Open GriffinSauce opened 9 years ago
It seems that a group is accessible to anyone that knows the URL and is logged in. It doesn't matter if you are a member of the group.
Some interesting reads: https://github.com/jfromaniello/passport.socketio https://auth0.com/blog/2014/01/15/auth-with-socket-io/
That's regarding pure socket auth, whether the user (we think) we're speaking with is actually that user. After that we have permissions.
Since the user is always refreshed from the DB in passport I think we should store their permissions in the user model:
permissions: {
  "groupid": {
    basic: true, // Read group and set availability
    plan: true, // Plan/unplan dates (and send mail regarding them)
    admin: false // Change group info and settings
  }
}
When a user loses access to a group or a specific permission we can simply update that on the user. The next time a user tries a forbidden action the data is refreshed and access denied.
It would also be friendly when we have two-way communication to update the UI when permissions are gained or lost. (perhaps simply force a page refresh)
We also need to add SSL support. For the time being we can maybe apply for a free certificate at: https://www.globalsign.com/en/ssl/ssl-open-source/
Let's Encrypt sounds even better for this: https://letsencrypt.org/
At some point, probably after #11, we'll need to do a complete once-over with security in mind.
Things like validating input, preventing XSS, preventing misuse of the API etc.
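The per-user, per-group permission model proposed above can be enforced with a deny-by-default check on every group action, as in this added example (it is not code from the project or from the issue author). The user document shape, the action names `basic`/`plan`/`admin`, and the Express-style `req.user` / `req.params.groupId` wiring are assumptions; the sample user is constructed.

```javascript
// Added example: deny-by-default permission check for the user model sketched
// in the issue. Action names and the user document shape are assumptions.
const ACTIONS = new Set(['basic', 'plan', 'admin']);

// Constructed sample user in the proposed shape (not real data).
const sampleUser = {
  _id: 'user-1',
  permissions: {
    'group-a': { basic: true, plan: true, admin: false },
    'group-b': { basic: true, plan: false, admin: false },
  },
};

// Returns true only for an explicit `true` on a known action of a group the
// user actually has an entry for. Unknown groups, unknown actions, a missing
// permissions object, or inherited properties all yield false, so merely
// knowing a group URL grants nothing.
function hasPermission(user, groupId, action) {
  if (!user || typeof user !== 'object') return false;
  if (!ACTIONS.has(action)) return false;
  const perms = user.permissions;
  if (!perms || typeof perms !== 'object') return false;
  if (!Object.prototype.hasOwnProperty.call(perms, groupId)) return false;
  const groupPerms = perms[groupId];
  if (!groupPerms || typeof groupPerms !== 'object') return false;
  return groupPerms[action] === true;
}

// Express-style middleware factory (assumed: passport has populated req.user,
// the route exposes req.params.groupId). 401 when not logged in, 403 when the
// user is logged in but lacks the permission; the handler runs only on success.
function requireGroupPermission(action) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).end();
    if (!hasPermission(req.user, req.params.groupId, action)) {
      return res.status(403).end();
    }
    return next();
  };
}

// Offline simulation of one request through the middleware, returning the
// resulting status so the decision can be inspected without a server.
function simulateRequest(user, groupId, action) {
  let status = null;
  let reachedHandler = false;
  const req = { user, params: { groupId } };
  const res = {
    status(code) { status = code; return this; },
    end() { return this; },
  };
  requireGroupPermission(action)(req, res, () => {
    reachedHandler = true;
    status = 200;
  });
  return { status, reachedHandler };
}
```

Because the check reads the permissions object on the user that passport refreshes from the database, revoking a group or a single permission on the user record takes effect on that user's next request, which is the behaviour the proposal describes.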