gothinkster / realworld

"The mother of all demo apps" — Exemplary fullstack Medium.com clone powered by React, Angular, Node, Django, and many more
https://realworld-docs.netlify.app/
MIT License

User impersonation? #311

Closed cliffordh closed 5 years ago

cliffordh commented 5 years ago

Does the implementation of the Realworld backend prevent user impersonation? Meaning, does the application prevent an authenticated user from updating information in the system that belongs to a different user? If so, what is the mechanism behind this authorization?

anishkny commented 5 years ago

Yes. A RealWorld backend is expected to only allow updates to an authenticated user's own information (it's kinda implicit in the API here).

The specific mechanism is up to each individual backend implementation.

cliffordh commented 5 years ago

The Django implementation does not appear to implement object-level permissions and is subject to user impersonation on the API. I've opened an issue on the Django backend implementation: https://github.com/gothinkster/django-realworld-example-app/issues/21

anishkny commented 5 years ago

@cliffordh good catch! Thanks for opening the issue on the Django repo.
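An added example (not code from the RealWorld project or any of its backends) of the object-level check the thread is asking about: a valid token only establishes who is calling, so an update handler still has to compare the caller against the owner of the specific object. It is written in framework-agnostic Python so it runs offline; `User`, `Article`, `ArticleStore` and `put_article` are constructed stand-ins for a backend's models and a `PUT /api/articles/:slug` handler, and the unchecked variant shows the missing-permission shape beside the corrected one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str


@dataclass
class Article:
    slug: str
    author: User  # ownership is recorded on the object itself
    title: str


class Forbidden(Exception):
    """The caller is authenticated but does not own the target object."""


def assert_owner(current_user, obj):
    """Object-level permission: authentication says *who* is calling,
    not that the caller may modify *this* object; compare per object."""
    if obj.author != current_user:
        raise Forbidden(f"{current_user.username} is not the author")


class ArticleStore:
    """Constructed in-memory stand-in for a backend's article table."""

    def __init__(self, *articles):
        self.articles = {a.slug: a for a in articles}

    def update_unchecked(self, current_user, slug, title):
        """Missing object-level check: any logged-in user edits any article."""
        self.articles[slug].title = title
        return self.articles[slug]

    def update(self, current_user, slug, title):
        """PUT /api/articles/:slug with the ownership check applied."""
        article = self.articles[slug]
        assert_owner(current_user, article)
        article.title = title
        return article


def put_article(store, current_user, slug, title, checked=True):
    """HTTP-style wrapper: maps the outcome to the status a client would see."""
    if current_user is None:
        return 401  # not authenticated at all
    handler = store.update if checked else store.update_unchecked
    try:
        handler(current_user, slug, title)
    except KeyError:
        return 404
    except Forbidden:
        return 403
    return 200
```

With `checked=False` a second user's edit succeeds with 200, which is the behaviour reported against the Django backend; with the check in place the same request gets 403 and the article is left untouched.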