
Potential security issue in positive routes #3

Open
arvindsankariitm opened this issue Apr 19, 2023 · 1 comment
@arvindsankariitm
Contributor

The mark_duplicate route (and a few others) in our Flask application allows any user to mark any ticket as a duplicate when only the user who created the ticket should be able to mark it as such. This poses a security vulnerability as it could potentially allow users to mark tickets created by other users as solved.

We need to update this route to ensure that only the user who created the ticket can mark it as a duplicate. We should also consider implementing additional security measures such as input validation to prevent any malicious input from users.

@arvindsankariitm arvindsankariitm self-assigned this Apr 19, 2023
@cdxpb
Contributor

cdxpb commented Apr 19, 2023

Yes, please implement that. I've also changed some of the routes to no longer accept user_id from the API requests but use the authentication to get the user_id of the current user. This particular issue should be resolved by checking if current_user.id == ticket.user_id.
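An added illustration of the fix discussed in this thread (not code from the project): the "before" handler trusts a `user_id` supplied in the request body, while the "after" handler takes identity from the authenticated `current_user`, checks `current_user.id == ticket.user_id`, and validates the ids before touching the ticket. `User`, `Ticket` and the in-memory `TICKETS` store are constructed stand-ins for the app's models, and the handlers return `(status, body)` tuples instead of Flask responses so the logic runs without the framework.

```python
# Added example for this issue; not the project's own code. User, Ticket and TICKETS are
# constructed stand-ins for the app's models; handlers return (status, body) tuples.
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int


@dataclass
class Ticket:
    id: int
    user_id: int                      # creator of the ticket
    duplicate_of: Optional[int] = None


# Constructed sample data: user 1 owns ticket 10, user 2 owns ticket 20.
TICKETS = {10: Ticket(10, user_id=1), 20: Ticket(20, user_id=2)}


def _is_int(value):
    """True for a real integer (bool is a subclass of int and is rejected)."""
    return isinstance(value, int) and not isinstance(value, bool)


def mark_duplicate_vulnerable(payload, tickets=TICKETS):
    """Before: ownership is compared against user_id taken from the request body,
    so any caller can pass the creator's id and act on someone else's ticket."""
    ticket = tickets.get(payload.get("ticket_id"))
    if ticket is None:
        return 404, {"error": "not found"}
    if ticket.user_id != payload.get("user_id"):   # caller-controlled comparison
        return 403, {"error": "forbidden"}
    ticket.duplicate_of = payload.get("duplicate_of")
    return 200, {"ok": True}


def mark_duplicate_secure(current_user, ticket_id, payload, tickets=TICKETS):
    """After: identity comes from the session (current_user), never from the
    request, and the route verifies the caller created the ticket."""
    target = payload.get("duplicate_of")
    if not _is_int(ticket_id) or not _is_int(target):
        return 400, {"error": "invalid input"}     # validate ids before any lookup
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return 404, {"error": "not found"}
    if current_user.id != ticket.user_id:          # the check proposed above
        return 403, {"error": "forbidden"}
    if target == ticket_id or target not in tickets:
        return 400, {"error": "invalid duplicate target"}
    ticket.duplicate_of = target
    return 200, {"ok": True}
```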
