To prevent unauthorized access to files:
defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # Vulnerable example, kept as written on the page: the row is selected purely by
  # the caller-supplied "id" and nothing checks that the caller may act on that
  # user, so any caller that reaches this action can update another user's data
  # and receive that user's Sharepoint path (an insecure direct object reference).
  def update(conn, params) do
    updated =
      User
      |> MyApp.Repo.get!(params["id"])
      |> User.changeset(params)
      |> MyApp.Repo.update!()

    # Same response text as the original: "File updated at /sharepoint/files/<id>/"
    send_resp(conn, 200, "File updated at /sharepoint/files/#{updated.id}/")
  end
end
The Elixir code allows a user to update their data and obtain a specific path in the Sharepoint. However, it never verifies that the requester is allowed to act on the user identified by `params["id"]`, which could lead to unauthorized access to files.
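defmodule MyApp.UserController do
  use MyApp.Web, :controller

  # Updates the user identified by params["id"], but only when the authenticated
  # user is that same user.
  #
  # The ownership check must run BEFORE Repo.update!/1: if the update is performed
  # first and the check only gates the response, an unauthorized caller can still
  # modify another user's row and merely be denied the success message.
  #
  # `conn.assigns[:current_user]` (bracket access) yields nil when no user is
  # assigned, so an unauthenticated request gets a 403 instead of a KeyError.
  # Repo.get!/2 raises for an unknown id (Ecto.NoResultsError), which is left to
  # the framework's error handling, as in the original.
  #
  # NOTE(review): assumes User.changeset/2 casts only an explicit allowlist of
  # fields so that `params` cannot reassign "id" or other protected columns — confirm.
  def update(conn, params) do
    current_user = conn.assigns[:current_user]
    user = MyApp.Repo.get!(User, params["id"])

    if current_user && current_user.id == user.id do
      user = MyApp.Repo.update!(User.changeset(user, params))
      path = "/sharepoint/files/#{user.id}/"
      send_resp(conn, 200, "File updated at #{path}")
    else
      send_resp(conn, 403, "Unauthorized")
    end
  end
end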
The secure Elixir code checks that the request is authenticated and that the authenticated user is the same user whose data is being updated before returning the specific path in the Sharepoint.