Fix: Security issue - Access control of a list submission

Gemfile

@@ -41,12 +41,12 @@ gem 'haml', '~> 5.2.2' # pin see https://github.com/ncbo/ontologies_api/pull/107
 gem 'redcarpet'
 
 # NCBO
-gem 'goo', github: 'ncbo/goo', branch: 'develop'
-gem 'ncbo_annotator', github: 'ncbo/ncbo_annotator', branch: 'develop'
-gem 'ncbo_cron', github: 'ncbo/ncbo_cron', branch: 'develop'
-gem 'ncbo_ontology_recommender', github: 'ncbo/ncbo_ontology_recommender', branch: 'develop'
-gem 'ontologies_linked_data', github: 'ncbo/ontologies_linked_data', branch: 'develop'
-gem 'sparql-client', github: 'ncbo/sparql-client', branch: 'develop'
+gem 'goo', github: 'ncbo/goo', branch: 'master'
+gem 'ncbo_annotator', github: 'ncbo/ncbo_annotator', branch: 'master'
+gem 'ncbo_cron', github: 'ncbo/ncbo_cron', branch: 'master'
+gem 'ncbo_ontology_recommender', github: 'ncbo/ncbo_ontology_recommender', branch: 'master'
+gem 'ontologies_linked_data', github: 'ncbo/ontologies_linked_data', branch: 'master'
+gem 'sparql-client', github: 'ncbo/sparql-client', branch: 'master'
 
 group :development do
   # bcrypt_pbkdf and ed35519 is required for capistrano deployments when using ed25519 keys; see https://github.com/miloserdow/capistrano-deploy/issues/42

Gemfile.lock

@@ -1,7 +1,7 @@
 GIT
   remote: https://github.com/ncbo/goo.git
-  revision: 83425ba6c05d051d86c6f5775540727ce4238443
-  branch: develop
+  revision: daea7822af9e5ca1961d6873a758735133a1b2db
+  branch: master
   specs:
     goo (0.0.2)
       addressable (~> 2.8)
@@ -15,8 +15,8 @@ GIT
 
 GIT
   remote: https://github.com/ncbo/ncbo_annotator.git
-  revision: 067104ae94c0e9d058cfbf419364fbf03f34de43
-  branch: develop
+  revision: 04226ac5840a328e6f906f15c769ee6ee5723102
+  branch: master
   specs:
     ncbo_annotator (0.0.1)
       goo
@@ -26,8 +26,8 @@ GIT
 
 GIT
   remote: https://github.com/ncbo/ncbo_cron.git
-  revision: ed14911ccb28375298c63e7ca1b388ed0c638abb
-  branch: develop
+  revision: 55ac1cad6a14dd7cb5264d4f53801a05537d9cb8
+  branch: master
   specs:
     ncbo_cron (0.0.1)
       dante
@@ -42,8 +42,8 @@ GIT
 
 GIT
   remote: https://github.com/ncbo/ncbo_ontology_recommender.git
-  revision: e6d4449d8b854f17bb54af6de142bc64bff22ab3
-  branch: develop
+  revision: f440ae855a217807fead1d20629a0f187997b973
+  branch: master
   specs:
     ncbo_ontology_recommender (0.0.1)
       goo
@@ -53,8 +53,8 @@ GIT
 
 GIT
   remote: https://github.com/ncbo/ontologies_linked_data.git
-  revision: 711ebf27722355a25a0e53a8204b4ae472902bd0
-  branch: develop
+  revision: a7ad210e846a390f203457be2459719214d142fe
+  branch: master
   specs:
     ontologies_linked_data (0.0.1)
       activesupport
@@ -73,8 +73,8 @@ GIT
 
