Mottokrosh / Sheet

A cloud based character sheet for the Pathfinder Roleplaying Game
MIT License

Any Logged in user can modify any sheet, not just their own #24

Open ddivecs opened 7 years ago

ddivecs commented 7 years ago

Steps to reproduce: Log in with your own GitHub or Google account. Click this link to a sample character sheet: http://charactersheet.co.uk/pathfinder/#/sheet/589cb0309ddeeb00048c5c8f

You are able to modify this sheet and it reflects in the sheet and I am able to see it when I log in and go to edit it.

Expected behavior: Sheets should be authenticated such that only the creator of the sheet can edit it. Instead any logged in user is able to edit any sheet.

Also, because the "share" link and the "edit" link share a hash, it's easy to take a "share" link and move to the edit page and edit someone's character sheet. For example, the only difference between http://charactersheet.co.uk/pathfinder/#/statblock/5893daaf0e82200004ac0f68 and the link above is that "statblock" changed to "sheet".

Together these create a security flaw that prevents users from using the links to share their character stats for fear of someone maliciously or accidentally editing their sheet.

ddivecs commented 7 years ago

It seems that here https://github.com/Mottokrosh/Sheet/blob/master/app/scripts/controllers/sheet.js#L14 you check if there is a userId, and then check if you're given a characterId, but you're never checking if the character was made by that user. It also doesn't seem that your character service keeps information about what user that character belongs to.

Mottokrosh commented 7 years ago

Ouch, good catch! I would certainly welcome a pull request for this glaring omission.

ddivecs commented 7 years ago

@Mottokrosh I'd help with this, but I'm fairly busy for the next few weeks (family). If, after that, this still needs help, I can try to lend a hand if I can.

andsplat commented 4 years ago

Has this been resolved? Just found this app and am liking what I see so far!

Mottokrosh commented 4 years ago

I'm afraid this issue is still open. PRs welcome!

edreeseg commented 3 years ago

This should be resolved at this point. Any attempted edit of a sheet that is not your own will result in a 403 and kick the user back to login.
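The missing check diagnosed earlier in the thread (a userId and a characterId are verified, but never that the character belongs to that user) and the 403 behaviour described in the last comment, shown side by side as an added example. This is illustration code, not the Sheet project's own controller or service: the store shape, the `ownerId` field, the `sessionUserId` argument and the function names are assumptions, and the two character ids are reused from the links in the issue purely as sample keys.

```javascript
// Added example, not code from the Sheet repository. Models a server-side
// character service: `ownerId` on each record and `sessionUserId` from the
// authenticated session are assumed names for illustration.

// Constructed sample store: two sheets owned by two different users.
function makeSampleStore() {
  return new Map([
    ['589cb0309ddeeb00048c5c8f', { ownerId: 'user-alice', name: 'Valeros', hp: 12 }],
    ['5893daaf0e82200004ac0f68', { ownerId: 'user-bob', name: 'Seoni', hp: 8 }],
  ]);
}

// The shape described in the issue: the only questions asked are "is someone
// logged in?" and "does this character exist?". Any authenticated user who
// knows (or derives from a share link) a character id can write to it.
function updateSheetUnchecked(store, sessionUserId, characterId, patch) {
  if (!sessionUserId) return { status: 401 };
  const character = store.get(characterId);
  if (!character) return { status: 404 };
  Object.assign(character, patch);
  return { status: 200, character };
}

// Hardened version: ownership is enforced on the server, next to the record,
// so a share id turned into an edit URL is refused with 403. Authorization is
// not delegated to the client-side route or to id secrecy.
function updateSheet(store, sessionUserId, characterId, patch) {
  if (!sessionUserId) return { status: 401 };
  const character = store.get(characterId);
  if (!character) return { status: 404 };
  if (character.ownerId !== sessionUserId) return { status: 403 };
  // The client must never be able to reassign ownership through the patch body.
  const { ownerId, ...safePatch } = patch;
  Object.assign(character, safePatch);
  return { status: 200, character };
}

// The read-only "statblock" share view needs no ownership check, but it hands
// back a copy, not the live record, so nothing can be mutated through it.
function viewStatblock(store, characterId) {
  const character = store.get(characterId);
  if (!character) return { status: 404 };
  return { status: 200, statblock: { ...character } };
}

// Small demonstration: Bob (logged in) tries to edit Alice's sheet.
const demoStore = makeSampleStore();
console.log('unchecked :', updateSheetUnchecked(makeSampleStore(), 'user-bob', '589cb0309ddeeb00048c5c8f', { hp: 1 }).status); // 200
console.log('hardened  :', updateSheet(demoStore, 'user-bob', '589cb0309ddeeb00048c5c8f', { hp: 1 }).status);                 // 403
console.log('owner     :', updateSheet(demoStore, 'user-alice', '589cb0309ddeeb00048c5c8f', { hp: 1 }).status);               // 200
```

The point of keeping the check in the service rather than in the Angular controller is that the sheet and statblock views can keep sharing an id: the id only identifies the record, and the server decides per request whether the caller may write to it. Logging the 403s also gives a simple detection signal for repeated attempts to edit sheets that belong to other accounts.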