mattermost / mattermost-plugin-legal-hold

Plugin to create and manage legal holds in Mattermost

Require session when accessing Rest APIs #51

Closed wiggin77 closed 4 months ago

wiggin77 commented 4 months ago

Currently the code checks for an HTTP header, Mattermost-User-ID. The permissions for that userID are checked to ensure they are an admin. However, anyone can create a request with the userID of an admin and use the APIs.

The requester should be logged in and the permissions should be checked against the userID from the session.

grundleborg commented 4 months ago

@wiggin77 I think you might need to update the docs here (https://developers.mattermost.com/integrate/plugins/components/server/best-practices/), as that seems to recommend this as the way of checking who the requesting user is.

wiggin77 commented 4 months ago

Sorry @grundleborg, my mistake. I didn't know about the magic done in mmserver to set that header for the incoming request.
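The pattern this thread settles on, written out as an added example (not code from the legal-hold plugin): the plugin trusts the Mattermost-User-ID header only because the Mattermost server populates it from the caller's session before the request reaches the plugin, so the handler must treat a missing header as unauthenticated and still check system-admin permission on that user. The permission check is injected as a function here so the example runs stand-alone; in a real plugin it would be the plugin API's permission call, and the `/api/v1/legalholds` path is a hypothetical placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header the Mattermost server sets on requests it forwards to a plugin's
// HTTP handlers, derived from the caller's session (as the thread notes).
const userIDHeader = "Mattermost-User-ID"

// isAdminFunc stands in for the plugin API permission check (assumed to be
// p.API.HasPermissionTo in a real plugin); injected so the example runs alone.
type isAdminFunc func(userID string) bool

// requireAdmin wraps an API handler: 401 when no session-derived user ID is
// present, 403 when that user is not a system admin.
func requireAdmin(isAdmin isAdminFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get(userIDHeader)
		if userID == "" {
			http.Error(w, "not authenticated", http.StatusUnauthorized)
			return
		}
		if !isAdmin(userID) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serve sends a constructed request carrying the given header value through
// the guarded handler and returns the resulting HTTP status code.
func serve(isAdmin isAdminFunc, userID string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/legalholds", nil) // hypothetical path
	if userID != "" {
		req.Header.Set(userIDHeader, userID)
	}
	rec := httptest.NewRecorder()
	requireAdmin(isAdmin, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	admins := func(id string) bool { return id == "admin-user-id" } // constructed sample admin set
	fmt.Println(serve(admins, ""), serve(admins, "regular-user-id"), serve(admins, "admin-user-id")) // 401 403 200
}
```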