Open forus opened 2 weeks ago
@forus this sounds like a good idea! Thanks for posting!
Remember to update the FAQ answer here https://docs.cbioportal.org/user-guide/faq/#is-it-necessary-to-log-in-to-use-virtual-studies-if-i-do-log-in-what-additional-functionality-do-i-gain
After fixing this issue, evaluate whether sanitization like this will become obsolete https://github.com/cBioPortal/cbioportal/commit/6d94d9b9de1ca30db9bc818971673ea4316b92be (not part of the main branch)
Anonymous users must be unable to specify the owner and users fields.
This feature makes the system vulnerable to DoS attacks.
Frontend: disable the button for anonymous users. Show popup "You have to Login to create a Virtual Study"
Backend: These 2 endpoints have to be closed for anonymous users: