bounswe / bounswe2018group9

Actopus - an activity social octopus

Attendance & Vote POST/PUT Invalid User #386

Open okyksl opened 5 years ago

okyksl commented 5 years ago

Not tested, just observation from code review.

It seems to me that an external agent can put whatever user they desire into req.body and get away with changing others' attendance and votes.

This entry of a wrong user/creator is also possible in the comment data model and might apply to other data models as well. One needs to receive such fields directly from req.body.
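The pattern this comment describes, as an added example that is not the project's own code: a handler that takes the acting user from req.body beside one that takes it from the authenticated principal. It assumes `req.user` is set by authentication middleware and models the handlers as plain functions over an in-memory store so it runs stand-alone.

```javascript
// Added example, not from the Actopus code base. `req.user` is assumed to be
// set by authentication middleware; `req.body` is the client-controlled JSON.

// Constructed in-memory store: "<event>:<user>" -> attendance status.
const attendance = new Map();

// Before: the acting user is taken from the request body, so any client can
// write attendance on behalf of any other user (mass assignment).
function postAttendanceVulnerable(req) {
  const { event, user, status } = req.body;
  attendance.set(`${event}:${user}`, status);
  return { ok: true, user };
}

// Keep only the fields a client is allowed to set; `user`/`creator` are not.
function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) if (key in body) out[key] = body[key];
  return out;
}

// After: the acting user comes only from the authenticated principal, and the
// remaining body fields are allow-listed and validated.
function postAttendanceFixed(req) {
  if (!req.user || !req.user.id) return { ok: false, status: 401 };
  const { event, status } = pickAllowed(req.body, ['event', 'status']);
  if (typeof event !== 'string' || !['going', 'not_going'].includes(status)) {
    return { ok: false, status: 400 };
  }
  attendance.set(`${event}:${req.user.id}`, status);
  return { ok: true, user: req.user.id };
}

function getAttendance(event, user) {
  return attendance.get(`${event}:${user}`);
}

// Constructed request: alice is authenticated, but the body names bob.
const forgedRequest = {
  user: { id: 'alice' },
  body: { event: 'ev1', user: 'bob', status: 'going' },
};
```

Running both handlers on `forgedRequest` shows the first writing bob's attendance and the second writing only alice's, which is the check a reviewer would want before closing the issue.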

byklyci commented 5 years ago

For Attendance, the PUT does not work properly, but from my observation in Postman the POST is working.

okyksl commented 5 years ago

Can you share with us the exact input/output combinations? Can someone post attendance information for someone else?

kemaltulum commented 5 years ago

Vote has no effect even though I get a "voted successfully" message from the backend.