Maybe everything works, but it is unclear to me how the descendant role declared in thread-role.json is being used for protocol authorization:

It would be good to investigate if this is a special case because we so happen to have the contextId of the thread, and what happens if the descendant role specified is deeper, e.g. `thread/foo/bar/baz`, just to make sure there are no security holes.

If we were to disallow descendant roles, we'd do:

```ts
// Validate the `role` property of an `action` if it exists.
if (action.role !== undefined) {
  // Make sure the role specified is self, a sibling, an uncle, a great uncle, or a separate root record,
  // i.e. the role record must share the same "ancestor-chain" as the record of this rule set.
  // E.g. if the rule set protocol path is `a1/b1/c1` then the role record can be `a2` (an edge case), `a1/b2`, `a1/b1/c1`, `a1/b1/c2`,
  // but NOT `a1/b2/c3` or `a1/b2/c1/d1`.
  const ruleSetParentProtocolPath = ruleSetProtocolPath.substring(0, ruleSetProtocolPath.lastIndexOf('/'));
  // NOTE: substring(0, negative-number) returns an empty string, which is what we want for a root-level path.
  const roleParentProtocolPath = action.role.substring(0, action.role.lastIndexOf('/'));
  // Compare whole path segments: a bare `startsWith` would let `a1/b1` pass as the parent of `a1/b11/c1`.
  const sharesAncestors =
    roleParentProtocolPath === '' ||
    ruleSetParentProtocolPath === roleParentProtocolPath ||
    ruleSetParentProtocolPath.startsWith(roleParentProtocolPath + '/');
  if (!sharesAncestors) {
    throw new DwnError(
      DwnErrorCode.ProtocolsConfigureRoleDoesNotShareSameAncestorsAsRuleSetRecord,
      `Role in action ${JSON.stringify(action)} for rule set ${ruleSetProtocolPath} does not share the same ancestors as the rule set record.`
    );
  }
}
```
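An added worked example (not code from the issue or from dwn-sdk-js) that implements the ancestor-chain rule above as a standalone TypeScript function and also labels the relationship, so the deeper descendant case `thread/foo/bar/baz` raised above shows up explicitly as `descendant`. The names `classifyRole`, `isAllowedRole` and `RoleRelation` are assumptions, and paths are compared segment by segment rather than with a plain string prefix so that `a1/b11` is not mistaken for a child of `a1/b1`.

```typescript
// Hypothetical helper, not part of dwn-sdk-js: how does a `role` protocol path
// relate to the rule set's protocol path in the protocol tree?
type RoleRelation = 'self' | 'sibling' | 'uncle' | 'separateRoot' | 'descendant' | 'unrelated';

// Split "a1/b1/c1" into ["a1", "b1", "c1"], ignoring empty segments.
function segments(path: string): string[] {
  return path.split('/').filter((s) => s.length > 0);
}

// True when `prefix` is a segment-wise prefix of (or equal to) `path`.
function isPrefix(prefix: string[], path: string[]): boolean {
  return prefix.length <= path.length && prefix.every((seg, i) => seg === path[i]);
}

function classifyRole(ruleSetPath: string, rolePath: string): RoleRelation {
  const rule = segments(ruleSetPath);
  const role = segments(rolePath);
  const ruleParent = rule.slice(0, -1);
  const roleParent = role.slice(0, -1);

  if (role.length === rule.length && isPrefix(role, rule)) return 'self';
  // The rule set record is an ancestor of the role record (child, grandchild, ...).
  if (isPrefix(rule, roleParent)) return 'descendant';
  // The role's parent lies on the rule set's own ancestor chain.
  if (isPrefix(roleParent, ruleParent)) {
    if (roleParent.length === 0 && ruleParent.length > 0) return 'separateRoot';
    return roleParent.length === ruleParent.length ? 'sibling' : 'uncle';
  }
  return 'unrelated';
}

// The rule proposed in the issue: descendants (and unrelated branches) are rejected.
function isAllowedRole(ruleSetPath: string, rolePath: string): boolean {
  const rel = classifyRole(ruleSetPath, rolePath);
  return rel === 'self' || rel === 'sibling' || rel === 'uncle' || rel === 'separateRoot';
}

// Constructed sample paths taken from the comment in the issue plus the deeper descendant case.
const samples: Array<[string, string]> = [
  ['a1/b1/c1', 'a2'], ['a1/b1/c1', 'a1/b2'], ['a1/b1/c1', 'a1/b1/c1'], ['a1/b1/c1', 'a1/b1/c2'],
  ['a1/b1/c1', 'a1/b2/c3'], ['a1/b1/c1', 'a1/b2/c1/d1'], ['thread', 'thread/foo/bar/baz'],
];
for (const [ruleSet, role] of samples) {
  console.log(`${ruleSet} <- ${role}: ${classifyRole(ruleSet, role)} (allowed: ${isAllowedRole(ruleSet, role)})`);
}
```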