Patches for compliance (#1819)

Co-authored-by: Gasper Grom <gasper.grom@gmail.com> Co-authored-by: Joana Maia <joana@crowd.dev>
CrowdDotDev · Nov 15, 2023 · 08bf721 · 08bf721
1 parent 26a140e
commit 08bf721
Show file tree

Hide file tree

Showing 17 changed files with 113 additions and 10 deletions.
diff --git a/backend/src/api/tenant/index.ts b/backend/src/api/tenant/index.ts
@@ -15,6 +15,7 @@ export default (app) => {
   app.get(`/tenant`, safeWrap(require('./tenantList').default))
   app.get(`/tenant/url`, safeWrap(require('./tenantFind').default))
   app.get(`/tenant/:id`, safeWrap(require('./tenantFind').default))
+  app.get(`/tenant/:id/name`, safeWrap(require('./tenantFindName').default))
   app.get(`/tenant/:tenantId/membersToMerge`, safeWrap(require('./tenantMembersToMerge').default))
   app.get(
     `/tenant/:tenantId/organizationsToMerge`,

diff --git a/backend/src/api/tenant/tenantFind.ts b/backend/src/api/tenant/tenantFind.ts
@@ -1,10 +1,13 @@
 import identifyTenant from '../../segment/identifyTenant'
 import TenantService from '../../services/tenantService'
 import Error404 from '../../errors/Error404'
+import PermissionChecker from '../../services/user/permissionChecker'
+import Permissions from '../../security/permissions'
 
 export default async (req, res) => {
+  req.currentTenant = { id: req.params.id }
+  new PermissionChecker(req).validateHas(Permissions.values.memberRead)
   let payload
-
   if (req.params.id) {
     payload = await new TenantService(req).findById(req.params.id)
   } else {

diff --git a/backend/src/api/tenant/tenantFindName.ts b/backend/src/api/tenant/tenantFindName.ts
@@ -0,0 +1,23 @@
+import identifyTenant from '../../segment/identifyTenant'
+import TenantService from '../../services/tenantService'
+import Error404 from '../../errors/Error404'
+
+export default async (req, res) => {
+  // This endpoint is unauthenticated on purpose, but public reprots.
+  const payload = await new TenantService(req).findById(req.params.id)
+
+  if (payload) {
+    if (req.currentUser) {
+      identifyTenant({ ...req, currentTenant: payload })
+    }
+
+    const payloadOut = {
+      name: payload.name,
+      id: payload.id,
+    }
+
+    await req.responseHandler.success(req, res, payloadOut)
+  } else {
+    throw new Error404()
+  }
+}
diff --git a/backend/src/database/repositories/userRepository.ts b/backend/src/database/repositories/userRepository.ts
@@ -547,12 +547,22 @@ export default class UserRepository {
         status: 'active',
       },
     })
+
     record = {
       ...record,
       ...record.json,
     }
     delete record.json
 
+    // Remove sensitive fields
+    delete record.password
+    delete record.emailVerificationToken
+    delete record.emailVerificationTokenExpiresAt
+    delete record.providerId
+    delete record.passwordResetToken
+    delete record.passwordResetTokenExpiresAt
+    delete record.jwtTokenInvalidBefore
+
     if (!record) {
       throw new Error404()
     }

diff --git a/backend/src/i18n/en.ts b/backend/src/i18n/en.ts
@@ -45,6 +45,8 @@ const en = {
       invalidToken: 'Invalid or expired password reset link',
       error: `Invalid email`,
     },
+    passwordInvalid:
+      'Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.',
     emailAddressVerificationEmail: {
       invalidToken: 'Invalid or expired email verification link.',
       error: `Email not recognized.`,

diff --git a/backend/src/security/permissions.ts b/backend/src/security/permissions.ts
@@ -99,7 +99,7 @@ class Permissions {
       },
       userRead: {
         id: 'userRead',
-        allowedRoles: [roles.admin, roles.readonly],
+        allowedRoles: [roles.admin],
         allowedPlans: [
           plans.essential,
           plans.growth,
@@ -110,7 +110,7 @@ class Permissions {
       },
       userAutocomplete: {
         id: 'userAutocomplete',
-        allowedRoles: [roles.admin, roles.readonly],
+        allowedRoles: [roles.admin],
         allowedPlans: [
           plans.essential,
           plans.growth,

diff --git a/backend/src/services/auth/authService.ts b/backend/src/services/auth/authService.ts
@@ -38,6 +38,12 @@ class AuthService {
 
       const existingUser = await UserRepository.findByEmail(email, options)
 
