Closed zhanghan177 closed 7 years ago
I agree
Yeah I was looking at the db_cafe thing too and there's no protection there either - meaning anyone can come along and remove the last scanned item, reset the money, or change which items exist
Looking at some Django docs, we could use the login_required decorator to start with, and then maybe move on to modifying functions in the respective views.py files to only give write access to admin users/Officers
We're already authenticating partially in our templates with request.user.is_superuser, looks like we just need to expand the scope of that to the actual views too.
Made a pull request, check it out!
That's horrible! For example, even if I am a pure electee, I can still access http://127.0.0.1:8000/electee_turn_ins/ and (potentially) modify my turn_ins. This vuln might be common in many different routes as well.
What do you think?
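Added example (not code from this project or from any commenter): the pattern the thread is converging on, a `login_required`-style gate on every view plus an officer/superuser check on anything that writes, shown beside a view with no check at all. To keep it runnable offline without Django installed, the `Request`, `User` and `Response` objects and the two decorators below are small stand-ins written for this example; they mirror the shape of Django's `login_required` and `user_passes_test` but are not Django's code. The `Officers` group name, the `is_officer` test, the `TURN_INS` and `CAFE` state and the view names are all assumptions made up for illustration.

```python
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    """Stand-in for the Django user: only the attributes the checks need."""
    username: str
    is_authenticated: bool = True
    is_superuser: bool = False
    groups: set = field(default_factory=set)  # e.g. {"Officers"} (assumed group name)


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass
class Request:
    user: User
    method: str = "GET"
    POST: dict = field(default_factory=dict)


@dataclass
class Response:
    status_code: int
    body: str = ""


def login_required(view):
    """Mirrors Django's login_required: anonymous callers get a redirect, not the view."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if not request.user.is_authenticated:
            return Response(302, "redirect to /login/")
        return view(request, *args, **kwargs)
    return wrapper


def user_passes_test(test_func):
    """Mirrors Django's user_passes_test, but answers 403 instead of redirecting."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not test_func(request.user):
                return Response(403, "forbidden")
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def is_officer(user):
    """Assumed policy: superusers and members of the Officers group may write."""
    return user.is_superuser or "Officers" in user.groups


# Constructed in-memory state standing in for the database.
TURN_INS = {"alice": ["Resume"], "bob": []}
CAFE = {"money": 12.5}


def electee_turn_ins_vulnerable(request, username):
    """The gap described in the issue: no check on who is asking or what they change."""
    if request.method == "POST":
        TURN_INS[username].append(request.POST["item"])
    return Response(200, ",".join(TURN_INS[username]))


@login_required
def electee_turn_ins(request, username):
    """Hardened: logged in to read, own records only unless officer, officers only to write."""
    user = request.user
    if username != user.username and not is_officer(user):
        return Response(403, "not your turn-ins")
    if request.method == "POST":
        if not is_officer(user):
            return Response(403, "only officers may modify turn-ins")
        TURN_INS[username].append(request.POST["item"])
    return Response(200, ",".join(TURN_INS[username]))


@login_required
@user_passes_test(is_officer)
def cafe_reset_money(request):
    """Write-only action: stack both decorators so the order of checks is login, then role."""
    CAFE["money"] = 0.0
    return Response(200, "reset")


if __name__ == "__main__":
    electee = User("alice")
    print(electee_turn_ins(Request(electee, "POST", {"item": "Photo"}), "alice").status_code)  # 403
    print(electee_turn_ins_vulnerable(Request(electee, "POST", {"item": "Forged"}), "bob").status_code)  # 200
```

In the real app the two decorators come from `django.contrib.auth.decorators` (`login_required`, `user_passes_test`) and the per-object check in `electee_turn_ins` is the part no decorator provides: `login_required` alone would still let one electee read and edit another electee's record, which is the bug the issue reports.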