Open Chiggins opened 9 years ago
My git-fu skills aren't that great with all the changes we've been making on our backend, but here's my commit that fixes these issues. Hopefully you guys make the same changes: https://github.com/CAS-IT/ILSTUViews/commit/bf88a7728de5d9ff6745c7c07e732a76d60c279f
Notice that I didn't do a full code audit or security assessment on the software, just happened to notice this one and fix it.
@Chiggins : thanks much! I'll verify your changes and apply them.
There is a vulnerability that allows an unauthenticated user to create questions, delete questions, delete threads, and delete users. This could be accomplished by hitting each REST endpoint.
This commit adds authorization for these endpoints. A user must be logged in as an administrator to be able to perform these actions.
Unauthenticated create question: for this to work, a proper category ID and author ID must be specified.
Unauthenticated delete question: must provide the ID of the question to be deleted.
Unauthenticated delete thread: must provide the ID of the thread to be deleted.
Unauthenticated delete user: must provide the ID of the user to be deleted.
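The four endpoints above, modelled as an added example (this is not code from the ILSTUViews repository or from the linked commit): the same handlers are registered once without any authorization check, reproducing the behaviour the issue describes, and once behind an admin-only check like the one the fix introduces. The in-memory store, the `Session` object, the route paths and the request bodies are all assumptions made for illustration; `probe_unauthenticated` replays the four anonymous requests so the result can be used as a regression check.

```python
"""Added example, not ILSTUViews code: the four REST endpoints from the
issue, first with no authorization (vulnerable) and then wrapped in an
admin-only check (hardened). Store layout, session shape and route
paths are assumptions for illustration."""

from dataclasses import dataclass, field
from functools import wraps
from typing import Dict, Optional


@dataclass
class Session:
    """Who is making the request; user_id None means unauthenticated."""
    user_id: Optional[int] = None
    is_admin: bool = False


@dataclass
class Store:
    """Constructed sample data standing in for the application database."""
    users: Dict[int, str] = field(default_factory=lambda: {1: "admin", 2: "alice"})
    categories: Dict[int, str] = field(default_factory=lambda: {10: "general"})
    questions: Dict[int, dict] = field(
        default_factory=lambda: {100: {"author": 2, "category": 10, "text": "hello"}})
    threads: Dict[int, dict] = field(default_factory=lambda: {200: {"question": 100}})
    next_id: int = 101


def create_question(store, session, body):
    # Exactly the precondition the issue names: a valid category ID and
    # author ID in the body are all that is checked; the session is ignored,
    # so anyone can post as any author.
    if body["category_id"] not in store.categories or body["author_id"] not in store.users:
        return 400, {"error": "bad category or author"}
    qid = store.next_id
    store.next_id += 1
    store.questions[qid] = {"author": body["author_id"],
                            "category": body["category_id"], "text": body["text"]}
    return 201, {"id": qid}


def delete_from(collection):
    """Build a delete handler for questions/threads/users; only the ID is required."""
    def handler(store, session, body):
        items = getattr(store, collection)
        if body["id"] not in items:
            return 404, {"error": "not found"}
        del items[body["id"]]
        return 200, {"deleted": body["id"]}
    return handler


def require_admin(handler):
    """Hardened form: reject before touching the store unless the session
    belongs to a logged-in administrator (401 anonymous, 403 non-admin)."""
    @wraps(handler)
    def wrapper(store, session, body):
        if session.user_id is None:
            return 401, {"error": "authentication required"}
        if not session.is_admin:
            return 403, {"error": "administrator role required"}
        return handler(store, session, body)
    return wrapper


# Route table as the issue found it: no authorization at all.
VULNERABLE_ROUTES = {
    ("POST", "/questions"): create_question,
    ("DELETE", "/questions"): delete_from("questions"),
    ("DELETE", "/threads"): delete_from("threads"),
    ("DELETE", "/users"): delete_from("users"),
}
# Route table after the fix: every one of the four actions is admin-only.
HARDENED_ROUTES = {route: require_admin(h) for route, h in VULNERABLE_ROUTES.items()}


def dispatch(routes, store, session, method, path, body):
    """Tiny stand-in for the REST framework's router."""
    handler = routes.get((method, path))
    if handler is None:
        return 404, {"error": "no such endpoint"}
    return handler(store, session, body)


def probe_unauthenticated(routes):
    """Replay the four anonymous requests from the issue against a fresh
    store and return the status code each one received."""
    store = Store()
    anon = Session()
    requests = [
        ("POST", "/questions", {"category_id": 10, "author_id": 2, "text": "spam"}),
        ("DELETE", "/questions", {"id": 100}),
        ("DELETE", "/threads", {"id": 200}),
        ("DELETE", "/users", {"id": 2}),
    ]
    return [dispatch(routes, store, anon, m, p, b)[0] for m, p, b in requests]


if __name__ == "__main__":
    print("vulnerable:", probe_unauthenticated(VULNERABLE_ROUTES))
    print("hardened:  ", probe_unauthenticated(HARDENED_ROUTES))
```

Against the unguarded table the probe returns `[201, 200, 200, 200]`, i.e. all four actions succeed anonymously; against the guarded table every request gets 401 before any handler runs, while an administrator session still passes through and a logged-in non-admin gets 403. Keeping the check in a single wrapper applied at route registration, rather than inside each handler, is what makes it hard to add a fifth endpoint later and forget it.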