+      const passwordRegex = /^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$/
+
+      if (!passwordRegex.test(password)) {
+        throw new Error400(options.language, 'auth.passwordInvalid')
+      }
+
       // Generates a hashed password to hide the original one.
       const hashedPassword = await bcrypt.hash(password, BCRYPT_SALT_ROUNDS)
 

diff --git a/frontend/src/i18n/en.js b/frontend/src/i18n/en.js
@@ -813,7 +813,7 @@ const en = {
   /* eslint-disable */
   validation: {
     mixed: {
-      default: 'path} is invalid',
+      default: '{path} is invalid',
       required: 'This field is required',
       oneOf:
         '{path} must be one of the following values: ${values}',

diff --git a/frontend/src/modules/auth/pages/signin-page.vue b/frontend/src/modules/auth/pages/signin-page.vue
@@ -72,6 +72,11 @@
                 class="h-4 flex items-center ri-error-warning-line text-base text-red-500"
               />
               <span
+                v-if="error === 'Password is invalid'"
+                class="pl-1 text-2xs text-red-500 leading-4.5"
+              >Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.</span>
+              <span
+                v-else
                 class="pl-1 text-2xs text-red-500 leading-4.5"
               >{{ error }}</span>
             </div>

diff --git a/frontend/src/modules/auth/pages/#-page.vue b/frontend/src/modules/auth/pages/#-page.vue
@@ -129,6 +129,11 @@
                 class="h-4 flex items-center ri-error-warning-line text-base text-red-500"
               />
               <span
+                v-if="error === 'Password is invalid'"
+                class="pl-1 text-2xs text-red-500 leading-4.5"
+              >Passwords must have at least one letter, one number, one symbol, and be at least 8 characters long.</span>
+              <span
+                v-else
                 class="pl-1 text-2xs text-red-500 leading-4.5"
               >{{ error }}</span>
             </div>

diff --git a/frontend/src/modules/layout/components/menu/workspace/menu-workspace-popover.vue b/frontend/src/modules/layout/components/menu/workspace/menu-workspace-popover.vue
@@ -15,7 +15,7 @@
               :disable-active-class="true"
               link-class="!p-3 !h-10 !mb-0 !mt-1 !text-xs"
             />
-            <div class="px-1">
+            <div v-if="hasPermissionsForSettings" class="px-1">
               <div class="p-3 h-10 text-xs text-black mt-1 rounded hover:bg-gray-50 cursor-pointer" @click.stop="emit('edit', tenant)">
                 Edit workspace
               </div>
@@ -25,8 +25,14 @@
       </section>
 
       <!-- Add workspace -->
-      <section class="px-2 pb-3 border-b border-gray-100">
+      <section
+        class="border-b border-gray-100"
+        :class="{
+          'px-2 pb-3': hasPermissionsForSettings,
+        }"
+      >
         <div
+          v-if="hasPermissionsForSettings"
           class="px-3 h-10 text-sm font-normal rounded hover:bg-gray-50 cursor-pointer flex items-center text-brand-500"
           @click="emit('add')"
         >
@@ -102,6 +108,7 @@ import { computed } from 'vue';
 import { useUserStore } from '@/modules/user/store/pinia';
 import { storeToRefs } from 'pinia';
 import { FeatureFlag } from '@/utils/featureFlag';
+import { SettingsPermissions } from '@/modules/settings/settings-permissions';
 
 const emit = defineEmits<{(e:'add'): any, (e: 'edit', value: TenantModel): any}>();
 
@@ -113,6 +120,17 @@ const userStore = useUserStore();
 const { isDeveloperModeActive } = storeToRefs(userStore);
 const { updateDeveloperMode } = userStore;
 
