Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Attendance & Vote POST/PUT Invalid User #386

Open
okyksl opened this issue Dec 20, 2018 · 3 comments
Open

Attendance & Vote POST/PUT Invalid User #386

okyksl opened this issue Dec 20, 2018 · 3 comments
Labels
Priority: Critical Type: Bug Type: Question
Milestone
Milestone #15 - P...

Comments

@okyksl
Copy link
Contributor

okyksl commented Dec 20, 2018
edited
Loading

Not tested, just observation from code review.

It seems to me that an external agent can put whatever user he/she desired to the req.body and get away with changing others' attendance and votes.

This possible entry of wrong user/creator is possible also in comment data model and might be applicable for other data models also. One needs to receive such fields directly from req.body.
@byklyci
Copy link
Contributor

byklyci commented Dec 21, 2018

For Attendance the Put is not properly work but in my observation from postman the Post is working.

@okyksl
Copy link
Contributor Author

okyksl commented Dec 21, 2018

Can you share us the exact input/output combinations? Can someone post attendance information for someone else?

@kemaltulum
Copy link
Contributor

Vote does not affect even though I got "voted successfully" message from backend

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Priority: Critical Type: Bug Type: Question
Projects
None yet
Milestone
Milestone #15 - Production Ready
Development

No branches or pull requests
3 participants
@kemaltulum @okyksl @byklyci