#191 I am able to edit another person's hub without being logged in
Opened 7 years ago by skrzepto. Modified 7 years ago

I was writing unit tests for this in the logged-in and then the logged-out state and noticed I can edit someone else's hub without being logged in.

For example

  1. Not logged in, I access http://127.0.0.1:5000/ralph/
  2. Go to http://127.0.0.1:5000/ralph/edit. I was able to get into this on some occasions, but now it throws 400 errors.
  3. At http://127.0.0.1:5000/ralph/add I'm able to edit this hub and do as I please, and I'm not logged in.

I think we need to

  1. Require login for that route
  2. Make sure the owner of that hub is the only one editing it

While hubs do have authentication, the entire authorization layer is currently missing indeed :)

Okay, would the end behavior return an HTTP status of 403? I'd like to write the tests for this route.

Since the code isn't written, it's hard to say, but 403 seems reasonable in this context, so let's go with it and adjust later if we need :)
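The two rules the reporter proposes (require login, and let only the owner edit) with the 403 agreed on in the reply above, as an added example that is not the hubs project's own code. It is stdlib-only so the decision can be unit-tested without starting the app; `Hub`, `HUBS`, `may_edit_hub`, `hub_owner_required` and `add_widget` are hypothetical names standing in for the real models and the `/<hub>/add` handler, and the sample hubs are constructed data.

```python
"""Hypothetical authorization layer for the hub edit/add routes.

Added example, not code from the hubs project. It encodes the two rules from
the ticket (the route requires a logged-in user; only the hub's owner may
edit) and answers 403 in both failure cases, as agreed in the thread. The
decorator shape mirrors what a Flask view decorator would look like, but no
framework is needed to run or test it.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional, Tuple

OK, FORBIDDEN, NOT_FOUND = 200, 403, 404

Response = Tuple[int, str]  # (HTTP status, body), stand-in for a real response


@dataclass(frozen=True)
class Hub:
    name: str
    owner: str  # username of the hub owner (assumed field name)


# Constructed sample data standing in for the hubs database.
HUBS = {
    "ralph": Hub(name="ralph", owner="ralph"),
    "skrzepto": Hub(name="skrzepto", owner="skrzepto"),
}


def may_edit_hub(hub: Hub, current_user: Optional[str]) -> bool:
    """Pure authorization decision: the caller is logged in AND owns this hub."""
    return current_user is not None and hub.owner == current_user


def hub_owner_required(view: Callable[..., Response]) -> Callable[..., Response]:
    """Enforce login and ownership before calling view(hub, current_user, ...).

    Order matters: anonymous requests are refused before the hub lookup, so
    nothing is read from the database on behalf of an unauthenticated client.
    """

    @wraps(view)
    def wrapper(hub_name: str, current_user: Optional[str], *args, **kwargs) -> Response:
        if current_user is None:
            return FORBIDDEN, "login required"
        hub = HUBS.get(hub_name)
        if hub is None:
            return NOT_FOUND, "no such hub"
        if not may_edit_hub(hub, current_user):
            return FORBIDDEN, "not the owner of this hub"
        return view(hub, current_user, *args, **kwargs)

    return wrapper


@hub_owner_required
def add_widget(hub: Hub, current_user: str, widget: str) -> Response:
    """Stand-in for the /<hub>/add handler (hypothetical name)."""
    return OK, f"added {widget} to {hub.name} as {current_user}"


if __name__ == "__main__":
    # Anonymous, a different logged-in user, and the owner, against ralph's hub.
    for user in (None, "skrzepto", "ralph"):
        print(repr(user), add_widget("ralph", user, "calendar"))
    print("unknown hub", add_widget("nobody", "ralph", "calendar"))
```

In a real Flask view the decorator would read the user from the session and the hub name from the URL rule instead of taking them as arguments; keeping the decision in `may_edit_hub` means the tests the reporter wants can exercise the rule directly and only need one end-to-end check per status code. Answering 403 to anonymous requests follows the thread; redirecting them to the login page is the other common choice and can be swapped in without touching the ownership rule.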
