From 4e687a06ea02255f77f6b40c3b741f2293375614 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Sat, 29 Jun 2019 13:45:37 +0200
Subject: [PATCH 1/2] Patch cypher injection vulnerability

@mattwr18 this patches the vulnerability. However we should never do string interpolation with user input.
---
 backend/src/schema/resolvers/users.spec.js | 2 +-
 backend/src/schema/types/schema.gql | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/backend/src/schema/resolvers/users.spec.js b/backend/src/schema/resolvers/users.spec.js
index 352d38eaa..9df5473bf 100644
--- a/backend/src/schema/resolvers/users.spec.js
+++ b/backend/src/schema/resolvers/users.spec.js
@@ -143,7 +143,7 @@ describe('users', () => {
 let deleteUserVariables
 let asAuthor
 const deleteUserMutation = gql`
- mutation($id: ID!, $resource: [String]) {
+ mutation($id: ID!, $resource: [Deletable]) {
 DeleteUser(id: $id, resource: $resource) {
 id
 contributions {
diff --git a/backend/src/schema/types/schema.gql b/backend/src/schema/types/schema.gql
index 1ef83bac3..8b0f422c8 100644
--- a/backend/src/schema/types/schema.gql
+++ b/backend/src/schema/types/schema.gql
@@ -40,7 +40,7 @@ type Mutation {
 follow(id: ID!, type: FollowTypeEnum): Boolean!
 # Unfollow the given Type and ID
 unfollow(id: ID!, type: FollowTypeEnum): Boolean!
- DeleteUser(id: ID!, resource: [String]): User
+ DeleteUser(id: ID!, resource: [Deletable]): User
 }

 type Statistics {
@@ -92,6 +92,11 @@ type Report {
 user: User @relation(name: "REPORTED", direction: "OUT")
 }

+enum Deletable {
+ Post
+ Comment
+}
+
 enum ShoutTypeEnum {
 Post
 Organization
From 118e53fa022207410e7167686183ffbf42f6348e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?=
Date: Sat, 29 Jun 2019 19:21:20 +0200
Subject: [PATCH 2/2] Added a missing `Deletable`
---
 webapp/components/DeleteData/DeleteData.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
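Review bot: The spec only retypes the `$resource` variable and adds no regression test for the injection this patch closes, so a later change of the argument back to `[String]` in schema.gql would pass this suite unnoticed. A test that sends a value outside the enum, e.g. `resource: ['NotAnEnumValue']`, and asserts that the server answers with a GraphQL validation error and that the user's contributions are untouched would pin the fix. The enclosing `describe('users', …)` block starts and ends outside the hunk.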
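Review bot: `resource: [Deletable]` still admits a list that contains `null` items, because neither the list nor its elements are marked non-null, so if the resolver (not in this diff) derives a label from each item a `null` entry reaches that code. Declaring the argument as `DeleteUser(id: ID!, resource: [Deletable!]): User` rejects such items at validation time. The variable declarations in users.spec.js and DeleteData.vue would then have to change to `[Deletable!]` too, since a nullable variable cannot be supplied to a non-null argument position.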
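Review bot: The new `Deletable` enum carries no comment explaining that it is a security control, although the commit message states the old `[String]` argument was interpolated into a Cypher query. An SDL comment in the style of the file's `# Unfollow the given Type and ID` line would keep the next maintainer from widening it back to a string: `# Allowlist of node labels a user may delete along with their account. Keep this an enum: the resolver interpolates the value into Cypher, and GraphQL enum names are limited to identifier characters.` As the author notes, the interpolation in the resolver remains the root cause and is worth parameterising in a follow-up.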
diff --git a/webapp/components/DeleteData/DeleteData.vue b/webapp/components/DeleteData/DeleteData.vue
index 14b6bc9c3..293e65221 100644
--- a/webapp/components/DeleteData/DeleteData.vue
+++ b/webapp/components/DeleteData/DeleteData.vue
@@ -111,7 +111,7 @@ export default {
 this.$apollo
 .mutate({
 mutation: gql`
- mutation($id: ID!, $resource: [String]) {
+ mutation($id: ID!, $resource: [Deletable]) {
 DeleteUser(id: $id, resource: $resource) {
 id
 }