Open ncasnap opened 2 weeks ago
Problematic behavior: The Django API is too open. If we just make a GET request to https://domain/api/rooms/name_of_room,
we can retrieve all the information, including the token. This is problematic, as with the token we can bypass the restrictions of a room.
Expected behavior/code: GET requests for a specific room should work only for an authenticated user owning the room.
Steps to Reproduce
Environment
@jbpenrath, can you help us with this issue?
Thanks in advance, Regards, Nathan
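One way to implement the expected behaviour described in the report, as an added example that is not part of the issue and not the project's own code: a hypothetical ownership permission modelled on Django REST framework's `BasePermission` hooks (`has_permission` and `has_object_permission`), written without the Django dependency so it runs stand-alone. The `User`, `Room`, `Request` and `RoomDetailView` classes and the token value are constructed stand-ins; the endpoint path mirrors the `/api/rooms/<name>` URL from the report.

```python
"""Hypothetical room-detail authorization (added example, not the project's code).

Models a Django REST framework style permission check: anonymous callers
get 401, authenticated non-owners get 403, and only the owner receives the
full representation including the room token.  No Django import, so that it
runs stand-alone; the User/Room/Request classes are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass(frozen=True)
class Room:
    name: str
    owner: str
    token: str  # the secret that lets a caller bypass the room's restrictions


@dataclass(frozen=True)
class Request:
    user: User
    method: str = "GET"


class IsAuthenticatedRoomOwner:
    """Same two hooks as rest_framework.permissions.BasePermission (assumed
    interface; this class does not subclass it, so no Django is required)."""

    def has_permission(self, request: Request, view: Any = None) -> bool:
        # View-level check: reject anonymous traffic before any lookup.
        return request.user.is_authenticated

    def has_object_permission(self, request: Request, view: Any, obj: Room) -> bool:
        # Object-level check: only the room owner may see its details.
        return obj.owner == request.user.username


def public_representation(room: Room) -> Dict[str, Any]:
    """Fields that are safe to expose to anyone (never the token)."""
    return {"name": room.name, "owner": room.owner}


def owner_representation(room: Room) -> Dict[str, Any]:
    """Full representation, token included, for the owner only."""
    return {**public_representation(room), "token": room.token}


class RoomDetailView:
    """Constructed stand-in for a DRF retrieve view on /api/rooms/<name>."""

    permission_classes = [IsAuthenticatedRoomOwner]

    def __init__(self, rooms):
        self._rooms = {r.name: r for r in rooms}

    def get(self, request: Request, name: str) -> Tuple[int, Optional[Dict[str, Any]]]:
        """Return (http_status, body) for GET /api/rooms/<name>."""
        perms = [cls() for cls in self.permission_classes]
        if not all(p.has_permission(request, self) for p in perms):
            return 401, {"detail": "Authentication credentials were not provided."}
        room = self._rooms.get(name)
        if room is None:
            return 404, {"detail": "Not found."}
        if not all(p.has_object_permission(request, self, room) for p in perms):
            return 403, {"detail": "You do not have permission to perform this action."}
        return 200, owner_representation(room)


if __name__ == "__main__":
    # Constructed sample data: one room owned by "alice".
    view = RoomDetailView([Room("standup", "alice", "constructed-token")])
    for who in (ANONYMOUS, User("bob"), User("alice")):
        print(who.username or "<anonymous>", view.get(Request(who), "standup"))
```

In a real DRF project the permission would subclass `rest_framework.permissions.BasePermission` and be listed in the viewset's `permission_classes`; the other half of the fix is that any serializer used for list or public endpoints omits the token field entirely, so the secret is only ever built into the owner's response. Returning 404 instead of 403 for non-owners is a reasonable variant if room names should not be enumerable.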