looking over dhbox.py, I noticed that kill_dhbox doesn't have any sort of authorization check on who can POST to that endpoint. This strikes me as a security risk (or at least a grief risk).
It's possible to send a POST request that will delete any user account and their DHBox from a totally unauthorized session. For example: curl -X POST -d "user=victim&next=/" http://dhboxhost/kill_dhbox will kill the user 'victim'.
kill_dhbox should check if the current user has the admin role before it deletes any user who isn't the current user.
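An added example (not the DH Box project's own code) of the check the issue asks for, written as a framework-independent handler so it runs stand-alone: the User/session objects, the "admin" role name and the accounts dict are assumptions standing in for the app's real user store and container teardown.

```python
# Added illustration, not dhbox.py: enforce "self or admin" before kill_dhbox deletes anything.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # assumed role model; "admin" is the assumed role name


def may_kill(current: Optional[User], target: str) -> bool:
    """A user may delete their own DHBox; only an admin may delete another user's."""
    if current is None:
        return False                      # anonymous session: never allowed
    if current.name == target:
        return True                       # self-service deletion of one's own account
    return "admin" in current.roles       # deleting someone else requires the admin role


def kill_dhbox(current: Optional[User], form: dict, accounts: dict) -> Tuple[int, str]:
    """Hypothetical replacement for the POST handler.

    Returns (status, body) instead of a framework response; `accounts`
    stands in for the user store plus the container that would be torn down.
    """
    target = form.get("user", "")
    if current is None:
        return 401, "login required"      # the unauthenticated case from the issue
    if not may_kill(current, target):
        return 403, "forbidden"           # worth logging: this is the griefing attempt described
    if target not in accounts:
        return 404, "no such user"
    del accounts[target]                  # only reached by the owner or an admin
    return 302, form.get("next", "/")
```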