The INVENTORY and SCHEDULE roles were not being properly enforced, allowing any volunteer to perform related tasks.
Restrict access to /inventory and /schedule based on role.
Add more granular permissions to the food controller.
Explicitly require authenticated user for all food endpoints.
I am not all that familiar yet with the code base, so the permissions I set up are likely not correct. But I did try to follow @jspaine's initial suggestions.
Closes #303