
core/helpers/layouts.js need some refactoring #562

Closed
newsiberian opened this issue Dec 9, 2015 · 4 comments

Comments

@newsiberian
Contributor

Hello, I'm going through the checkout/login workflow and there is a bug: if a guest adds a product to the cart and checks out, he will see workflow stage one, checkout/login, BUT if he refreshes the page the reactionTemplate method will jump over this stage to the second stage. I think this could happen because of this code. Currently we don't have a Layouts collection.
First question is what this snippet should do?

Second question: please take a look at this part. I believe we should remove this part, because it could be a security issue if a user could override cart._id. The same applies to this line.

Also, there is a bug in line 41. This is a fixed version. It occurs when a guest comes to the /checkout route on his first visit to the site.

I think I missed that this method, reactionTemplate, is also used in the dashboard order.
I think that this method is security sensitive; that's why I'm not changing it myself right now.

aaronjudd pushed a commit that referenced this issue Dec 11, 2015
@newsiberian
Contributor Author

Please read more about sensitive data here. It fits the description of what is happening in lines 36 and 41.

@aaronjudd
Contributor

Client-side data is never trusted; the access is controlled in server publications in cart.js. The client should never have access to any data that the user doesn't already have permissions to access. A query such as find or findOne is querying client-side data that has been Meteor.published (filtered on the server) and is using security rules. Specifically, see this

@newsiberian
Contributor Author

Oh, I get it) Thanks for the explanation. Then the last part of this issue: is this part of the code still valid?

@aaronjudd
Contributor

This is part of the functionality of reactionTemplates helper and is meant to allow control of layouts based on permissions of the user. For instance, a shopping club member might have some special member checkout steps and that template would display based on layout permissions defined in the Shops collection and the package registry.

This is all part of a larger incremental implementation of #148 and #517 and is used here: https://gist.github.com/newsiberian/a71f3791cdddd08c3e67#file-layout-js-L91
