SEGUC17 / mean_squad

The repo for our Software Engineering course.

Can view user info while logged out #243

Open yousseffarahat opened 7 years ago

yousseffarahat commented 7 years ago
1. Severity: Low
2. Reported by: Youssef Farahat
3. Description: If I stop the page from loading as soon as I enter the URL for the profile, I can see the user info; with slow internet this becomes easier. Recreatable with slow internet and fast reactions, so this counts as an exploit.
4. Steps to reproduce the issue:
   1) Type http://35.160.199.92:8000/profile/?username=test2 in the URL bar.
   2) Press Escape as soon as the info appears.
5. Expected result: No data shown.

IElgohary commented 7 years ago

Is test2 a business or a client?

yousseffarahat commented 7 years ago

Client

IElgohary commented 7 years ago

I cannot reproduce the problem

yousseffarahat commented 7 years ago

It is hard to reproduce, I agree; you need slow internet, but I managed to view the info 2 times out of about 29 tries, and one time is enough because it is still an exploit.

IElgohary commented 7 years ago

Until I can reproduce it, I will label it as won'tfix.

yousseffarahat commented 7 years ago

Fair enough

abdo-shabrawy commented 7 years ago

Just refresh and scroll down; it flashes briefly. Related to #234.

Same cause, different side effects.

ameniawy commented 7 years ago

@yousseffarahat What causes this behavior is an API call checking the permissions of the logged-in user.
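The root cause named above (profile rendered first, permissions checked by a later API call) is the classic client-side-authorization bug: the sensitive data has already reached the browser before anything decides whether the visitor may see it. The following is an added example, not code from the mean_squad repo; it models both patterns with constructed request/response objects and placeholder user data so the difference can be tested offline.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the user store; "test2" mirrors the username in the report.
USERS = {"test2": {"username": "test2", "email": "test2@example.invalid", "role": "client"}}

@dataclass
class Request:
    path: str
    query: dict
    session_user: Optional[str] = None  # None models a logged-out visitor

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def render_profile(user):
    return f"<h1>{user['username']}</h1><p>{user['email']}</p>"

def profile_view_client_checked(req):
    """Flawed pattern (the behavior in this issue): the profile is sent to every
    visitor and a script later asks /api/permissions and hides it. Stopping the
    load (Esc) or a slow link leaves the data visible."""
    user = USERS.get(req.query.get("username"))
    if user is None:
        return Response(404, "not found")
    html = render_profile(user) + '<script>fetch("/api/permissions")/* hide on 403 */</script>'
    return Response(200, html)

def profile_view_server_checked(req):
    """Hardened pattern: authorization is decided before any profile data is put
    in the response, so nothing sensitive ever reaches an anonymous client."""
    if req.session_user is None:
        return Response(302, "", {"Location": "/login/?next=" + req.path})
    user = USERS.get(req.query.get("username"))
    if user is None:
        return Response(404, "not found")
    return Response(200, render_profile(user))

def leaks_profile(resp, username):
    """True if the response body carries the profile's private field."""
    return USERS[username]["email"] in resp.body
```

Any later client-side check (the permissions API call) is then purely cosmetic, because the server has already withheld the data.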