No custom JS for users from other root accounts (like siteadmin)

refs FOO-1264 TEST PLAN: 1) visit an account with custom JS as a siteadmin 2) you should not get custom JS in your page 3) masquerade as a user on the account 4) you should see custom JS Change-Id: I571f2d3d35ccd295d52c03f13b1f861a4ec71c29 Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/254148 Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com> Reviewed-by: Jacob Burroughs <jburroughs@instructure.com> QA-Review: Ethan Vizitei <evizitei@instructure.com> Product-Review: Ethan Vizitei <evizitei@instructure.com>
2020-12-03 10:10:42 -06:00 · 2020-12-03 10:10:42 -06:00 · 4fb9f66d3a
parent b9096bdbae
commit 4fb9f66d3a
3 changed files with 13 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -735,6 +735,10 @@ module ApplicationHelper

  def include_account_js
    return if params[:global_includes] == '0' || !@domain_root_account
+    # custom JS could be used to hijack user stuff.  Let's not allow
+    # it to be rendered unless the pseudonym is really
+    # from this account (or trusts, etc).
+    return if @current_pseudonym && !@current_pseudonym.works_for_account?(brand_config_account)

    includes = if @domain_root_account.allow_global_includes? && (abc = active_brand_config(ignore_high_contrast_preference: true))
      abc.css_and_js_overrides[:js_overrides]
--- a/spec/factories/pseudonym_session_factory.rb
+++ b/spec/factories/pseudonym_session_factory.rb
@ -32,7 +32,8 @@ module Factories
        :login_count => 1,
        :global_account_id => '10000000000001',
        :sis_user_id => 'U001',
-        :shard => Shard.default
+        :shard => Shard.default,
+        :works_for_account? => true
      )
      # at least one thing cares about the id of the pseudonym... using the
      # object_id should make it unique (but obviously things will fail if
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@ -363,6 +363,13 @@ describe ApplicationHelper do
          expect(output).to have_tag 'script', text: %r{https:\\/\\/example.com\\/site_admin\\/account.js}
        end

+        it "will not render for user that doesn't work with that account" do
+          @current_pseudonym = pseudonym_model
+          allow(@current_pseudonym).to receive(:works_for_account?).and_return(false)
+          allow(helper).to receive(:active_brand_config).and_return BrandConfig.create!(js_overrides: 'https://example.com/path/to/overrides.js')
+          expect(helper.include_account_js).to be_nil
+        end
+
        context "sub-accounts" do
          before { set_up_subaccounts }