 GIT
   remote: https://github.com/ncbo/sparql-client.git
-  revision: 55e7dbf858eb571c767bc67868f9af61663859cb
-  branch: develop
+  revision: d418d56a6c9ff5692f925b45739a2a1c66bca851
+  branch: master
   specs:
     sparql-client (1.0.1)
       json_pure (>= 1.4)
@@ -136,7 +136,8 @@ GEM
     domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
     ed25519 (1.3.0)
-    faraday (2.7.10)
+    faraday (2.7.11)
+      base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
@@ -156,8 +157,8 @@ GEM
     google-analytics-data (0.4.0)
       google-analytics-data-v1beta (>= 0.7, < 2.a)
       google-cloud-core (~> 1.6)
-    google-analytics-data-v1beta (0.8.1)
-      gapic-common (>= 0.19.1, < 2.a)
+    google-analytics-data-v1beta (0.9.0)
+      gapic-common (>= 0.20.0, < 2.a)
       google-cloud-errors (~> 1.0)
     google-cloud-core (1.6.0)
       google-cloud-env (~> 1.0)
@@ -238,7 +239,7 @@ GEM
       net-protocol
     net-ssh (7.2.0)
     netrc (0.11.0)
-    newrelic_rpm (9.4.2)
+    newrelic_rpm (9.5.0)
     oj (3.16.1)
     omni_logger (0.1.4)
       logger

controllers/ontology_submissions_controller.rb

@@ -19,9 +19,10 @@ class OntologySubmissionsController < ApplicationController
     ##
     # Display all submissions of an ontology
     get do
-      ont = Ontology.find(params["acronym"]).include(:acronym).first
+      ont = Ontology.find(params["acronym"]).include(:acronym, :administeredBy, :acl, :viewingRestriction).first
       error 422, "Ontology #{params["acronym"]} does not exist" unless ont
       check_last_modified_segment(LinkedData::Models::OntologySubmission, [ont.acronym])
+      check_access(ont)
       ont.bring(submissions: OntologySubmission.goo_attrs_to_load(includes_param))
       reply ont.submissions.sort {|a,b| b.submissionId.to_i <=> a.submissionId.to_i }  # descending order of submissionId
     end

helpers/access_control_helper.rb

@@ -6,15 +6,12 @@ module AccessControlHelper
 
       ##
       # For a given object, check the access control settings. If they are restricted, handle appropriately.
-      # For a list, this will filter out results. For single objects, if will throw an error if access is denied.
+      # For a list, this will filter out results.
+      # For single objects, if will throw an error if access is denied.
       def check_access(obj)
         return obj unless LinkedData.settings.enable_security
         if obj.is_a?(Enumerable)
-          if obj.first.is_a?(LinkedData::Models::Base) && obj.first.access_based_on?
-            check_access(obj.first)
-          else
             filter_access(obj)
-          end
         else
           if obj.respond_to?(:read_restricted?) && obj.read_restricted?
             readable = obj.readable?(env["REMOTE_USER"])

test/controllers/test_ontology_submissions_controller.rb

@@ -192,4 +192,48 @@ def test_download_acl_only
     end
   end
 
+  def test_ontology_submissions_access_controller
+    count, created_ont_acronyms, onts = create_ontologies_and_submissions(ont_count: 2, submission_count: 1, process_submission: false)
+    # case first submission is private
+    acronym = created_ont_acronyms.first
+    ont = onts.first.bring_remaining
+
+    begin
+      allowed_user = User.new({
+                                username: "allowed",
+                                email: "[email protected]",
+                                password: "12345"
+                              })
+      allowed_user.save
+      blocked_user = User.new({
+                                username: "blocked",
+                                email: "[email protected]",
+                                password: "12345"
+                              })
+      blocked_user.save
+
+      ont.acl = [allowed_user]
+      ont.viewingRestriction = "private"
+      ont.save
+
+      LinkedData.settings.enable_security = true
+
+      get "/submissions?apikey=#{allowed_user.apikey}"
+      assert_equal 200, last_response.status
+      submissions = MultiJson.load(last_response.body)
+      assert_equal 2, submissions.size
+
+      get "/submissions?apikey=#{blocked_user.apikey}"
+      assert_equal 200, last_response.status
+      submissions = MultiJson.load(last_response.body)
+      assert_equal 1, submissions.size
+    ensure
+      LinkedData.settings.enable_security = false
+      del = User.find("allowed").first
+      del.delete if del
+      del = User.find("blocked").first
+      del.delete if del
+    end
+  end
+
 end