hmellor / auction-website

An open-source auction hosting system
https://hmellor.github.io/auction-website/
MIT License

admin #38

Closed justanobody22 closed 9 months ago

justanobody22 commented 10 months ago

Describe the bug

You realize that if you type admin.html after auction-website on your site, it puts you in the admin area where you can see the bids and winners???

probably needs addressing.

| # | Title | Price | Bids | Winning | Time left |
| -- | -- | -- | -- | -- | -- |
| | Sam Manilla | £936366636666662289408.00 | 14 | | Item Ended |
| | Polly Ester | £936366636666662289408.00 | 17 | | Item Ended |
| | Liz Onnia | £1000000000.00 | 4 | | Item Ended |
| | Jasmine Rice | £11000.00 | 3 | | Item Ended |
| | Kerry Oki | £12345623.00 | 5 | | Item Ended |
| | Drew Blood | £90.00 | 3 | | Item Ended |
| | Myra Maines | £10033.00 | 1 | | Item Ended |
| | Joe King | £10.00 | 1 | | Item Ended |
| | Rusty Nails | £12.00 | 0 | | Item Ended |
| | I. Ron Stomach | £6.00 | 0 | | Item Ended |
| | Sawyer B. Hind | £500.00 | 3 | | Item Ended |
| | Al Luminum | £1000.00 | 9 | | Item Ended |

© 2022 Harry Mellor

hmellor commented 9 months ago

I'm aware that a non-admin user is able to navigate to the admin page. However, the admin page will only show a non-admin user information that they are permitted to see.

Notice how the "Winning" column is empty, and the console contains 12 "Missing or insufficient permissions" errors:

[screenshot]

These errors are for the 12 usernames that this non-admin user isn't permitted to see.
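The behaviour described in the comment above (the page loads for everyone, but each lookup of a bidder's name is denied) is what per-document backend rules produce. The following is an added illustration, not the project's own rules: it assumes the backend is Cloud Firestore (the "Missing or insufficient permissions" text is Firestore's permission-denied message), assumed collection names `items` and `users`, and an assumed `admin` custom auth claim.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: admin status is carried as a custom claim on the ID token.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    // Assumed collection: auction listings (title, price, bid count, end time).
    // Readable by anyone, since the public listing page needs them;
    // only admins may create or change items.
    match /items/{itemId} {
      allow read: if true;
      allow write: if isAdmin();
    }

    // Assumed collection: bidder profiles keyed by auth uid.
    // Only the profile owner or an admin may read, so a non-admin loading
    // admin.html gets one permission-denied error per bidder lookup and an
    // empty "Winning" column, exactly as in the screenshot above.
    match /users/{userId} {
      allow read: if isAdmin() || (request.auth != null && request.auth.uid == userId);
      allow write: if false;
    }
  }
}
```

Because the site is served as static files, a direct request for admin.html cannot itself be blocked by the hosting; the data rules are the control that actually holds, and hiding or gating the page is defence in depth on top of them.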

justanobody22 commented 8 months ago

And when I pulled it, I wouldn't have seen that, seeing how, if you look at what I sent you, they all say ended. Nothing was running; they all showed as ended, so I had no expectation of there being something there. So maybe in that instance it was the way you set it up. But if it is all ended, why would anyone expect that? And my point was more that it's never a good idea to let anyone in your admin area regardless. When the NSA and every other agency here and in every other developed land has been hacked, why would you even entertain or deem that a good practice? But whatever. It's not right and should be fixed; it's a security flaw. It took 4 weeks to get a reply, not worth me looking at again, so maybe it's fixed, maybe it's not, but regardless it ain't correct.

hmellor commented 8 months ago

I agree with you that it's not good practice for a regular user to be able to see the admin page, even if they can't see any additional information.

Your feedback is part of what prompted me to start working on v3, which now includes controlled access to the admin page. You can see this release here: https://github.com/HMellor/auction-website/releases/tag/v3.0.0