Merge pull request #1814 from CVEProject/dr_cross_admin_conversation_bug

Fixes a cross-admin conversation bug where users could post conversations to targets outside of their own organization.

Author: david-rocca

src/controller/conversation.controller/conversation.controller.js

@@ -50,6 +50,14 @@ async function createConversationForTargetUUID (req, res, next) {
     }
 
     const isSecretariat = await orgRepo.isSecretariatByShortName(req.ctx.org)
+
+    if (!isSecretariat) {
+      const orgUUID = await orgRepo.getOrgUUID(req.ctx.org)
+      if (targetUUID !== orgUUID) {
+        return res.status(403).json({ error: 'UNAUTHORIZED', message: 'Unauthorized' })
+      }
+    }
+
     const result = await repo.createConversation(targetUUID, body, user, isSecretariat, { session })
     await session.commitTransaction()
     if (!result) {

test/integration-tests/conversation/conversationTest.js

@@ -160,6 +160,24 @@ describe('Testing Conversation endpoints', () => {
   })
 
   context('Negative Tests', () => {
+    it('Should fail to post a conversation to a different org as a non-Secretariat Admin', async () => {
+      const conversation = {
+        visibility: 'public',
+        body: 'test'
+      }
+      const randomUUID = '123e4567-e89b-12d3-a456-426614174000'
+      await chai.request(app)
+        .post(`/api/conversation/target/${randomUUID}`)
+        .set(constants.nonSecretariatUserHeaders2) // Admin of win_5
+        .send(conversation)
+        .then((res, err) => {
+          expect(err).to.be.undefined
+          expect(res).to.have.status(403)
+          expect(res.body).to.haveOwnProperty('error')
+          expect(res.body.error).to.equal('UNAUTHORIZED')
+        })
+    })
+
     it('Should fail to post a conversation with no body', async () => {
       await chai.request(app)
         .post(`/api/conversation/target/${orgUUID}`)