dmeese / MathWorld

Team Bunny Slippers Math World Web Application

I can type weird links without logging in as a user and still get registered output #10

Closed ravthan closed 11 years ago

ravthan commented 11 years ago

A link such as https://rocky-meadow-8293.herokuapp.com/documents/?=13 gave the registered-user content even after logging in. I made sure it wasn't from the browser's cache. The process to get here is unclear, as I am messing with this system in various ways, ravi.

CKinWoodstock commented 11 years ago

Attempted using the direct link listed, and was only sent to the documents page for public documents; no registered-user-only content was displayed.

Tried with some other direct links to document ids, both for public and registered. Attempts to direct browse to registered content resulted in redirect to the welcome page of the app.

Any further steps to reproduce?

Please note that Internet Explorer (and perhaps some other browsers) shares session cookies across tabs, but not across separate browser windows. If you log in on one tab, you will have a valid session on other tabs.

ravthan commented 11 years ago

I was using the Firefox browser, with windows opened in tabs, ravi.

CKinWoodstock commented 11 years ago

From https://support.mozilla.org/en-US/questions/791853 :

"Unlike IE, Firefox runs all windows from the same firefox.exe process, so all cookies are running in the same "session" whether it be separate tabs or separate windows. "

So Firefox is even worse than IE in this regard; log in in one Firefox window, and the other windows have a valid session as well. Are you able to force your way to registered content after closing all Firefox windows and then opening a new one?

ravthan commented 11 years ago

Yes, even after getting out of Firefox completely, it happened to me. I did it immediately, so I wonder whether it has to do with timing. I was looking at the authentication and db code; I was looking for some kind of timeout. I didn't find any and hence thought a test like this would be worth it, ravi.

dmeese commented 11 years ago

Ravi - registered users should only be able to see public content. There are only 2 documents that are private on the site: https://rocky-meadow-8293.herokuapp.com/documents/8

and

https://rocky-meadow-8293.herokuapp.com/documents/12

Everything else should be accessible to public or registered (but not validated) users.

The /13 content should be directly accessible here:

https://rocky-meadow-8293.herokuapp.com/documents/13
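The confound in this thread is browser session state: a cookie left over from a login in another tab or window makes "I wasn't logged in" hard to trust. The following is an added example, not code from the MathWorld app or from anyone in the thread, that does the direct-browse test CKinWoodstock describes from a script with a fresh, cookie-less client per request, so no leftover session can leak in. It runs offline against an in-process mock that encodes only the policy dmeese states above (documents 8 and 12 private, everything else public, the listing page ignoring a query string like `?=13`); the mock, the `session=validated` cookie name and the document set `{13}` are constructed for the example and are not the app's real implementation. A 302 to the welcome page is taken as "access denied", matching the redirect behaviour CKinWoodstock observed.

```python
"""Unauthenticated direct-access probe for /documents/<id>.

Runs against an in-process mock of the access policy described in the thread.
The mock, cookie name and document ids are constructed for this example and are
NOT the MathWorld application's own code.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Policy as stated in the thread: 8 and 12 are private, everything else is public.
PRIVATE_DOCS = {8, 12}
PUBLIC_DOCS = {13}                       # constructed sample; the real site has more
VALIDATED_COOKIE = "session=validated"   # hypothetical cookie, not the app's real one


class MockDocuments(BaseHTTPRequestHandler):
    """Constructed stand-in for the documents controller (example only)."""

    def log_message(self, *args):  # keep the probe's output quiet
        pass

    def do_GET(self):
        path, _, _query = self.path.partition("?")   # "?=13" is ignored, like the listing page
        if path == "/documents/":
            self._reply(200, b"public document listing")
            return
        m = re.fullmatch(r"/documents/(\d+)", path)
        doc_id = int(m.group(1)) if m else None
        if doc_id in PUBLIC_DOCS:
            self._reply(200, b"public document")
        elif doc_id in PRIVATE_DOCS:
            if VALIDATED_COOKIE in (self.headers.get("Cookie") or ""):
                self._reply(200, b"private document")
            else:
                # Unauthenticated access to private content: redirect to the welcome page.
                self.send_response(302)
                self.send_header("Location", "/")
                self.end_headers()
        else:
            self._reply(404, b"not found")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 302 to the welcome page is the signal we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths, cookie=None):
    """Fetch each path with no stored session (only the cookie given, if any).

    Returns {path: HTTP status}. 200 means content was served; 302 means the
    app bounced the request to the welcome page.
    """
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    results = {}
    for p in paths:
        req = urllib.request.Request(base_url + p)
        if cookie:
            req.add_header("Cookie", cookie)
        try:
            with opener.open(req, timeout=5) as resp:
                results[p] = resp.status
        except urllib.error.HTTPError as e:
            results[p] = e.code
    return results


def run_check():
    """Start the mock, probe it anonymously and as a validated user, return both result maps."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockDocuments)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    paths = ["/documents/?=13", "/documents/13", "/documents/8", "/documents/12"]
    try:
        anonymous = probe(base, paths)
        validated = probe(base, paths, cookie=VALIDATED_COOKIE)
    finally:
        server.shutdown()
        server.server_close()
    return anonymous, validated


if __name__ == "__main__":
    anonymous, validated = run_check()
    for p in anonymous:
        print("%-18s anonymous=%d validated=%d" % (p, anonymous[p], validated[p]))
```

To test the real deployment instead of the mock, point `probe()` at the Heroku base URL and the document ids from the thread; any private id that answers 200 without a cookie reproduces the bug, while a 302 confirms what CKinWoodstock saw. Because every request here starts without a cookie jar, the shared-session behaviour of Firefox and IE cannot influence the result.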