NZOI / nztrain

The NZOI online judge and training site written in Ruby

Limit /users to be admin only #192

Open thebrucecgit opened 1 year ago

thebrucecgit commented 1 year ago

Leaving this here as a note. Feel free to ignore.

I think /users, /users/online, /users/newest (can still be accessed via direct link) should be limited to admin only.

  1. Privacy - I think it's a bit strange that any user can see all 2.5k+ users of the website, even if it's mostly harmless info.
  2. This might be the most resource-intensive request across the whole site, taking up to 5 seconds to respond (and will increase in future). Might be vulnerable to DDoS attacks?
  3. Not much point in having it anyways
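The access restriction proposed above (the user listing pages visible to staff only, while individual profiles stay reachable) can be modelled as a small route guard. The following is an added illustration in plain Ruby, not code from nztrain; `User`, `RouteGuard`, the `admin` flag and the `:ok` / `:forbidden` / `:login_required` outcomes are assumed names for the example.

```ruby
# Added example (not nztrain's own code): a role-based guard for the user
# listing routes discussed in this issue. Exact-path matching is deliberate so
# that /users/42 (a single profile) is NOT caught by the /users rule.
User = Struct.new(:name, :admin, keyword_init: true)

class RouteGuard
  # Listing pages that should only be visible to admins/staff (from the issue).
  ADMIN_ONLY = ['/users', '/users/online', '/users/newest'].freeze

  # Returns :ok, :forbidden (logged in but not admin) or :login_required (anonymous).
  def self.check(path, user)
    return :ok unless admin_only?(path)
    return :login_required if user.nil?
    user.admin ? :ok : :forbidden
  end

  # Normalise the request path before matching: drop the query string and any
  # trailing slash so "/users/?page=2" is treated the same as "/users".
  def self.admin_only?(path)
    normalized = path.split('?', 2).first.chomp('/')
    normalized = '/' if normalized.empty?
    ADMIN_ONLY.include?(normalized)
  end
end

if __FILE__ == $PROGRAM_NAME
  staff = User.new(name: 'staff', admin: true)
  member = User.new(name: 'member', admin: false)
  [['/users', nil], ['/users/online', member], ['/users/newest', staff],
   ['/users/42', nil], ['/users/?page=2', member]].each do |path, who|
    puts "#{path.ljust(16)} #{who ? who.name : 'anonymous'} => #{RouteGuard.check(path, who)}"
  end
end
```

In a Rails app the equivalent would be a `before_action` on the listing actions that redirects or renders 403 based on the same decision; the matching logic above is kept framework-free so it can be run and tested on its own.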
tom93 commented 1 year ago

Hi Bruce, thanks for raising this. Some notes:

thebrucecgit commented 1 year ago

Hi Tom,

Thanks for the quick response. If it's easy to fix the performance issue, then sure that would be great. I'm hoping to redesign the NZIC signup process to have instant user validation, which is probably going to call /users, so making it faster would be helpful.

Displaying the top N users with the most problems solved would also be neat - creating some sort of a leaderboard system which the Aussies have.

I imagine hiding /users is a fairly straightforward change. Replacing the incrementing ID would be a nice-to-have but would probably need widespread changes across the codebase?

tom93 commented 10 months ago

We've finally started making progress on this (sorry for the delay), so far I've just limited /users/online (#210) and /users/newest (#211) to staff but we intend to do more.