Heello / Issues

Bug and feature tracking

users/notifications metadata - can echo an echo of my ping? #35

Closed katanacrimson closed 11 years ago

katanacrimson commented 11 years ago

Not entirely sure I'm reading this right, but it appears that the API is replying that, in users/notifications, an echo of a ping I made is something that I can echo myself.

    {
        "id": 12771311,
        "type": "echo",
        "created_at": "2013-06-11T05:50:53Z",
        "data": {
            "ping": {
                "id": 11545705,
                "text": null,
                "user_id": 1984189,
                "echo_id": 11275595,
                "reply_id": null,
                "checkin": false,
                "created_at": "2013-06-11T05:50:53Z",
                "user": {
                    "id": 1984189,
                    "username": "amarnath",
                    "name": "Amarnath Verma",
                    "bio": "",
                    "website": "",
                    "location": "",
                    "timezone": "Kolkata",
                    "created_at": "2013-05-31T05:52:28Z",
                    "avatar": "//d2trw7474qpa0b.cloudfront.net/amarnath/thumb.jpg?6e5fbb03cda86bda4dac28ad92340046",
                    "background": "//d2dh8keolssd5w.cloudfront.net/default.png",
                    "cover": "//d38xdbig8ajh16.cloudfront.net/amarnath/thumb.jpg?9ef17face99ce40dde0ccaf8b29dc873",
                    "metadata": {
                        "ping_count": 338,
                        "checkin_count": 4,
                        "listener_count": 10,
                        "listening_count": 83,
                        "listening": false,
                        "listens": false
                    }
                },
                "media": {},
                "echo": {
                    "id": 11275595,
                    "text": "How not to get an audit: \r\n<malerzril> Hey all, I am looking for someone to pentest/audit my code for any noticeable security flaws\r\n<pronto> how much are you paying?\r\n<malerzril> 100$\r\n<soot> heh",
                    "user_id": 1688760,
                    "echo_id": null,
                    "reply_id": null,
                    "checkin": false,
                    "created_at": "2013-06-04T14:25:10Z",
                    "user": {
                        "id": 1688760,
                        "username": "katana",
                        "name": "Damian Bushong",
                        "bio": "Burning a hole through the past and lighting the path into the future.",
                        "website": "",
                        "location": "",
                        "timezone": "Central Time (US & Canada)",
                        "created_at": null,
                        "avatar": "//d2trw7474qpa0b.cloudfront.net/katana/thumb.jpg?1aa31f75916f1e69c17373b3087399b3",
                        "background": "//d2dh8keolssd5w.cloudfront.net/default.png",
                        "cover": "//d38xdbig8ajh16.cloudfront.net/default.png",
                        "metadata": {
                            "ping_count": 233,
                            "checkin_count": 0,
                            "listener_count": 26,
                            "listening_count": 6
                        }
                    },
                    "media": {},
                    "metadata": {
                        "echo_count": 2,
                        "reply_count": 0,
                        "can_reply": true,
                        "can_delete": true,
                        "can_echo": false,
                        "is_private": false
                    }
                },
                "metadata": {
                    "echo_count": 0,
                    "reply_count": 0,
                    "can_reply": true,
                    "can_delete": false,
                    "can_echo": true,
                    "is_private": false
                }
            },
            "user": {
                "id": 1984189,
                "username": "amarnath",
                "name": "Amarnath Verma",
                "bio": "",
                "website": "",
                "location": "",
                "timezone": "Kolkata",
                "created_at": "2013-05-31T05:52:28Z",
                "avatar": "//d2trw7474qpa0b.cloudfront.net/amarnath/thumb.jpg?6e5fbb03cda86bda4dac28ad92340046",
                "background": "//d2dh8keolssd5w.cloudfront.net/default.png",
                "cover": "//d38xdbig8ajh16.cloudfront.net/amarnath/thumb.jpg?9ef17face99ce40dde0ccaf8b29dc873",
                "metadata": {
                    "ping_count": 338,
                    "checkin_count": 4,
                    "listener_count": 10,
                    "listening_count": 83,
                    "listening": false,
                    "listens": false
                }
            }
        }
    },
caseym commented 11 years ago

See response re: issue #32

Basically, the currently authenticated user executing the API call can echo any Ping they can see that they are not the owner of; in the case of echoed Pings, the original author of the Ping is considered the owner, not the echoer.
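The ownership rule caseym describes can be written down and checked against the captured notification. The following is an added example, not Heello's own code: it walks the `echo` chain to the original author, derives what `can_echo` should be for a given viewer under that rule, and reports any Ping in the chain whose advertised `metadata.can_echo` disagrees. The sample is a trimmed-down copy of the JSON above (only `id`, `user_id`, `echo_id`, `echo` and `can_echo` kept); the viewer id 1688760 is katana's from the payload, and the code assumes visibility is already satisfied because the Ping arrived in the viewer's own notifications. Under the rule, the outer Ping (11545705, echoed by amarnath) is owned by katana, so for katana it should not be echoable, whereas the captured metadata advertises `can_echo: true`; the inner echo (11275595) agrees with the rule.

```python
"""Derive can_echo for Heello Pings from the ownership rule stated in the issue thread.

Added example, not Heello's code. The rule: a viewer may echo any Ping they
can see unless they own it, and the owner of an echoed Ping is the original
author at the end of the echo chain, not the user who echoed it.
"""
from typing import Optional

# Constructed sample: the notification from the issue, reduced to the fields
# the rule depends on. Ids and user ids are the ones from the captured JSON.
SAMPLE_PING = {
    "id": 11545705,          # amarnath's echo of katana's Ping
    "user_id": 1984189,      # amarnath
    "echo_id": 11275595,
    "echo": {
        "id": 11275595,      # katana's original Ping
        "user_id": 1688760,  # katana
        "echo_id": None,
        "echo": None,
        "metadata": {"can_echo": False},
    },
    "metadata": {"can_echo": True},  # what the API advertised to katana
}

KATANA = 1688760   # viewer id taken from the payload's nested "user" object
AMARNATH = 1984189


def owner_of(ping: dict) -> int:
    """Return the user id that owns the Ping: follow echo_id links to the original author.

    A Ping with echo_id set is an echo; its owner is whoever owns the Ping it
    echoes. Loops and dangling echo_id values are treated as malformed input
    rather than silently attributing ownership to the wrong user.
    """
    current = ping
    seen: set[int] = set()
    while current.get("echo_id") is not None:
        if current["id"] in seen:
            raise ValueError(f"echo chain loops at ping {current['id']}")
        seen.add(current["id"])
        nested: Optional[dict] = current.get("echo")
        if nested is None:
            raise ValueError(f"ping {current['id']} has echo_id but no embedded echo")
        current = nested
    return current["user_id"]


def expected_can_echo(ping: dict, viewer_id: int) -> bool:
    """can_echo as the thread's rule prescribes, assuming the viewer can see the Ping."""
    return owner_of(ping) != viewer_id


def find_mismatches(ping: dict, viewer_id: int) -> list[tuple[int, bool, bool]]:
    """Return (ping_id, advertised_can_echo, expected_can_echo) for every Ping in the
    chain where the API's metadata disagrees with the ownership rule."""
    mismatches = []
    current: Optional[dict] = ping
    while current is not None:
        advertised = bool(current["metadata"]["can_echo"])
        expected = expected_can_echo(current, viewer_id)
        if advertised != expected:
            mismatches.append((current["id"], advertised, expected))
        current = current.get("echo")
    return mismatches


if __name__ == "__main__":
    print("owner of outer ping:", owner_of(SAMPLE_PING))
    print("katana may echo it per rule:", expected_can_echo(SAMPLE_PING, KATANA))
    print("mismatches for katana:", find_mismatches(SAMPLE_PING, KATANA))
```

Running it as katana prints the single mismatch for the outer Ping, which is exactly the situation the issue title asks about; running it as amarnath reports none, since amarnath is the echoer, not the owner. Note that the walk relies on the echoed Ping being embedded under `echo`, as it is in the `users/notifications` payload; a client that only has `echo_id` would need a second lookup.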