birm
commented
3 months ago Theoretically, the routes themselves should be controlled by user type in caracal/back's routes.json (https://github.com/camicroscope/Distro/blob/218d97339fd8d237ca1574c881ff1439f2098220/config/routes.json#L257)
I think it's probably a good idea to have the admin page check if the user has sufficient permission. On develop.yml, for example, "everyone" is an admin with the default setup. When security is on and users are added this is different. We have a somewhat strange route for this kind of purpose (http://localhost:4010/data/user/wcido)
barchakuz
Describe the bug Currently, there is a significant security flaw where the admin page can be accessed via URL without requiring login credentials. This flaw enables unauthorized users to access sensitive data and potentially tamper with it.
To Reproduce
Expected behavior Access to the admin page should be restricted to authorized users only. Users attempting to access the admin page should be required to provide valid login credentials.
Desktop (please complete the following information):
Additional context This security flaw poses a significant risk as it allows unauthorized users to access and potentially tamper with sensitive data. To address this issue, I propose implementing a session-based system where access to the admin page is granted only if the user's session is active and authenticated. If the session is inactive or not authenticated, users should be redirected to the signup page or admin login page to prevent unauthorized access.
Solution Suggestion Implementation of Session Management:
Implement session-based authentication to track user sessions.
When a user accesses the admin page, the system checks the status of the user's session.
Enhanced Access Controls: