comses / catalog

Web tools to annotate publications related to computational modeling
http://catalog.comses.net
GNU General Public License v3.0

unauthorized access - security problem #165

Closed MarcoAJanssen closed 5 years ago

MarcoAJanssen commented 5 years ago

I checked what would happen if I use a link of a publication that was processed and access it in a browser that was not logged into ASU. I did this with https://catalog.comses.net/api/publication/222173/aparicio-juan-pablo-nicolas-tomasini-ragone-paula-gabriela-sebastien-gourbiere-patricio-diosque/ and indeed I could see the information without logging into ASU, but to my horror I could access and change all data if I wanted to. This should not be allowed. Visitors should only be able to read the data and should not be allowed to change any data entry directly (only by sending us an email reporting a mistake).

cpritcha commented 5 years ago

If I log out of catalog.comses.net and attempt to access the url you provided (either attempting to retrieve or modify the record) I am redirected to the login page https://catalog.comses.net/accounts/login/?next=/api/publication/222173/aparicio-juan-pablo-nicolas-tomasini-ragone-paula-gabriela-sebastien-gourbiere-patricio-diosque/. Are you sure you can access the page without logging in?

MarcoAJanssen commented 5 years ago

OK I tried it in a newly opened browser and then I did indeed get the page to log in. Perhaps logging out of ASU was not really done properly in the other browser. Sorry for the inconvenience.

cpritcha commented 5 years ago

No problem!