Describe the bug
Mitchell Oliver mitchell.j.oliver@gmail.com | Fri, Jun 25, 2021 at 4:26 PM
Cc: Jorge Rojas Alvarez jorger3@illinois.edu, Anita Say Chan asaychan@gmail.com, Joshmita Chintala jchint2@illinois.edu
Hey Jorge, I doubt anyone would exploit this any time soon, but Ginger's message made me realize that you don't have to log in to edit service info. The /services/#####/edit URL seems to grant access to everything, and saves are effective even if not logged in. What do you think we should do?
To Reproduce
Steps to reproduce the behavior:
Find a service in an organization other than yours and keep the ID number displayed in your browser's web address bar.
Expected behavior
OMs can only modify their own organization's information (i.e., organization info, services, and events).
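An added example (not this project's code) of the check the expected behavior calls for: the edit form and the save both require a logged-in user whose organization owns the service. The save route (`/services/<id>` with a write method), the public read of a service page, the `User` type, and the sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: service id -> id of the organization that owns it.
SERVICE_ORG = {10231: 1, 10232: 2}


@dataclass(frozen=True)
class User:  # hypothetical session user
    id: int
    org_id: int


# Matches the edit form (/services/<id>/edit) and the assumed save target (/services/<id>).
SERVICE_ROUTE = re.compile(r"^/services/(\d+)(/edit)?$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def authorize(method: str, path: str, user: Optional[User]) -> int:
    """Return the HTTP status a route guard would produce for this request."""
    m = SERVICE_ROUTE.match(path)
    if m is None:
        return 200  # not a service route; outside this guard's scope
    service_id = int(m.group(1))
    is_edit_form = m.group(2) is not None
    # Guard the form AND the save: hiding the form alone leaves saves open.
    if not (is_edit_form or method.upper() in WRITE_METHODS):
        return 200  # assumed public read of a service page
    if user is None:
        return 401  # checked first so anonymous requests cannot probe ids
    owner_org = SERVICE_ORG.get(service_id)
    if owner_org is None:
        return 404
    if owner_org != user.org_id:
        return 403  # logged in, but the service belongs to another organization
    return 200


if __name__ == "__main__":
    om = User(id=7, org_id=1)
    print(authorize("GET", "/services/10231/edit", None))  # anonymous edit form
    print(authorize("PATCH", "/services/10232", om))       # other organization's service
    print(authorize("PATCH", "/services/10231", om))       # own service
```
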