Users can get all items by abusing the create poll API

HE-Arc / 1d6

Allows indecisive groups of people to find what they want to do.

https://1d6.srvz-webapp.he-arc.ch/

4 stars 0 forks source link

Users can get all items by abusing the create poll API #113

Open Blatoy opened 4 years ago

Blatoy commented 4 years ago

When creating a poll, items are given as id. This allows anyone to pass all the ids to see what they are.

This could be fixed by doing that when creating a poll:

If the item belongs to a group: check that the user is in the group
If not, check that the item id has not been used in any previous poll

This is one of the first thing to fix if we had more time for the project (or if the project is used seriously)

Blatoy commented 4 years ago

Note that this should also fix being able to create a poll without items (if given item doesn't have a valid id, it will silently fail to attach thus creating a poll without items)