Closed Felienne closed 3 years ago
We can definitely allow the admin user to look at all programs. Great idea!
Regarding the 404 (not found) instead of a 403 (unauthorized), it's a security practice I saw implemented to give away as little info as possible - so if someone's trying to figure out if there's a program with id X that doesn't belong to them, they cannot tell whether it exists or not. I admit it's a bit silly to prevent randomly created IDs from being guessed, but it is the application of a general security principle (it would be far less innocent if this referred to named documents or users, which is where the principle comes from). I can change it back to a 403 if you want :).
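As an added illustration of the 404-over-403 choice described above (example code written here, not Hedy's own; the `User`/`Program` types, the in-memory store and the `lookup_program` helper are assumptions), the lookup returns the same "not found" result for a missing program and for someone else's program, while the server-side audit record keeps the real reason for operators:

```python
# Added example, not Hedy's code. Shows an authorization lookup that answers
# identically whether a program is missing or owned by another user, so the
# response cannot be used as an existence oracle; admins may view everything.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class User:            # assumed shape of a Hedy user
    username: str
    is_admin: bool = False

@dataclass(frozen=True)
class Program:         # assumed shape of a stored program
    id: str
    owner: str
    code: str

# Constructed sample store: programs belonging to two different users.
PROGRAMS: Dict[str, Program] = {
    "p1": Program("p1", "alice", "print Hello"),
    "p2": Program("p2", "bob", "print World"),
}

# Server-side record: the true reason is kept for operators even though the
# client-visible status does not reveal it.
AUDIT_LOG: List[str] = []

def lookup_program(program_id: str, user: User) -> Tuple[int, Optional[Program]]:
    """Return (http_status, program). 200 on success, 404 for both
    'does not exist' and 'exists but not yours'; never 403, so the status
    code gives a probing caller nothing to distinguish the two cases."""
    program = PROGRAMS.get(program_id)
    if program is None:
        AUDIT_LOG.append(f"{user.username}: program {program_id} does not exist")
        return 404, None
    if program.owner != user.username and not user.is_admin:
        AUDIT_LOG.append(f"{user.username}: denied {program_id} (owner {program.owner})")
        return 404, None
    return 200, program

def denials_are_uniform(missing_id: str, foreign_id: str, user: User) -> bool:
    """Regression check: the two denial paths must return the same status."""
    return lookup_program(missing_id, user)[0] == lookup_program(foreign_id, user)[0]
```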
Yeah you are right, it is somewhat of an exposure if we show that the program exists rather than it not being accessible to this user, so we can leave that as is.
But allowing the admin to see programs (and in the far future: allowing teachers to add kids to their class, see https://github.com/Felienne/hedy/issues/152) would be great!
Would be great if the Hedy/Admin user can see all programs, to aid in lessons. That saves kids with an issue from screensharing or copy-pasting programs to get help. It now shows:
(This error message maybe for other users should be something like: "Unauthorized access" rather than "No such program"?)