Fix unauthenticated access to table styles. Closes #43.

Re-introduces use of the redis "privacy" hash key as an additional security measure for requests that do not involve PostgreSQL access. Accessing private table styles is tested with this commit. Accessing private table metadata or infowindow is _not_ tested, but should also be fixed now.
2012-08-14 19:26:40 +02:00 · 2012-08-14 19:26:40 +02:00 · ca47fbd10b
commit ca47fbd10b
parent d1869af134
3 changed files with 17 additions and 4 deletions
--- a/lib/cartodb/carto_data.js
+++ b/lib/cartodb/carto_data.js
@ -94,10 +94,23 @@ module.exports = function() {
                        callback(err, true); 
                    });
                } else {
-                    // log to db as unprivileged user
-                    callback(err, true); 
+                    return true; // continue to check if the table is public/private
                }
            }
+            ,function (err, data){
+                if (err) throw err;
+                that.getDatabase(req, this);
+            },
+            function(err, data){
+                if (err) throw err;
+                var redisKey = _.template(that.table_key, {database_name: data, table_name: req.params.table});
+
+                that.retrieve(that.table_metadata_db, redisKey, 'privacy', this);
+            },
+            function(err, data){
+                if (err) throw err;
+                callback(err, data);
+             }
        );
    };

--- a/test/acceptance/server.js
+++ b/test/acceptance/server.js
@ -44,7 +44,7 @@ suite('server', function() {
        }, function() { done(); });
    });

-/* FAILS !
+    // See https://github.com/Vizzuality/Windshaft-cartodb/issues/43
    test("get'ing style of private table should fail when unauthenticated",
    function(done) {
        assert.response(server, {
@ -58,7 +58,6 @@ suite('server', function() {
          done();
        });
    });
-*/

    test("get'ing style of private table should succeed when authenticated",
    function(done) {
--- a/test/prepare_db.sh
+++ b/test/prepare_db.sh
@ -31,5 +31,6 @@ echo 'HSET rails:users:vizzuality database_name "'"${TEST_DB}"'"' | redis-cli -p
 echo "HSET rails:users:vizzuality map_key 1234" | redis-cli -p ${REDIS_PORT} -n 5
 echo "SADD rails:users:vizzuality:map_key 1235" | redis-cli -p ${REDIS_PORT} -n 5
 echo 'HSET rails:'"${TEST_DB}"':my_table infowindow "this, that, the other"' | redis-cli -p ${REDIS_PORT} -n 0
+echo 'HSET rails:'"${TEST_DB}"':test_table_private_1 privacy "0"' | redis-cli -p ${REDIS_PORT} -n 0

 echo "Finished preparing data. Run tests with expresso."