GriffinSauce / Grouplanner

Easy regular planning with groups

Check security #54

Open GriffinSauce opened 10 years ago

GriffinSauce commented 10 years ago

At some point, probably after #11 we'll need to do a complete once over with security in mind.

Things like validating input, preventing XSS, preventing misuse of the API etc.

HalleyInteractive commented 9 years ago

It seems that a group is accessible to anyone that knows the URL and is logged in. It doesn't matter if you are a member of the group.

GriffinSauce commented 9 years ago

Some interesting reads: https://github.com/jfromaniello/passport.socketio https://auth0.com/blog/2014/01/15/auth-with-socket-io/

That's regarding pure socket auth, whether the user (we think) we're speaking with is actually that user. After that we have permissions.

Since the user is always refreshed from the DB in passport I think we should store their permissions in the user model:

permissions: {
    "groupid": {          // keyed by group id, one entry per group the user can access
        basic: true,      // Read group and set availability
        plan: true,       // Plan/unplan dates (and send mail regarding them)
        admin: false      // Change group info and settings
    }
}

When a user loses access to a group or a specific permission we can simply update that on the user. The next time a user tries a forbidden action the data is refreshed and access denied.

It would also be friendly when we have two-way communication to update the UI when permissions are gained or lost. (perhaps simply force a page refresh)
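As an added example (not code from the Grouplanner repo or from either commenter), here is how the per-group permissions map sketched above can be enforced on both a normal HTTP route and a socket event, failing closed for unknown groups so that knowing the URL alone is no longer enough. It assumes passport has already loaded `req.user` (or `socket.request.user`) from the DB, and that routes carry the group id in `req.params.groupId`; both are assumptions.

```javascript
// Permission check in the shape GriffinSauce sketches above (added example,
// not project code). Assumes req.user / socket.request.user is populated by
// passport on every request and routes expose the group id as req.params.groupId.

const ACTIONS = new Set(['basic', 'plan', 'admin']);

// Pure check: true only when the user has an explicit `true` for this action
// on this group. Missing permission maps, unknown groups and unknown actions
// all fail closed, which closes the "anyone logged in who knows the URL" hole.
function hasPermission(user, groupId, action) {
  if (!user || !user.permissions || !ACTIONS.has(action)) return false;
  // hasOwnProperty guards against inherited keys such as "__proto__".
  if (!Object.prototype.hasOwnProperty.call(user.permissions, groupId)) return false;
  const perms = user.permissions[groupId];
  return Boolean(perms && perms[action] === true);
}

// Express-style middleware factory: requirePermission('plan') guards a route.
// 401 when there is no authenticated user, 403 when the user lacks the action.
function requirePermission(action) {
  return function (req, res, next) {
    if (!req.user) {
      return res.status(401).json({ error: 'not authenticated' });
    }
    if (!hasPermission(req.user, req.params.groupId, action)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    return next();
  };
}

// Same rule for a socket.io handler, where there is no res object: returns an
// error string the handler can emit back to the client, or null when allowed.
function socketPermissionError(socket, groupId, action) {
  const user = socket.request && socket.request.user; // set by passport.socketio
  if (!user) return 'not authenticated';
  if (!hasPermission(user, groupId, action)) return 'forbidden';
  return null;
}
```

Because the user record is re-read from the DB on each request, revoking a permission in the stored map takes effect on the user's next attempt, as the comment above describes.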

HalleyInteractive commented 9 years ago

We also need to add SSL support. For the time being we can maybe apply for a free certificate at: https://www.globalsign.com/en/ssl/ssl-open-source/

HalleyInteractive commented 9 years ago

Let's Encrypt sounds even better for this: https://letsencrypt.org/