marcel/familienarchiv
1
0
Fork 0
Code Issues 109 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(persons): guard review form actions with hasWriteAll server-side

Browse Source 
The four form actions on /persons/review (confirm, delete, merge,
rename) had no server-side permission check — a reader with a hand-
crafted POST could trigger writes that the backend then rejected with
FORBIDDEN, but only after the round-trip. Add the existing hasWriteAll
guard at the top of each action and short-circuit with fail(403,
FORBIDDEN). Mirrors the guard pattern in the rest of the persons
domain (review-only writers must be gated client-side AND server-side).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-28 10:33:23 +02:00
parent 4cc725d546
commit a9cac08f3c
2 changed files with 131 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
frontend/src/routes/persons/review/+page.server.ts
View File

@@ -31,7 +31,10 @@ export async function load({ url, fetch, locals }) {
} }
export const actions = { export const actions = {
confirm: async ({ request, fetch }) => { confirm: async ({ request, fetch, locals }) => {
if (!hasWriteAll(locals)) {
return fail(403, { error: getErrorMessage('FORBIDDEN') });
}
const id = (await request.formData()).get('id') as string; const id = (await request.formData()).get('id') as string;
const api = createApiClient(fetch); const api = createApiClient(fetch);
const result = await api.PATCH('/api/persons/{id}/confirm', { const result = await api.PATCH('/api/persons/{id}/confirm', {
@@ -45,7 +48,10 @@ export const actions = {
return { success: true }; return { success: true };
}, },
delete: async ({ request, fetch }) => { delete: async ({ request, fetch, locals }) => {
if (!hasWriteAll(locals)) {
return fail(403, { error: getErrorMessage('FORBIDDEN') });
}
const id = (await request.formData()).get('id') as string; const id = (await request.formData()).get('id') as string;
const api = createApiClient(fetch); const api = createApiClient(fetch);
const result = await api.DELETE('/api/persons/{id}', { const result = await api.DELETE('/api/persons/{id}', {
@@ -59,7 +65,10 @@ export const actions = {
return { success: true }; return { success: true };
}, },
merge: async ({ request, fetch }) => { merge: async ({ request, fetch, locals }) => {
if (!hasWriteAll(locals)) {
return fail(403, { error: getErrorMessage('FORBIDDEN') });
}
const formData = await request.formData(); const formData = await request.formData();
const id = formData.get('id') as string; const id = formData.get('id') as string;
const targetPersonId = formData.get('targetPersonId') as string; const targetPersonId = formData.get('targetPersonId') as string;
@@ -79,7 +88,10 @@ export const actions = {
return { success: true }; return { success: true };
}, },
rename: async ({ request, fetch }) => { rename: async ({ request, fetch, locals }) => {
if (!hasWriteAll(locals)) {
return fail(403, { error: getErrorMessage('FORBIDDEN') });
}
const formData = await request.formData(); const formData = await request.formData();
const id = formData.get('id') as string; const id = formData.get('id') as string;
const firstName = (formData.get('firstName') as string)?.trim() || undefined; const firstName = (formData.get('firstName') as string)?.trim() || undefined;

115
frontend/src/routes/persons/review/page.server.spec.ts Normal file
View File

@@ -0,0 +1,115 @@
import { describe, it, expect, vi, beforeEach } from 'vitest';
vi.mock('$lib/shared/api.server', () => ({
createApiClient: vi.fn(),
extractErrorCode: (e: unknown) => (e as { code?: string } | undefined)?.code
}));
import { actions } from './+page.server';
import { createApiClient } from '$lib/shared/api.server';
beforeEach(() => vi.clearAllMocks());
const writer = { groups: [{ permissions: ['READ_ALL', 'WRITE_ALL'] }] };
const reader = { groups: [{ permissions: ['READ_ALL'] }] };
/** Mock the typed client with a single response stubbed for every verb. */
function mockApi(response: { ok: boolean; status: number; error?: unknown }) {
const result = {
response: { ok: response.ok, status: response.status },
error: response.error,
data: response.ok ? {} : undefined
};
const apiCall = vi.fn(() => Promise.resolve(result));
vi.mocked(createApiClient).mockReturnValue({
GET: apiCall,
PATCH: apiCall,
POST: apiCall,
PUT: apiCall,
DELETE: apiCall
} as unknown as ReturnType<typeof createApiClient>);
return apiCall;
}
/** Build a SvelteKit RequestEvent with a FormData body and a user shape. */
function runAction(
action: (typeof actions)[keyof typeof actions],
formData: FormData,
user: unknown
) {
return action({
request: new Request('http://localhost', { method: 'POST', body: formData }),
fetch: vi.fn() as unknown as typeof fetch,
locals: { user } as App.Locals
// eslint-disable-next-line @typescript-eslint/no-explicit-any
} as any);
}
describe('persons/review confirm action — WRITE_ALL guard', () => {
it('returns fail(403) when the user lacks WRITE_ALL', async () => {
const apiCall = mockApi({ ok: true, status: 200 });
const fd = new FormData();
fd.append('id', 'p-1');
const result = await runAction(actions.confirm, fd, reader);
expect(apiCall).not.toHaveBeenCalled();
expect(result).toMatchObject({ status: 403 });
});
});
describe('persons/review delete action — WRITE_ALL guard', () => {
it('returns fail(403) when the user lacks WRITE_ALL', async () => {
const apiCall = mockApi({ ok: true, status: 200 });
const fd = new FormData();
fd.append('id', 'p-1');
const result = await runAction(actions.delete, fd, reader);
expect(apiCall).not.toHaveBeenCalled();
expect(result).toMatchObject({ status: 403 });
});
});
describe('persons/review merge action — WRITE_ALL guard', () => {
it('returns fail(403) when the user lacks WRITE_ALL', async () => {
const apiCall = mockApi({ ok: true, status: 200 });
const fd = new FormData();
fd.append('id', 'p-1');
fd.append('targetPersonId', 'p-2');
const result = await runAction(actions.merge, fd, reader);
expect(apiCall).not.toHaveBeenCalled();
expect(result).toMatchObject({ status: 403 });
});
});
describe('persons/review rename action — WRITE_ALL guard', () => {
it('returns fail(403) when the user lacks WRITE_ALL', async () => {
const apiCall = mockApi({ ok: true, status: 200 });
const fd = new FormData();
fd.append('id', 'p-1');
fd.append('lastName', 'Smith');
const result = await runAction(actions.rename, fd, reader);
expect(apiCall).not.toHaveBeenCalled();
expect(result).toMatchObject({ status: 403 });
});
});
// Sanity: writers still pass through (no 403 from the guard). Full happy-path coverage lives
// in the action-by-action describe blocks added later.
describe('persons/review confirm action — writer passes guard', () => {
it('does NOT short-circuit with 403 when the user has WRITE_ALL', async () => {
const apiCall = mockApi({ ok: true, status: 200 });
const fd = new FormData();
fd.append('id', 'p-1');
const result = await runAction(actions.confirm, fd, writer);
expect(apiCall).toHaveBeenCalled();
expect(result).toEqual({ success: true });
});
});