There were no checks to make sure that a user can only access or delete their own notes / notebooks. Notes of other users can be accessed or deleted by simple URL rewriting (e.g. by tunneling through a proxy). This is especially easy because the notes' and notebooks' IDs are enumerable and therefore can be guessed by decrementing / incrementing a known ID.
I made sure to always pass the current user's ID when looking up notes and notebooks from the DB. I'm sure this has to be converted into something more sophisticated once sharing is in, depending on the implementation, but for now it should prevent illegal access.
This will be implemented together with #81.
I've already implemented this in my local branch, and get merge conflicts (doh).
Hence reason for closing it.
…tebooks.
There were no checks to make sure that a user can only access or delete their own notes / notebooks. Notes of other users can be accessed or deleted by simple URL rewriting (e.g. by tunneling through a proxy). This is especially easy because the notes' and notebooks' IDs are enumerable and therefore can be guessed by decrementing / incrementing a known ID.
I made sure to always pass the current user's ID when looking up notes and notebooks from the DB. I'm sure this has to be converted into something more sophisticated once sharing is in, depending on the implementation, but for now it should prevent illegal access.