          assert.ok(parsed.hasOwnProperty('error'),
+            "Missing 'error' from response body: " + res.body);
+          assert.ok(parsed.error.match(/cannot instanciate/i),
+            'Unexpected error for forbidden instance : ' + parsed.error);
          var post_request = {
              url: '/tiles/template/' + tpl_id + '?auth_token=valid2',
              method: 'POST',