+const hasPermissionsForSettings = computed(
+  () => {
+    const settingsPermissions = new SettingsPermissions(
+      currentTenant.value,
+      currentUser.value,
+    );
+
+    return settingsPermissions.edit || settingsPermissions.lockedForCurrentPlan;
+  },
+);
+
 const tenants = computed<TenantModel[]>(() => {
   const currentTenantId = currentTenant.value.id;
   const restTenants = rows.value.filter((ten: TenantModel) => ten.id !== currentTenantId)

diff --git a/frontend/src/modules/layout/config/links/api-keys.ts b/frontend/src/modules/layout/config/links/api-keys.ts
@@ -1,4 +1,5 @@
 import { MenuLink } from '@/modules/layout/types/MenuLink';
+import { SettingsPermissions } from '@/modules/settings/settings-permissions';
 
 const apiKeys: MenuLink = {
   id: 'api-keys',
@@ -7,7 +8,14 @@ const apiKeys: MenuLink = {
   routeOptions: {
     query: { activeTab: 'api-keys' },
   },
-  display: () => true,
+  display: ({ user, tenant }) => {
+    const settingsPermissions = new SettingsPermissions(
+      tenant,
+      user,
+    );
+
+    return settingsPermissions.edit || settingsPermissions.lockedForCurrentPlan;
+  },
   disable: () => false,
 };
 

diff --git a/frontend/src/modules/layout/config/links/plans-billing.ts b/frontend/src/modules/layout/config/links/plans-billing.ts
@@ -1,4 +1,5 @@
 import { MenuLink } from '@/modules/layout/types/MenuLink';
+import { SettingsPermissions } from '@/modules/settings/settings-permissions';
 
 const plansBilling: MenuLink = {
   id: 'plans-billing',
@@ -7,7 +8,14 @@ const plansBilling: MenuLink = {
   routeOptions: {
     query: { activeTab: 'plans' },
   },
-  display: () => true,
+  display: ({ user, tenant }) => {
+    const settingsPermissions = new SettingsPermissions(
+      tenant,
+      user,
+    );
+
+    return settingsPermissions.edit || settingsPermissions.lockedForCurrentPlan;
+  },
   disable: () => false,
 };
 

diff --git a/frontend/src/modules/layout/config/links/users-permissions.ts b/frontend/src/modules/layout/config/links/users-permissions.ts
@@ -1,4 +1,5 @@
 import { MenuLink } from '@/modules/layout/types/MenuLink';
+import { SettingsPermissions } from '@/modules/settings/settings-permissions';
 
 const usersPermissions: MenuLink = {
   id: 'users-permissions',
@@ -7,7 +8,14 @@ const usersPermissions: MenuLink = {
   routeOptions: {
     query: { activeTab: 'users' },
   },
-  display: () => true,
+  display: ({ user, tenant }) => {
+    const settingsPermissions = new SettingsPermissions(
+      tenant,
+      user,
+    );
+
+    return settingsPermissions.edit || settingsPermissions.lockedForCurrentPlan;
+  },
   disable: () => false,
 };
 

diff --git a/frontend/src/modules/report/pages/report-view-page-public.vue b/frontend/src/modules/report/pages/report-view-page-public.vue
@@ -267,7 +267,7 @@ export default {
         id: this.id,
         tenantId: this.tenantId,
       });
-      this.currentTenant = await TenantService.find(
+      this.currentTenant = await TenantService.findName(
         this.tenantId,
       );
     } else {

diff --git a/frontend/src/modules/tenant/tenant-service.js b/frontend/src/modules/tenant/tenant-service.js
@@ -119,6 +119,11 @@ export class TenantService {
     return response.data;
   }
 
+  static async findName(id) {
+    const response = await authAxios.get(`/tenant/${id}/name`);
+    return response.data;
+  }
+
   static async findByUrl(url) {
     const response = await authAxios.get('/tenant/url', {
       params: { url },

diff --git a/frontend/src/modules/user/user-model.js b/frontend/src/modules/user/user-model.js
@@ -31,6 +31,7 @@ const fields = {
   }),
   password: new StringField('password', label('password'), {
     required: true,
+    matches: /^(?=.*[A-Za-z])(?=.*\d)(?=.*[@$!%*#?&])[A-Za-z\d@$!%*#?&]{8,}$/,
   }),
   passwordConfirmation: new StringField(
     'passwordConfirmation',