Open severinbeauvais opened 4 years ago
This ticket is not required at the moment (ie, while only staff can make corrections).
Comments from Thor in RocketChat:
in grooming it is assured staff will never make typos 🙂 and we don't even need that other info
the other fields are needed to assure that the correct NR is returned, WHEN we rework some parts of the filing to make it publicly available
as we don't need it now, it wasn't added to make changes to the BE service.
staff are able to get all that data, as does the service account
the api calls may have to change for public access when the whole user login, anonymous access for NRO is done
So, the API calls may have to change in the future. If there is already a ticket for that then let's close THIS ticket. Otherwise let's leave this ticket open.
@cameron-freshworks , do you know if this is fixed?
Can't say for certain off the top of my head but this is before Kial's updates to the credentials being in the request header, so while it was addressed in the Name Request app, this will probably need verification in the EDIT UI.
This ticket is not required at the moment (ie, while only staff can make corrections).
Now, regular users can "change company information", which includes the ability to use a NR to change the business name, which fetches the entire NR and exposes all its information in the Dev Tools Network tab.
See also #17047.
Currently the Legal API has an endpoint to fetch a NR's data.
The Edit UI calls this endpoint to get a potential correction NR and then validates that the entered phone number or email address matches the NR. If so then the NR is used for the subject IA correction.
In my opinion, having the UI determine whether the NR is valid is a (small) security issue (with possibly low severity) -- it may be possible for an altered/alternate UI to bypass the validity check and just use any NR they can fetch for an IA correction.
One potential solution is for the API to validate the NR's phone/email when the IA correction is filed... however the phone/email are available right in the NR so this provides no security.
A better solution is for the phone/email to be required to fetch a NR (as is done in auth-web, see affiliation.py). However this would require rework of all 3 UIs (since they can all fetch a NR).
This ticket should be discussed among the team to decide if this is a significant issue and whether we should do anything about it.
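As an added example (not code from the Legal API, auth-web or the Edit UI), a Python sketch of the two designs discussed above: a lookup that returns the whole NR and leaves the phone/email check to the UI, beside one that requires a matching phone or email server-side and returns only the fields the filing needs. The NR record, its field names and all values are constructed for this example.

```python
import hmac
import re

# Constructed sample NR store keyed by NR number (hypothetical values).
NR_STORE = {
    "NR 1234567": {
        "nrNum": "NR 1234567",
        "applicants": {"phoneNumber": "250-555-0100",
                       "emailAddress": "Owner@Example.com"},
        "names": [{"name": "EXAMPLE HOLDINGS INC.", "state": "APPROVED"},
                  {"name": "EXAMPLE VENTURES INC.", "state": "REJECTED"}],
        "state": "APPROVED",
        "expirationDate": "2025-01-01",
    }
}


def fetch_nr_unchecked(nr_num):
    """Weak pattern: the endpoint returns the whole NR, applicant contact
    details included. Any client that can call it can read the phone/email,
    so a check done only in the UI can be skipped by an altered client."""
    return NR_STORE.get(nr_num)


def _norm_phone(value):
    return re.sub(r"\D", "", value or "").encode()


def _norm_email(value):
    return (value or "").strip().lower().encode()


def fetch_nr_validated(nr_num, phone=None, email=None):
    """Hardened pattern: the caller must supply a phone or email that matches
    the NR applicant before any NR data is returned, and the response is
    trimmed to the fields the filing needs. Returns None when the NR is not
    found, the contact does not match, or no contact was supplied, so a
    caller cannot tell a mismatch from a missing NR."""
    if not phone and not email:
        return None  # an HTTP handler would answer 400 here
    nr = NR_STORE.get(nr_num)
    if nr is None:
        return None
    applicant = nr["applicants"]
    phone_ok = bool(phone) and hmac.compare_digest(
        _norm_phone(phone), _norm_phone(applicant["phoneNumber"]))
    email_ok = bool(email) and hmac.compare_digest(
        _norm_email(email), _norm_email(applicant["emailAddress"]))
    if not (phone_ok or email_ok):
        return None
    return {"nrNum": nr["nrNum"], "state": nr["state"],
            "expirationDate": nr["expirationDate"],
            "names": [n["name"] for n in nr["names"] if n["state"] == "APPROVED"]}
```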