From 477e29aa82f9d8adf5e79119fb635e5481936719 Mon Sep 17 00:00:00 2001
From: akhandpratapsingh88
Date: Thu, 11 May 2023 19:20:27 +0530
Subject: [PATCH] Fix for below High vulnerabilities 1) Insecure Direct Object References (CWE-639) -Broken Access Control 2) Unauthorized Access to Admin Logs (CWE-200) - Security Misconfiguration
---
 src/AdminSite/Controllers/ApplicationLogController.cs | 2 ++
 src/CustomerSite/Controllers/HomeController.cs | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/src/AdminSite/Controllers/ApplicationLogController.cs b/src/AdminSite/Controllers/ApplicationLogController.cs
index e5813177..51696783 100644
--- a/src/AdminSite/Controllers/ApplicationLogController.cs
+++ b/src/AdminSite/Controllers/ApplicationLogController.cs
@@ -4,11 +4,13 @@
 using Marketplace.SaaS.Accelerator.DataAccess.Contracts;
 using Marketplace.SaaS.Accelerator.DataAccess.Entities;
 using Marketplace.SaaS.Accelerator.Services.Services;
+using Marketplace.SaaS.Accelerator.Services.Utilities;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 
 namespace Marketplace.SaaS.Accelerator.AdminSite.Controllers;
 
+[ServiceFilter(typeof(KnownUserAttribute))]
 public class ApplicationLogController : BaseController
 {
 private readonly ILogger logger;
diff --git a/src/CustomerSite/Controllers/HomeController.cs b/src/CustomerSite/Controllers/HomeController.cs
index dc788b32..4063d024 100644
--- a/src/CustomerSite/Controllers/HomeController.cs
+++ b/src/CustomerSite/Controllers/HomeController.cs
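Review bot: `[ServiceFilter(typeof(KnownUserAttribute))]` resolves the filter from the DI container, so `KnownUserAttribute` must be registered as a service (e.g. `services.AddScoped<KnownUserAttribute>()`) or every request to this controller will fail at runtime with an InvalidOperationException; the registration is not part of this patch, so confirm it already exists in the AdminSite startup. The filter presumably compares the signed-in user against a configured known-users list, which only makes sense if authentication is already enforced on BaseController or globally; if it is not, an `[Authorize]` attribute should accompany it so anonymous callers are challenged rather than evaluated against an empty identity. A one-line comment stating the intent would help the next maintainer, e.g. `// Admin log pages are restricted to configured known users; anyone else is rejected by KnownUserAttribute.` The class body continues past the hunk.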
@@ -404,6 +404,13 @@ public IActionResult SubscriptionLogDetail(Guid subscriptionId)
 {
 if (this.User.Identity.IsAuthenticated)
 {
+ // Validate subscription from same customer
+ var subscriptionDetail = this.subscriptionService.GetPartnerSubscription(this.CurrentUserEmailAddress, subscriptionId).FirstOrDefault();
+ if(subscriptionDetail == null)
+ {
+ return this.RedirectToAction(nameof(this.Index));
+ }
+
 List subscriptionAudit = new List();
 subscriptionAudit = this.subscriptionLogRepository.GetSubscriptionBySubscriptionId(subscriptionId).ToList();
 return this.PartialView(subscriptionAudit);
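Review bot: The new ownership check redirects to Index when the subscription does not belong to the caller, but this action returns a `PartialView`, so if it is requested via XHR the client will follow the redirect and receive the full Index page in place of the log fragment, and the rejected access attempt leaves no trace. Consider returning an explicit status instead, `return this.Forbid();` (or `this.NotFound()` if you prefer not to reveal that the id exists), and logging the subscriptionId and caller identity before returning so IDOR probing is visible in the audit trail. The comparison would also read better as `if (subscriptionDetail is null)`. The enclosing method and its unauthenticated branch continue outside the hunk.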