
Secure the api endpoints #151

Open
atulya2109 opened this issue Apr 3, 2021 · 4 comments
Assignees
Labels
bug Something isn't working security

Comments

@atulya2109
Contributor

Describe the bug
This is an umbrella issue for all the issues that could be related to securing endpoints. For example, when creating a test the class id is passed in the POST request but it isn't verified on the back end whether the user is the admin of the class or not. Therefore, anyone can create tests in any class. Similarly, in the delete test endpoint as well, it should be checked whether the user has delete privileges or not.

To Reproduce
Steps to reproduce the behavior:

  1. Open the network tab on chrome or firefox before creating a test to log the POST request sent to the server.
  2. Import this request in Postman.
  3. Change the class field in the body of the request.
  4. Returns a 200 status code and creates an entry in the database.

Expected behavior
Test creation should fail instead of creating it in another class.

Desktop (please complete the following information):

  • OS: Any
  • Browser: Any
  • Version: Any

Additional context
There are many other security issues in other endpoints as well.

@VenomFate-619

Yes, we should create middlewares to check whether the user is the creator of that class
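
The missing check described in the issue above, and the middleware proposed in the reply, as an added example that is not the project's own code: a create handler that trusts the client-supplied class id beside a hardened one guarded by an Express-style authorization middleware, plus a delete handler that derives the class from the stored test rather than from the request. The data model (a class with an `adminId`, tests tied to a `classId`), the in-memory store, and the `req`/`res` stubs are constructed assumptions so the block runs without a framework or database.

```javascript
// Added example, not the project's code. Data model, store and the
// req/res stubs are constructed assumptions for illustration.

// Constructed in-memory store standing in for the database.
const db = {
  classes: new Map([
    [1, { id: 1, adminId: 'alice' }],
    [2, { id: 2, adminId: 'bob' }],
  ]),
  tests: new Map(),
  nextTestId: 1,
};

// Minimal req/res shapes so the handlers run without Express.
function makeReq(userId, body = {}, params = {}) {
  return { user: { id: userId }, body, params };
}
function makeRes() {
  const res = { statusCode: 200, payload: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.payload = obj; return res; };
  return res;
}

// VULNERABLE (the bug in this issue): the class id comes from the request
// body and nobody checks that the authenticated user administers it.
function createTestVulnerable(req, res) {
  const classId = Number(req.body.class);
  const id = db.nextTestId++;
  db.tests.set(id, { id, classId, title: req.body.title });
  return res.status(200).json({ id });
}

// Authorization middleware with the Express (req, res, next) signature.
// getClassId tells it where the class id lives for a given route.
// A missing class and a wrong user get the same 403, so the endpoint does
// not reveal which class ids exist.
function requireClassAdmin(getClassId) {
  return (req, res, next) => {
    const cls = db.classes.get(Number(getClassId(req)));
    if (!req.user || !cls || cls.adminId !== req.user.id) {
      return res.status(403).json({ error: 'forbidden' });
    }
    req.classRecord = cls; // handler uses the verified record, not req.body
    return next();
  };
}

// Hardened create handler: only reachable once requireClassAdmin passed.
function createTestSecure(req, res) {
  const id = db.nextTestId++;
  db.tests.set(id, { id, classId: req.classRecord.id, title: req.body.title });
  return res.status(201).json({ id });
}

// Delete: look the test up, then authorize against the class it belongs
// to. The client never gets to name the class here.
function deleteTest(req, res) {
  const test = db.tests.get(Number(req.params.id));
  if (!test) return res.status(404).json({ error: 'not found' });
  const cls = db.classes.get(test.classId);
  if (!req.user || !cls || cls.adminId !== req.user.id) {
    return res.status(403).json({ error: 'forbidden' });
  }
  db.tests.delete(test.id);
  return res.status(204).json(null);
}

// Runs a middleware chain the way a router would, so a route can be
// exercised as a whole.
function runRoute(middlewares, handler, req) {
  const res = makeRes();
  let i = 0;
  const next = () =>
    i < middlewares.length ? middlewares[i++](req, res, next) : handler(req, res);
  next();
  return res;
}

const createTestRoute = (req) =>
  runRoute([requireClassAdmin((r) => r.body.class)], createTestSecure, req);
const deleteTestRoute = (req) => runRoute([], deleteTest, req);

// Same cross-class request against both versions: bob targets alice's class.
const crossClass = makeReq('bob', { class: 1, title: 'cross-class test' });
console.log('vulnerable:', createTestVulnerable(crossClass, makeRes()).statusCode); // 200
console.log('hardened:', createTestRoute(crossClass).statusCode);                   // 403
```

The design point is that the handler never reads the class id back out of the body once authorization has run; it uses the record the middleware already verified, which prevents the two from drifting apart. For delete, the object being acted on (the test) is the anchor for the check, so the same middleware can be reused with a different `getClassId` that resolves the test first.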

@aavishkarmishra aavishkarmishra added gssoc21 Level2 Bug Fixing, adding small features labels Apr 4, 2021
@aavishkarmishra
Member

@atulya2109 are you willing to work on this issue?

@atulya2109
Contributor Author

@aavishkarmishra Yeah, sure.

@aavishkarmishra aavishkarmishra linked a pull request Apr 6, 2021 that will close this issue
5 tasks
@iamabhi222 iamabhi222 removed a link to a pull request Apr 7, 2021
5 tasks
@atulya2109
Contributor Author

@aavishkarmishra The pull request was merged but my points weren't updated. Please look into it

@aavishkarmishra aavishkarmishra added good first issue Good for newcomers Level0 Minor Documentation Level1 Major Documentation Level3 New features, major bug fixing bug Something isn't working security and removed gssoc21 Level0 Minor Documentation Level1 Major Documentation Level2 Bug Fixing, adding small features Level3 New features, major bug fixing good first issue Good for newcomers labels Jun 6, 2021

3 participants