Open pA1nD opened 3 years ago
Calling https://sso-test.pti.org.py/api/appointments?include=doctor,patient includes detailed information about the patients. This is an endpoint that can be called publicly and should not include any information about patient data. Neither the ID nor any details.
I removed the query param from this endpoint.
Remove the private data and implement it as described here https://ihub-docs.netlify.app/docs/ihub-docs/appointment
I also removed the "description" and "patientId" attributes.
The endpoint also should only expose data for the passed doctorIds. If it is called without doctor ID it should not return anything as it's too simple otherwise to just scrape all the appointments.
This should be included in the docs. Are the three query params required then? doctors, start and end?
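As an added example (not the project's code; the store, field names and parameter names are assumptions), this is the shape of handler the thread asks for: the public appointments endpoint requires `doctors`, `start` and `end`, rejects any other query parameter such as `include`, serves only the listed doctors' appointments, and builds the response from an allow-list of fields so `patientId` and `description` can never leak:

```python
from datetime import datetime

# Constructed in-memory store standing in for the database (assumed schema).
APPOINTMENTS = [
    {"id": 1, "doctorId": 7, "patientId": 101, "description": "follow-up visit",
     "start": "2024-03-01T09:00", "end": "2024-03-01T09:30"},
    {"id": 2, "doctorId": 7, "patientId": 102, "description": "lab results",
     "start": "2024-03-08T10:00", "end": "2024-03-08T10:30"},
    {"id": 3, "doctorId": 9, "patientId": 103, "description": "new patient",
     "start": "2024-03-01T11:00", "end": "2024-03-01T11:30"},
]

# Allow-lists: the only query params accepted and the only fields ever returned.
REQUIRED_PARAMS = ("doctors", "start", "end")
PUBLIC_FIELDS = ("id", "doctorId", "start", "end")


class BadRequest(Exception):
    """Maps to an HTTP 400 in the real handler."""


def public_appointments(query, store=APPOINTMENTS):
    """Return non-sensitive appointment data for the requested doctors only.

    `query` is the parsed query string, e.g. {"doctors": "7,9", "start": ..., "end": ...}.
    """
    # Unknown params (including `include=doctor,patient`) are refused outright
    # so relation expansion can never be requested on the public endpoint.
    unknown = sorted(set(query) - set(REQUIRED_PARAMS))
    if unknown:
        raise BadRequest(f"unsupported query params: {', '.join(unknown)}")
    missing = [p for p in REQUIRED_PARAMS if not query.get(p)]
    if missing:
        raise BadRequest(f"missing required params: {', '.join(missing)}")
    try:
        doctor_ids = {int(d) for d in query["doctors"].split(",") if d.strip()}
        start = datetime.fromisoformat(query["start"])
        end = datetime.fromisoformat(query["end"])
    except ValueError as exc:
        raise BadRequest(f"malformed parameter: {exc}") from exc
    # No doctor list means no data: an unscoped call would allow scraping everything.
    if not doctor_ids or end <= start:
        raise BadRequest("doctors must be non-empty and end must be after start")
    result = []
    for appt in store:
        if appt["doctorId"] not in doctor_ids:
            continue
        if not (start <= datetime.fromisoformat(appt["start"]) < end):
            continue
        # Project onto the allow-list; patientId/description are never copied.
        result.append({k: appt[k] for k in PUBLIC_FIELDS})
    return result
```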