
Move email, name from url to body to protect PII (#3528)
imnasnainaec authored Jan 21, 2025
1 parent 0b4e971 commit 25cff36
Showing 6 changed files with 105 additions and 81 deletions.
10 changes: 6 additions & 4 deletions Backend/Controllers/SpeakerController.cs
Expand Up @@ -7,6 +7,7 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ModelBinding;

namespace BackendFramework.Controllers
{
Expand Down Expand Up @@ -96,9 +97,9 @@ public async Task<IActionResult> GetSpeaker(string projectId, string speakerId)

/// <summary> Creates a <see cref="Speaker"/> for the specified projectId </summary>
/// <returns> Id of created Speaker </returns>
[HttpGet("create/{name}", Name = "CreateSpeaker")]
[HttpPut("create", Name = "CreateSpeaker")]
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(string))]
public async Task<IActionResult> CreateSpeaker(string projectId, string name)
public async Task<IActionResult> CreateSpeaker(string projectId, [FromBody, BindRequired] string name)
{
// Check permissions
if (!await _permissionService.HasProjectPermission(
Expand Down Expand Up @@ -193,9 +194,10 @@ public async Task<IActionResult> RemoveConsent(string projectId, string speakerI

/// <summary> Updates the <see cref="Speaker"/>'s name for the specified projectId and speakerId </summary>
/// <returns> Id of updated Speaker </returns>
[HttpGet("update/{speakerId}/{name}", Name = "UpdateSpeakerName")]
[HttpPut("update/{speakerId}", Name = "UpdateSpeakerName")]
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(string))]
public async Task<IActionResult> UpdateSpeakerName(string projectId, string speakerId, string name)
public async Task<IActionResult> UpdateSpeakerName(
string projectId, string speakerId, [FromBody, BindRequired] string name)
{
// Check permissions
if (!await _permissionService.HasProjectPermission(
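Review bot: With `name` now bound from the request body, the two actions should reject empty or whitespace names explicitly — a route segment could never be empty, but a JSON body of `""` binds successfully and reaches the rest of the method unless the part of the body not shown here already checks it. A guard right after the signature would restore the invariant the old route implicitly enforced: `if (string.IsNullOrWhiteSpace(name)) { return BadRequest("name must not be blank"); }`. The same applies to `UpdateSpeakerName` in the second hunk of this file. Separately, `CreateSpeaker` now answers `PUT create` with no client-chosen identifier in the path, where POST is the conventional verb for creating a server-named resource; if PUT was chosen to match the other endpoints, a one-line comment on the attribute saying so would save the next reader the question. Both action bodies start inside their hunks and continue past them.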
10 changes: 5 additions & 5 deletions Backend/Controllers/UserController.cs
Expand Up @@ -154,9 +154,9 @@ public async Task<IActionResult> GetUser(string userId)
}

/// <summary> Returns <see cref="User"/> with the specified email address. </summary>
[HttpGet("getemail/{email}", Name = "GetUserByEmail")]
[HttpPut("getbyemail", Name = "GetUserByEmail")]
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(User))]
public async Task<IActionResult> GetUserByEmail(string email)
public async Task<IActionResult> GetUserByEmail([FromBody, BindRequired] string email)
{
if (!_permissionService.IsCurrentUserAuthorized(HttpContext))
{
Expand Down Expand Up @@ -200,17 +200,17 @@ public async Task<IActionResult> CreateUser([FromBody, BindRequired] User user)

/// <summary> Checks whether specified email address is taken or empty. </summary>
[AllowAnonymous]
[HttpGet("isemailtaken/{email}", Name = "IsEmailUnavailable")]
[HttpPut("isemailtaken", Name = "IsEmailUnavailable")]
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(bool))]
public async Task<IActionResult> IsEmailUnavailable(string email)
public async Task<IActionResult> IsEmailUnavailable([FromBody, BindRequired] string email)
{
var isUnavailable = string.IsNullOrWhiteSpace(email) || await _userRepo.GetUserByEmail(email) is not null;
return Ok(isUnavailable);
}

/// <summary> Updates <see cref="User"/> with specified id. </summary>
/// <returns> Id of updated user. </returns>
[HttpPut("{userId}", Name = "UpdateUser")]
[HttpPut("updateuser/{userId}", Name = "UpdateUser")]
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(string))]
public async Task<IActionResult> UpdateUser(string userId, [FromBody, BindRequired] User user)
{
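Review bot: `IsEmailUnavailable` remains `[AllowAnonymous]` and still tells any caller whether a given address has an account; moving the address into the body keeps it out of access logs, proxies and browser history, which is the stated goal, but it does not change that an unauthenticated client can probe for registered emails one request at a time. If the anonymity is deliberate for the signup flow, it is worth recording the trade-off on the action so it is not later mistaken for an oversight, e.g. `// Anonymous by design for the signup form; it reveals whether an address is registered, so it depends on whatever request throttling fronts this route.`. Separately, `GetUserByEmail` and `IsEmailUnavailable` are lookups that modify nothing, and PUT signals idempotent replacement of the resource at that path; POST is the conventional verb for a read that must carry a body, and the generated client would follow whichever the attribute declares.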
2 changes: 1 addition & 1 deletion Backend/Controllers/UserRoleController.cs
Expand Up @@ -366,7 +366,7 @@ public async Task<IActionResult> ChangeOwner(string projectId, string oldUserId,
if (newResult != ResultOfUpdate.Updated)
{
return StatusCode(StatusCodes.Status304NotModified, newRoleId);
};
}

// Change the old owner to a project admin
oldUserRole.Role = Role.Administrator;
78 changes: 46 additions & 32 deletions src/api/api/speaker-api.ts
Expand Up @@ -49,22 +49,23 @@ export const SpeakerApiAxiosParamCreator = function (
/**
*
* @param {string} projectId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
createSpeaker: async (
projectId: string,
name: string,
body: string,
options: any = {}
): Promise<RequestArgs> => {
// verify required parameter 'projectId' is not null or undefined
assertParamExists("createSpeaker", "projectId", projectId);
// verify required parameter 'name' is not null or undefined
assertParamExists("createSpeaker", "name", name);
const localVarPath = `/v1/projects/{projectId}/speakers/create/{name}`
.replace(`{${"projectId"}}`, encodeURIComponent(String(projectId)))
.replace(`{${"name"}}`, encodeURIComponent(String(name)));
// verify required parameter 'body' is not null or undefined
assertParamExists("createSpeaker", "body", body);
const localVarPath = `/v1/projects/{projectId}/speakers/create`.replace(
`{${"projectId"}}`,
encodeURIComponent(String(projectId))
);
// use dummy base URL string because the URL constructor only accepts absolute URLs.
const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
let baseOptions;
Expand All @@ -73,13 +74,15 @@ export const SpeakerApiAxiosParamCreator = function (
}

const localVarRequestOptions = {
method: "GET",
method: "PUT",
...baseOptions,
...options,
};
const localVarHeaderParameter = {} as any;
const localVarQueryParameter = {} as any;

localVarHeaderParameter["Content-Type"] = "application/json";

setSearchParams(localVarUrlObj, localVarQueryParameter, options.query);
let headersFromBaseOptions =
baseOptions && baseOptions.headers ? baseOptions.headers : {};
Expand All @@ -88,6 +91,11 @@ export const SpeakerApiAxiosParamCreator = function (
...headersFromBaseOptions,
...options.headers,
};
localVarRequestOptions.data = serializeDataIfNeeded(
body,
localVarRequestOptions,
configuration
);

return {
url: toPathString(localVarUrlObj),
Expand Down Expand Up @@ -382,27 +390,26 @@ export const SpeakerApiAxiosParamCreator = function (
*
* @param {string} projectId
* @param {string} speakerId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
updateSpeakerName: async (
projectId: string,
speakerId: string,
name: string,
body: string,
options: any = {}
): Promise<RequestArgs> => {
// verify required parameter 'projectId' is not null or undefined
assertParamExists("updateSpeakerName", "projectId", projectId);
// verify required parameter 'speakerId' is not null or undefined
assertParamExists("updateSpeakerName", "speakerId", speakerId);
// verify required parameter 'name' is not null or undefined
assertParamExists("updateSpeakerName", "name", name);
// verify required parameter 'body' is not null or undefined
assertParamExists("updateSpeakerName", "body", body);
const localVarPath =
`/v1/projects/{projectId}/speakers/update/{speakerId}/{name}`
`/v1/projects/{projectId}/speakers/update/{speakerId}`
.replace(`{${"projectId"}}`, encodeURIComponent(String(projectId)))
.replace(`{${"speakerId"}}`, encodeURIComponent(String(speakerId)))
.replace(`{${"name"}}`, encodeURIComponent(String(name)));
.replace(`{${"speakerId"}}`, encodeURIComponent(String(speakerId)));
// use dummy base URL string because the URL constructor only accepts absolute URLs.
const localVarUrlObj = new URL(localVarPath, DUMMY_BASE_URL);
let baseOptions;
Expand All @@ -411,13 +418,15 @@ export const SpeakerApiAxiosParamCreator = function (
}

const localVarRequestOptions = {
method: "GET",
method: "PUT",
...baseOptions,
...options,
};
const localVarHeaderParameter = {} as any;
const localVarQueryParameter = {} as any;

localVarHeaderParameter["Content-Type"] = "application/json";

setSearchParams(localVarUrlObj, localVarQueryParameter, options.query);
let headersFromBaseOptions =
baseOptions && baseOptions.headers ? baseOptions.headers : {};
Expand All @@ -426,6 +435,11 @@ export const SpeakerApiAxiosParamCreator = function (
...headersFromBaseOptions,
...options.headers,
};
localVarRequestOptions.data = serializeDataIfNeeded(
body,
localVarRequestOptions,
configuration
);

return {
url: toPathString(localVarUrlObj),
Expand Down Expand Up @@ -506,20 +520,20 @@ export const SpeakerApiFp = function (configuration?: Configuration) {
/**
*
* @param {string} projectId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
async createSpeaker(
projectId: string,
name: string,
body: string,
options?: any
): Promise<
(axios?: AxiosInstance, basePath?: string) => AxiosPromise<string>
> {
const localVarAxiosArgs = await localVarAxiosParamCreator.createSpeaker(
projectId,
name,
body,
options
);
return createRequestFunction(
Expand Down Expand Up @@ -682,14 +696,14 @@ export const SpeakerApiFp = function (configuration?: Configuration) {
*
* @param {string} projectId
* @param {string} speakerId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
async updateSpeakerName(
projectId: string,
speakerId: string,
name: string,
body: string,
options?: any
): Promise<
(axios?: AxiosInstance, basePath?: string) => AxiosPromise<string>
Expand All @@ -698,7 +712,7 @@ export const SpeakerApiFp = function (configuration?: Configuration) {
await localVarAxiosParamCreator.updateSpeakerName(
projectId,
speakerId,
name,
body,
options
);
return createRequestFunction(
Expand Down Expand Up @@ -754,17 +768,17 @@ export const SpeakerApiFactory = function (
/**
*
* @param {string} projectId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
createSpeaker(
projectId: string,
name: string,
body: string,
options?: any
): AxiosPromise<string> {
return localVarFp
.createSpeaker(projectId, name, options)
.createSpeaker(projectId, body, options)
.then((request) => request(axios, basePath));
},
/**
Expand Down Expand Up @@ -863,18 +877,18 @@ export const SpeakerApiFactory = function (
*
* @param {string} projectId
* @param {string} speakerId
* @param {string} name
* @param {string} body
* @param {*} [options] Override http request option.
* @throws {RequiredError}
*/
updateSpeakerName(
projectId: string,
speakerId: string,
name: string,
body: string,
options?: any
): AxiosPromise<string> {
return localVarFp
.updateSpeakerName(projectId, speakerId, name, options)
.updateSpeakerName(projectId, speakerId, body, options)
.then((request) => request(axios, basePath));
},
/**
Expand Down Expand Up @@ -916,7 +930,7 @@ export interface SpeakerApiCreateSpeakerRequest {
* @type {string}
* @memberof SpeakerApiCreateSpeaker
*/
readonly name: string;
readonly body: string;
}

/**
Expand Down Expand Up @@ -1056,7 +1070,7 @@ export interface SpeakerApiUpdateSpeakerNameRequest {
* @type {string}
* @memberof SpeakerApiUpdateSpeakerName
*/
readonly name: string;
readonly body: string;
}

/**
Expand Down Expand Up @@ -1108,7 +1122,7 @@ export class SpeakerApi extends BaseAPI {
return SpeakerApiFp(this.configuration)
.createSpeaker(
requestParameters.projectId,
requestParameters.name,
requestParameters.body,
options
)
.then((request) => request(this.axios, this.basePath));
Expand Down Expand Up @@ -1241,7 +1255,7 @@ export class SpeakerApi extends BaseAPI {
.updateSpeakerName(
requestParameters.projectId,
requestParameters.speakerId,
requestParameters.name,
requestParameters.body,
options
)
.then((request) => request(this.axios, this.basePath));