SPIKE: Permissions Audit #6674

Open
brent-hoover opened this issue Nov 29, 2022 · 1 comment
@brent-hoover (Collaborator)

Audit all existing queries and mutations to verify that we are doing a permissions check.

@sujithvn sujithvn self-assigned this Dec 7, 2022
@sujithvn (Contributor)

I have gone through the resolvers, queries & mutations and identified the ones which are not calling validatePermissions. The entries are listed in the markdown table below. The reason for skipping each entry is also noted in the table. The fix for the 2 entries from Surcharge that required one has been implemented via ticket #6634 (PR #6716).

| Mutation/Query not using validatePermissions | Public access required | Plan/action | Reason for action |
| --- | --- | --- | --- |
| packages/api-plugin-accounts/src/mutations/addAccountToGroupBySlug.js | | skip | internal function, not public |
| packages/api-plugin-accounts/src/mutations/createAuthGroupsForShop.js | | skip | internal function, not public |
| packages/api-plugin-accounts/src/mutations/sendResetAccountPasswordEmail.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-accounts/src/queries/group.js | | skip | using userHasPermission directly |
| packages/api-plugin-accounts/src/queries/groupsByAccount.js | | skip | using userHasPermission directly |
| packages/api-plugin-address-validation/src/queries/addressValidation.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-address-validation/src/queries/addressValidationServices.js | | to be verified | comment: `// No permissions check necessary` |
| packages/api-plugin-carts/src/mutations/addCartItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/convertAnonymousCartToNewAccountCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/createCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/reconcileCarts.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/reconcileCartsKeepAccountCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/reconcileCartsKeepAnonymousCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/reconcileCartsMerge.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/removeCartItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/removeMissingItemsFromCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/saveCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/saveManyCarts.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/setEmailOnAnonymousCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/setShippingAddressOnCart.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/mutations/transformAndValidateCart.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/mutations/updateCartItemsQuantity.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/queries/anonymousCartByCartId.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-carts/src/queries/getCommonOrderForCartGroup.js | | skip | internal function, not public |
| packages/api-plugin-carts/src/resolvers/Cart/checkout.js | | verified | only data reformat |
| packages/api-plugin-carts/src/resolvers/Cart/items.js | | verified | only data reformat |
| packages/api-plugin-carts/src/resolvers/Cart/totalItemQuantity.js | | verified | only data reformat |
| packages/api-plugin-carts/src/resolvers/CartItem/productTags.js | | verified | calling queries.tagsByIds (NO validatePermissions), but tags are expected to be in the public domain |
| packages/api-plugin-catalogs/src/mutations/applyCustomPublisherTransforms.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/mutations/hashProduct.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/mutations/partialProductPublish.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/queries/catalogItemProduct.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-catalogs/src/queries/catalogItems.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-catalogs/src/queries/catalogItemsAggregate.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/queries/findCatalogProductsAndVariants.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/queries/findProductAndVariant.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/queries/findVariantInCatalogProduct.js | | skip | internal function, not public |
| packages/api-plugin-catalogs/src/queries/vendors.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-discounts/src/queries/getDiscountsTotalForCart.js | | skip | internal function, not public |
| packages/api-plugin-email/src/mutations/sendEmail.js | | skip | internal function, not public |
| packages/api-plugin-email-templates/src/mutations/renderEmail.js | | skip | internal function, not public |
| packages/api-plugin-inventory/src/queries/inventoryForProductConfiguration.js | | skip | internal function, not public |
| packages/api-plugin-inventory/src/queries/inventoryForProductConfigurations.js | | skip | internal function, not public |
| packages/api-plugin-inventory-simple/src/mutations/updateSimpleInventoryBulk.js | | skip | internal function, not public |
| packages/api-plugin-navigation/src/queries/navigationTreeById.js | | skip | using userHasPermission directly |
| packages/api-plugin-notifications/src/mutations/createNotification.js | | skip | internal function, not public |
| packages/api-plugin-orders/src/mutations/placeOrder.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-orders/src/mutations/sendOrderEmail.js | | skip | internal function, not public |
| packages/api-plugin-orders/src/queries/orderById.js | | skip | calls getOrderQuery, which does validatePermissions |
| packages/api-plugin-orders/src/queries/orderByReferenceId.js | | skip | calls getOrderQuery, which does validatePermissions |
| packages/api-plugin-orders/src/queries/refunds.js | | skip | calls getOrderQuery, which does validatePermissions |
| packages/api-plugin-orders/src/queries/refundsByPaymentId.js | | skip | calls getOrderQuery, which does validatePermissions |
| packages/api-plugin-payments/src/queries/availablePaymentMethods.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-payments/src/queries/getPaymentMethodConfigByName.js | | skip | internal function, not public |
| packages/api-plugin-payments-stripe-sca/src/mutations/createStripePaymentIntent.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-pricing-simple/src/queries/getVariantPrice.js | | skip | internal function, not public |
| packages/api-plugin-pricing-simple/src/resolvers (entries pointing to the util folder) | | verified | All are xform functions which accept raw inputs and transform them, e.g. by adding currency info |
| packages/api-plugin-settings/src/mutations/updateAppSettings.js [using userHasPermission directly] | | skip | using userHasPermission directly |
| packages/api-plugin-settings/src/queries/appSettings.js | | decided to skip | This is not based on roles/permissions, but on individual permission objects. Refer to shopSettingsConfig in reaction/packages/api-plugin-shipments-flat-rate/src/index.js |
| packages/api-plugin-shipments/src/mutations/selectFulfillmentOptionForGroup.js | | skip | deprecated plugin |
| packages/api-plugin-shipments/src/mutations/updateFulfillmentOptionsForGroup.js | | skip | deprecated plugin |
| packages/api-plugin-shipments/src/queries/getFulfillmentMethodsWithQuotes.js | | skip | internal function, not public |
| packages/api-plugin-sitemap-generator/src/queries/sitemap.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-surcharges/src/queries/surchargeById.js | | Fix pushed | raised PR #6716 |
| packages/api-plugin-surcharges/src/queries/surcharges.js | | Fix pushed | raised PR #6716 |
| packages/api-plugin-tags/src/queries/tag.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-tags/src/queries/tags.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-tags/src/queries/tagsByIds.js | Yes | skip | to be accessed by anonymous users from the storefront |
| packages/api-plugin-taxes/src/mutations/getFulfillmentGroupTaxes.js | | skip | internal function, not public |
| packages/api-plugin-taxes/src/mutations/setTaxesOnOrderFulfillmentGroup.js | | skip | internal function, not public |
| packages/api-plugin-navigation/src/resolvers/NavigationTree/index.js | | decided to skip | calling xformNavigationTreeItem, which queries the DB without validation. These transform functions take a raw value and transform it into a specific format; the DB query only fetches the details used for that transformation. Ex: xformSurchargeAmount takes node.amount, gets the currency from the Shop collection and returns an object with currency & value |
| packages/api-plugin-surcharges/src/resolvers/Surcharge/index.js | | decided to skip | calling xformSurchargeAmount, which queries the DB without validation. These transform functions take a raw value and transform it into a specific format; the DB query only fetches the details used for that transformation. Ex: xformSurchargeAmount takes node.amount, gets the currency from the Shop collection and returns an object with currency & value |
| packages/api-plugin-surcharges/src/resolvers/AppliedSurcharge/index.js | | decided to skip | calling xformSurchargeAmount, which queries the DB without validation. These transform functions take a raw value and transform it into a specific format; the DB query only fetches the details used for that transformation. Ex: xformSurchargeAmount takes node.amount, gets the currency from the Shop collection and returns an object with currency & value |
