CGUC / skybunk-server

The back-end application for Conrad Grebel University College students to stay connected

Security patch #72

Closed scholvat closed 5 years ago

scholvat commented 5 years ago

Based on don info PR, should be merged after that. Fixes the following security vulnerabilities:

- Any user can delete any post or comment
- Any user can add or delete any channel
- No user can update a channel due to a typo
- Any user can change any other user's profile picture

picklechips commented 5 years ago

Looks like your PRs got a little jumbled, but the main points of this one look good I think. I'll try to test everything this weekend and hopefully we can start getting things shipped

scholvat commented 5 years ago

This PR looks like a mess because it is based on the don info PR and has all of those changes in it. To see what actually changed, just look at the most recent commit in this branch

On Wed, Dec 26, 2018 at 11:59 PM Ryan Martin notifications@github.com wrote:

Looks like your PRs got a little jumbled, but the main points of this one look good I think. I'll try to test everything this weekend and hopefully we can start getting things shipped


scholvat commented 5 years ago

Added another fix to prevent posts/comments from being created via POST requests that have an incorrect or missing authorization token.

scholvat commented 5 years ago

Rebased to latest master, so now the files changed actually make sense.

scholvat commented 5 years ago

This breaks liking posts, since liking a comment uses the update post API call. To make this actually secure, there will have to be another endpoint dedicated for adding users to the liked list on posts. Work in progress, since it will also need a corresponding client update.
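The rules this thread converges on (a valid token required to create a post, delete and generic update restricted to the author, and a dedicated like endpoint so liking no longer goes through the update-post call), as an added example in plain JavaScript that is not skybunk-server's own code; the in-memory store, the user shape `{ id, isAdmin }` and the `{ status, body }` return value are assumptions standing in for the app's real models and Express routes.

```javascript
// Added example (not skybunk-server code). The in-memory store, the user
// shape { id, isAdmin } and the { status, body } result are assumptions.
const posts = new Map(); // postId -> { id, author, content, likes: [] }
// `user` is the identity decoded from the request's authorization token,
// or null when the token is missing or invalid.
function requireAuth(user) {
  return user ? null : { status: 401, body: 'missing or invalid token' };
}
function createPost(user, id, content) {
  const denied = requireAuth(user);
  if (denied) return denied; // unauthenticated POSTs may not create posts
  const post = { id, author: user.id, content, likes: [] };
  posts.set(id, post);
  return { status: 201, body: post };
}
// Shared ownership check for the author-only operations (delete, update).
function loadOwnPost(user, id) {
  const denied = requireAuth(user);
  if (denied) return denied;
  const post = posts.get(id);
  if (!post) return { status: 404, body: 'post not found' };
  if (post.author !== user.id && !user.isAdmin) {
    return { status: 403, body: 'not the post author' };
  }
  return { status: 200, body: post };
}
function deletePost(user, id) {
  const res = loadOwnPost(user, id);
  if (res.status !== 200) return res;
  posts.delete(id);
  return { status: 204, body: null };
}
function updatePost(user, id, fields) {
  const res = loadOwnPost(user, id);
  if (res.status !== 200) return res;
  // Only whitelisted fields are editable; author and likes never are here.
  if (typeof fields.content === 'string') res.body.content = fields.content;
  return res;
}
// Dedicated like endpoint: any authenticated user may toggle only their
// own id in the liked list; no other field of the post is reachable.
function toggleLike(user, id) {
  const denied = requireAuth(user);
  if (denied) return denied;
  const post = posts.get(id);
  if (!post) return { status: 404, body: 'post not found' };
  const i = post.likes.indexOf(user.id);
  if (i === -1) post.likes.push(user.id); else post.likes.splice(i, 1);
  return { status: 200, body: post.likes.slice() };
}
```

Because `toggleLike` never touches `author` or `content`, the client update that the last comment mentions only needs to switch the like button from the update call to this endpoint.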