CHSCodeForChange / Sapphire-Web

The website/backend repository for Sapphire, a platform to help organizations manage volunteers.
https://sapphire-web.herokuapp.com
GNU General Public License v3.0

Anyone can edit any bio #33

Closed armaangoel78 closed 6 years ago

armaangoel78 commented 6 years ago

See title. This is a big problem and it brings into question other security flaws. We need to spend some quality time making sure that there are no holes in our system.

armaangoel78 commented 6 years ago

BTW, to edit another profile's bio you just change the id in the URL to their profile's id.

jpaav commented 6 years ago

The easiest fix for this is to compare the profile and the user in the template

{% if request.user == profile.user %}
  {# Code to show edit buttons #}
{% endif %}

PS: that's pseudocode; I'm not sure about the profile.user bit, that probably won't work.
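The template comparison above only decides whether the edit buttons are rendered; the request that actually saves the bio still arrives at the edit view with whatever profile id is in the URL, so the same ownership check has to run in the view before the write. The following is an added example, not code from the Sapphire-Web repository or from the comment above. It does not import Django: the `User`, `Profile` and `Request` classes are stand-ins for `request.user` and a `Profile` model with a `user` foreign key, and the `PROFILES` dictionary is a constructed in-memory stand-in for the database, so the logic runs on its own. Status codes are returned as plain integers in place of Django's `HttpResponse` classes.

```python
"""Server-side ownership check for profile bio edits (added example).

Django is not imported; the small classes below are assumed stand-ins for
request.user and a Profile model whose `user` field is the owner. In a real
Django view the same predicate would sit at the top of the edit view and
return HttpResponseForbidden (403) when it fails.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    id: int
    username: str


@dataclass
class Profile:
    id: int
    user: User          # owner; mirrors a Profile.user ForeignKey
    bio: str = ""


@dataclass
class Request:
    user: User          # mirrors request.user (the authenticated caller)


# Constructed sample data: the key is the profile id that appears in the URL.
PROFILES = {
    1: Profile(id=1, user=User(1, "alice"), bio="Volunteer coordinator"),
    2: Profile(id=2, user=User(2, "bob"), bio="Weekend volunteer"),
}


def can_edit(request_user: User, profile: Profile) -> bool:
    """Single authorization predicate shared by the view and the template.

    Compare primary keys rather than object identity so that the same user
    loaded twice still matches, and one user never matches another's row.
    """
    return request_user.id == profile.user.id


def edit_bio_view(request: Request, profile_id: int,
                  new_bio: str) -> Tuple[int, Optional[Profile]]:
    """Handle POST /profile/<profile_id>/edit (hypothetical route).

    Returns (http_status, profile). The check runs before any write, so a
    caller who swaps another profile's id into the URL gets 403 and the
    stored bio is untouched, regardless of what the template displayed.
    """
    profile = PROFILES.get(profile_id)
    if profile is None:
        return 404, None                     # Django: raise Http404
    if not can_edit(request.user, profile):
        return 403, None                     # Django: HttpResponseForbidden
    profile.bio = new_bio
    return 200, profile


def show_edit_button(request: Request, profile: Profile) -> bool:
    """What `{% if request.user == profile.user %}` decides in the template.

    This is a display choice only; it reuses the same predicate so the UI
    and the server never disagree about who may edit.
    """
    return can_edit(request.user, profile)


if __name__ == "__main__":
    alice = Request(user=User(1, "alice"))
    print(edit_bio_view(alice, 1, "Updated bio"))   # own profile
    print(edit_bio_view(alice, 2, "Hijacked"))      # someone else's id
    print(edit_bio_view(alice, 99, "Nobody"))       # unknown id
```

Keeping one `can_edit` predicate and calling it from both the view and the template keeps the hidden button and the server decision in step; if the template check is ever dropped or forgotten on a new page, the view still refuses the write.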