Open kshavp opened 2 weeks ago
So you'll show a toast on each keystroke or on the final hit?
The final hit of course; the mechanism will be the same as it is working now, I'll just show a toast if the user does not exist when the button is clicked.
Button is set to be disabled till a valid username (of friend) is entered.
You can enable it, and show a toast if a username is not valid. Is this your solution?
Yes, this is because the button is disabled at the client level, using the disabled attribute, which can be easily removed using inspect element, and thus this creates a vulnerability.
Thus, for now, even if the button is disabled, it is not enough to stop the user. Have a look at the attached media; I have performed a search after removing the disabled attribute manually.
Thus we can possibly avoid this.
Got it.
Any update?
I'm enhancing my current validations as I found something more critical:
If someone bypasses the add button without actually entering anything, it reveals a few backend-side properties.
Because you're running the development server with DEBUG=True in settings.
Could you check the same behaviour in production at https://privateping.bytespot.tech?
In production I guess it's safe.
Kindly make a PR before end of the day, else the issue will be open to all to be assigned.
Is your feature request related to a problem? Please describe. The feedback from the application that the username does not exist should be informative to the user, thus we can show some "user not found" related feedback instead of what we see in the attached media.
Describe the solution you'd like We can have a toast/popup/alert component to show the feedback.
@princekhunt I'd like to implement this feature under SSOC
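Server-side handling of the add-friend request, as an added example that is not part of this thread or of the project's code: it assumes a plain function (`add_friend`) in place of the project's Django view, a constructed user set (`KNOWN_USERS`) behind an injectable `lookup` callable, and an assumed username pattern. It covers the cases raised above: an empty submission once the disabled attribute is stripped, the "user not found" toast, and an unexpected error that must return a generic message rather than the backend details a DEBUG=True traceback page exposes.

```python
# Added example: server-side check for an "add friend" request.
# The client's disabled button is only a convenience; this function is the
# real control, so it must cope with whatever the browser actually sends.
import logging
import re

log = logging.getLogger(__name__)

# Constructed sample data standing in for the project's user table.
KNOWN_USERS = {"alice", "bob", "kshavp"}
# Assumed username rule; adjust to the project's own validator.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,30}$")


def add_friend(current_user, raw_username, lookup=KNOWN_USERS.__contains__):
    """Return (http_status, payload); the payload's message feeds the toast."""
    try:
        # 1. With the disabled attribute removed, the request may carry an
        #    empty string or no value at all.
        if not isinstance(raw_username, str) or not raw_username.strip():
            return 400, {"ok": False, "message": "Please enter a username."}
        username = raw_username.strip()
        # 2. Reject malformed input before it reaches the database layer.
        if not USERNAME_RE.fullmatch(username):
            return 400, {"ok": False, "message": "That username is not valid."}
        if username == current_user:
            return 400, {"ok": False, "message": "You cannot add yourself."}
        # 3. The informative feedback the issue asks for.
        if not lookup(username):
            return 404, {"ok": False, "message": "User not found."}
        return 200, {"ok": True, "message": f"Friend request sent to {username}."}
    except Exception:
        # 4. Log the traceback server-side; the client gets a generic message
        #    instead of the debug page that DEBUG=True would render.
        log.exception("add_friend failed for %r", current_user)
        return 500, {"ok": False, "message": "Something went wrong. Please try again."}
```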